Russia Hacked Microsoft Execs — SolarWinds Hackers at it Again

Midnight Blizzard / Cozy Bear makes it look easy (and makes Microsoft look insecure).

Microsoft has been forced to disclose it was hacked by the Russian state. The hackers were inside Redmond’s network for a month and a half.

Putin’s goons got in easily, by spraying passwords at a test server until they succeeded—which really shouldn’t be possible. Then they pivoted to the production environment—which really shouldn’t be possible.

The obvious conclusion? Microsoft cloud security sucks. In today’s SB Blogwatch, we eyeroll furiously.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Magnet vs. Levitating.


What’s the craic? Frank Bajak reports—“Russian hackers accessed emails of senior leadership”:

Password spraying
State-backed Russian hackers broke into Microsoft’s corporate email system and accessed the accounts of members of the company’s leadership team, as well as those of employees on its cybersecurity and legal teams. … The intrusion began in late November and was discovered on Jan. 12.

Hackers from Russia’s SVR foreign intelligence agency used [a] brute-force attack technique … called “password spraying.” … Microsoft calls the hacking unit Midnight Blizzard … the same highly skilled Russian hacking team behind the SolarWinds breach. … Prior to revamping its threat-actor nomenclature last year, it called the group Nobelium. The cybersecurity firm Mandiant, owned by Google, calls the group Cozy Bear.
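Password spraying tries one or two common passwords against many accounts, so no single account racks up enough failures to trip a lockout; that pattern is exactly what a sign-in log detector should key on. The following is an added example, not code from the article, AP or Microsoft, run over constructed sign-in records; the log format, the thresholds and the account names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records: timestamp, account, source IP, outcome.
SAMPLE_LOG = """\
2023-11-28T02:00:01Z alice@tenant.example 203.0.113.7 FAILURE
2023-11-28T02:00:09Z bob@tenant.example 203.0.113.7 FAILURE
2023-11-28T02:00:17Z carol@tenant.example 203.0.113.7 FAILURE
2023-11-28T02:00:25Z dave@tenant.example 203.0.113.7 FAILURE
2023-11-28T02:00:33Z erin@tenant.example 203.0.113.7 FAILURE
2023-11-28T02:00:41Z legacy-test@tenant.example 203.0.113.7 SUCCESS
2023-11-28T02:01:00Z alice@tenant.example 198.51.100.4 FAILURE
2023-11-28T02:01:05Z alice@tenant.example 198.51.100.4 FAILURE
2023-11-28T02:01:10Z alice@tenant.example 198.51.100.4 FAILURE
2023-11-28T02:01:15Z alice@tenant.example 198.51.100.4 FAILURE
2023-11-28T02:01:20Z alice@tenant.example 198.51.100.4 FAILURE
2023-11-28T09:00:00Z frank@tenant.example 192.0.2.9 SUCCESS
"""

def parse(log_text):
    """Turn the assumed 'ts user ip outcome' lines into tuples."""
    records = []
    for line in log_text.splitlines():
        ts, user, ip, outcome = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, outcome))
    return records

def detect_spray(records, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Flag a source whose failures in one window hit many distinct accounts
    with few attempts each (spray), unlike a brute force that hammers one
    account; also list any later success from that source (the foothold)."""
    by_ip = defaultdict(list)
    for rec in sorted(records):
        by_ip[rec[2]].append(rec)
    findings = {}
    for ip, events in by_ip.items():
        failures = [(ts, u) for ts, u, _, o in events if o == "FAILURE"]
        for i, (start, _) in enumerate(failures):
            attempts = defaultdict(int)
            for ts, u in failures[i:]:
                if ts - start > window:
                    break
                attempts[u] += 1
            if len(attempts) >= min_users and max(attempts.values()) <= max_per_user:
                successes = sorted({u for ts, u, _, o in events
                                    if o == "SUCCESS" and ts >= start})
                findings[ip] = {"targets": sorted(attempts), "successes": successes}
                break
    return findings
```

In the sample, 203.0.113.7 is flagged (five accounts, one try each, then a success on the legacy test account), while 198.51.100.4 is a single-account brute force and is not.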


Horse’s mouth? Satya’s PR flaks flick the keys—“Microsoft Actions Following Attack”:

Additional details
Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold. … This attack does highlight the continued risk posed to all organizations from well-resourced nation-state threat actors. … This incident has highlighted the urgent need to move … faster.

We are continuing our investigation and will take additional actions based on the outcomes. [We] will continue working with law enforcement and appropriate regulators. … We will provide additional details as appropriate.


So much PR waffle. Trust yborg for a snarky translation:

“We were pwned by the Russians (again) and they were reading all of Satya’s emails. But it’s okay, they were just looking for shout-outs to post in their interoffice Telegram channel for the lulz.”

I understand that the company has to minimize every breach, but this frankly looks a lot more serious than Microsoft suggests.


Yikes. Too harsh? h_b_s can only agree:

It’s clear to me Microsoft is no better at securing their own networks and systems than anyone else, given the same access to documentation and expertise. That being the case it becomes clearly evident that forcing people off on-prem services isn’t about security. It’s about Microsoft monetizing data and artificially inflating their Azure cloud numbers.


Let’s dive deeper. fuzzyfuzzyfungus figures the FAIL:

I’m having a little trouble wrapping my head around the “legacy non-production test tenant account” thing. Sure, everyone’s got some **** in a broom closet somewhere that doesn’t bear looking at, [but] it would have been generating authentication and mailbox access activity in a production tenant. … Isolation between tenants is supposed to be really strong.

Unless there’s something MS should really be telling us yesterday about the actual state of default separation between tenants, you shouldn’t just be able to move laterally between them without both sides having been configured to allow that—and both sides seeing your activity. … It honestly feels a lot more damning than the classic ‘server inside the firewall got forgotten about during project/org reshuffles, oops’ case.


Meanwhile, utdoctor mashes Underpants Gnomes with Captain Phillips:

1. Password spray.
2. Access non-prod environment.
3. ???
4. “Look at me, look at me. I am the CEO now.”


And Finally:


Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Geraldine le Meur (cc:by; leveled and cropped)
