Microsoft’s Latest Hack Sparks Major Security Concerns – Source: www.databreachtoday.com

Governance & Risk Management
,
IT Risk Management
,
Legacy Infrastructure Security

Experts Warn Tech Giant Faces Potential for Future Cyberattacks After Email Hacking

Chris Riotta (@chrisriotta) •
January 22, 2024    

News that Russian state hackers had penetrated the inboxes of senior Microsoft executives using an unsophisticated hacking technique to gain initial access once again turned the computing giant into a byword for insecurity.

See Also: OnDemand | Integrating Splunk and Panther for Real-Time Alerting and Custom Dashboarding

Decades of security overhauls – including an initiative launched in November – suffered a public blow when Microsoft revealed Friday that Kremlin hackers had exfiltrated emails and documents from senior leadership and employees across the company’s cybersecurity and legal departments starting in late November (see: Microsoft: Russian Hackers Had Access to Executives’ Emails).

Microsoft emphasized that hackers – belonging to a threat actor tracked as Midnight Blizzard and also known as APT29 and CozyBear – had targeted only “a very small percentage of Microsoft corporate email accounts” to collect “information related to Midnight Blizzard itself.”

“To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems,” the company said.

There was nothing announced that required scrambling SOCs for a late-night frenzy of patching. But the incident nonetheless provoked questions about the company’s ability to secure itself and its customers – while also offering a lesson that any large enterprise should heed.

Mounting Security Concerns Over Microsoft

The Russian hacking is just the latest major security incident affecting Microsoft. The Redmond giant in 2023 disclosed that a group of Chinese hackers had gained unauthorized access to its customers’ email systems as part of an intelligence-gathering campaign that targeted federal agencies and other major organizations.

The company faced growing criticism from lawmakers and the public following the hacking. Newsweek reported that senators had written a bipartisan letter demanding further details about the extent of the breach. Heavy dependence on Microsoft alone to provide email security helped ensure the breach, suggested 14 senators of both parties. In a letter to State Department Chief Information Officer Kelly Fletcher, they asked for details on how the department would “ensure a more robust, layered cybersecurity architecture that includes multiple cybersecurity vendors for unclassified email.”

Microsoft later expanded access to its cloud logging capabilities at no additional cost to government and commercial customers after criticism that only customers who paid for the critical logging information had been able to detect the Chinese espionage campaign (see: Microsoft Expands Logging Access After Chinese Hack Blowback).

Experts told Information Security Media Group the incident could potentially leave Microsoft susceptible to future attacks from Kremlin-linked hacking groups.

Elia Zaitsev, chief technology officer for the security firm CrowdStrike, described the latest attack as “just the most recent in a barrage of breaches” and added that the Russian-linked cyber group “understands how to target and penetrate Microsoft’s networks, highlighting issues with their ability to secure their cloud infrastructure.”

Microsoft’s security team said in a blog post that Midnight Blizzard had used a password spraying attack – a brute force hacking method that typically involves running the same password guess through a number of accounts – and had gained a foothold into its systems through a legacy nonproduction test tenant account.

The hackers apparently obtained access to Microsoft accounts while evading detection for several weeks, until the breach was eventually discovered Jan. 12. Microsoft did not immediately respond to a request for comment

Tech Giant Increasingly a Major Target for Cyberattacks

Although major technology companies such as Apple, Verizon and Sony are all significant targets for cyberattacks due to their access to vast troves of sensitive user data, experts said that Microsoft remains particularly vulnerable due to its threat intelligence and data security operations.

Tom Kellermann, senior vice president of cyber strategy at Contrast Security, said Kremlin hackers had targeted Microsoft due to the company’s “seminal threat research depicting the ongoing Russian cyber insurgency” against the U.S.

“I’m concerned that Microsoft’s infrastructure could now be used for island hopping against [its] customers,” Kellerman told ISMG.

Legacy Still Poses Critical Security Challenge Across Sectors

The breach provides further evidence that legacy tools, accounts and IT infrastructure can still pose critical vulnerabilities for all types of organizations, said Lisa Plaggemier, executive director of the National Cybersecurity Alliance.

“The use of a password spray attack to gain access to email accounts underscores the importance of updating and securing outdated systems,” Plaggemier told ISMG, adding that Midnight Blizzard could leverage the insights it gained during the recent hacking for “further targeted attacks” or “to gain deeper access into Microsoft’s systems.”

Password spraying attacks are more effective on legacy accounts since those systems typically lack multifactor authentication requirements, feature outdated security measures and often were set up before organizations began to enforce more modern password policies. Microsoft said it was planning to apply current security standards to legacy systems – “even when these changes might cause disruption to existing business processes” – as it continues to investigate the hacking.

“This incident serves as a stark reminder that organizations need to prioritize modernizing their cybersecurity infrastructure,” Plaggemier said.

Zaitsev said the incident points to the “continued systemic risk created by Microsoft’s lack of support for legacy technologies” and shows a “disregard of basic security best practices.”

If Microsoft continues its current operations without providing further support for its legacy systems, Zaitsev said, the company and its customers “will continue to fall prey to aggressive attacks from foreign adversaries and sophisticated criminal groups.”

“Microsoft’s security practices have major gaps for older OSes and legacy systems and lack the coverage required to stop today’s adversaries,” he said. “Despite vague allusions to applying more rigorous security standards to their own legacy tech, history and their actions have shown that they continue to prioritize profits by pushing customers to upgrade rather than make the necessary investments.”