Situation Update
The following threat briefing is an update from a February 2024 threat briefing.
After initial reports that Midnight Blizzard (aka APT29 or NOBELIUM) compromised Microsoft and accessed corporate inboxes, investigations have revealed that this breach’s impact is severe and widespread. In March, Microsoft confirmed that Midnight Blizzard was able to access some of Microsoft’s source code and internal systems using the data it stole in January, and stated that the threat group is still using “secrets shared between customers and Microsoft in email,” among other types of stolen information, to launch password spraying attacks.
According to reports from the Scoop News Group and BleepingComputer, federal agencies may also be at risk due to this incident. In response, CISA has released Emergency Directive 24-02, tasking federal agencies with investigating potentially affected email inboxes, rotating compromised credentials, and securing privileged Microsoft Azure accounts.
Why This Matters to MSPs
These updates on the Midnight Blizzard incident follow damning reports from the Cyber Safety Review Board, which investigated a Microsoft Exchange breach in 2023 and found that Microsoft had failed to prioritize security and risk management. They also follow recent research from SOCRadar, which disclosed that Microsoft had left passwords, keys, and credentials exposed on an Internet-facing Azure server.
Collectively, these incidents demonstrate that Microsoft’s baseline security measures are not sufficient for businesses that need to secure sensitive data or customer information. MSPs are more crucial than ever in offering proactive security against cybercriminals targeting privileged attack surfaces.