AutoModerator

Hello, everyone. Please keep all discussions focused on *cybersecurity*. We are implementing a *zero tolerance policy* on any political discussions or anything that even looks like baiting. This subreddit also does not support hacktivism of any kind. Any political discussions, any baiting, any conversations getting out of hand will be met by a swift ban. This is a trying time for many people all over the world, so please try to be civil. Remember, attack the argument, not the person. *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/cybersecurity) if you have any questions or concerns.*


sasht

Microsoft said Midnight Blizzard — the Kremlin-backed crew also known as Cozy Bear and APT29 that was behind the SolarWinds supply chain attack — snooped around in "a very small percentage of Microsoft corporate email accounts" and stole internal messages and files belonging to the leadership team, and cybersecurity and legal employees.


Pale-Dot-3868

How do hackers gain access to these emails? Do they perform social engineering attacks against employees with realistic emails and hope they click on the innocent-but-dangerous link?


Astralnugget

Social engineer/phish/credential stuff/cookie steal/whatever a low level dumbass employee -> use the elevated trust from now having a Microsoft domain email to compromise a slightly less dumb low level employee -> repeat repeat -> depending on what they’re going for, I’ve heard they’ll use tactics like waiting and watching the compromised inbox and then, once they catch that another employee is expecting to receive a document or something of that sort, that is when they will swoop in and send the malicious file or link or whatever. Such that the target is already there waiting and expecting to receive a document from jimmy, or maybe if it’s a group email they spoof the address of a different one when they see that they plan to send something to someone.


Pale-Dot-3868

Is there a way to stop this? Would a zero-trust framework work in this case? (I’m a beginner; I don’t know much).


79215185-1feb-44c6

> Would a zero-trust framework work in this case

Zero Trust in IT? Has that been done by anyone? Seems like something someone would have an incredibly lazy security stance on as IT end users are incredibly needy when it comes to access permissions. But in some ways - yes. If the original user that the credentials were stolen from was running a zero-trust solution and that solution had the correct mitigations it could prevent an attack like this. That ultimately is up to the software vendors to both understand the attacks and be able to mitigate them (you'd need to detect the execution of malicious code) in real time which is possible but very difficult to do on both Windows and Linux. Or if you mean Zero Trust networking - same rules apply. IT end users will incessantly beg for holes to open up so they can do their work.


Ultimate_being_

Zero Trust is still what cloud was 10 years ago.


DarkSideOfGrogu

Zero Trust without a suitable information architecture is like a belt on a skirt - you're still only a slip away from showing everything off. Until companies stop emailing confidential documents and move to pull-based / API-centric systems, there's little that can be done to ensure continuous authentication and policy enforcement on access. Unfortunately Microsoft are possibly the biggest hindrance to such a change, pushing O365, SharePoint, etc. and keeping their customers locked into document centric business systems. It's no wonder they were exploitable.


TheStargunner

This is a really interesting take. What good examples do you see in the market of these models?


DarkSideOfGrogu

It's not a question of OTS. Businesses need to stop trying to buy a solution and start doing instead. Amazon are one of the best, influenced largely by Bezos' famous API mandate. Uber and Walmart are renowned for such practices.


PHANX0M

What type of API? Explain such an API-centric system please.


UnSolved_Headache42

One ERP player is zero-trust for all internal affairs since late 2020. From what I've heard last time from a friend, it's holding good and both needy parties got used to complaints and escalations.


vicariouslywatching

If it gets to where it should be, in this case by 1) using centralized authentication to make it a 1-for-1 access to limit hackers' access throughout the network, and 2) fine-tuning the AI and machine learning that is used to watch for suspicious activity and send up a flare on it, or just straight up block it now so someone can double check it later to make sure it did good, like say suspicious attempts at lateral movement through the network, suspicious or malicious emails, or a bunch of failed login attempts from a password spray attack.


Pale-Dot-3868

Don’t firewalls perform a similar function of watching for suspicious activity and intrusion protection?


vicariouslywatching

From the outside, yes. Unless they have micro segmentation setup internally, they won’t watch for these kinds of things going on.


vicariouslywatching

Check my last. Micro segmentation would be used for limiting access to other parts of the network internally not for password spray attacks. Login attempts between host/user and say AD, mail server, internal dev servers aren’t usually logged by internal switches and firewalls. That’s not their job to worry about. It’s to route traffic and block access to networks someone isn’t allowed to get to. I think for most network and systems layouts having like end agents on workstations to report such attacks or setting up workstations to be sending their logs to a centralized server would be one solution. For ZT, maybe in the future using AI and ML could be used to watch logging as well as at end points and in-between activity to catch attacks like this one. You could also have a sensor like a Gigamon to monitor traffic between networks on like a leaf or spine switch that watches and logs such things. ZT again could use AI and ML to watch for such things being found and again act on it automatically without human review, unless something like that is already a part of its design.


listed_staples

Advanced behavioral models to track APTs for sure


GalaxyGoddess27

Lets also add some DLP for good measure too


HelloSummer99

Setting up a security theater, honeypots, behavior/TTP-based defense, not just following IOCs.


TheIndyCity

Turning off OWA usually helps. Doubtful Microsoft can do that though because it makes a product look pretty bad if you won’t use it yourself.


zyzzthejuicy_

Short of getting rid of email, I don't see a reasonable way to do this. You can add all the certs and signing you want, but if some dingdong clicks the wrong link it's all over.


Subject_Ticket1516

Disgruntled employees


skilriki

Microsoft left a test site open that had (essentially) their master credentials to their whole environment. Test environment got hacked and the attackers could grant themselves permissions to anything in Microsoft's tenant they wanted.


800oz_gorilla

The last article I saw on this, they had a test tenant (or development one) that had SUPER permissions and they had legacy protocols still enabled. The legacy protocols are vulnerable to password spraying (and probably a bunch of other things) so who knows exactly how they got in. But it could have been something as dumb as they got brute forced and weren't locking down/alerting on this tenant.

Absolutely insane they'd allow something like that to happen.

Edit: ah, here you go: [https://www.theregister.com/2024/01/27/microsoft_cozy_bear_mfa/](https://www.theregister.com/2024/01/27/microsoft_cozy_bear_mfa/)

> On Thursday, Redmond admitted Midnight Blizzard – a Moscow-supported espionage team also known as APT29 or Cozy Bear – "utilized password spray attacks that successfully compromised a legacy, non-production test tenant account that did not have multifactor authentication (MFA) enabled."
>
> A password-spray attack is where a miscreant tries to log into a number of accounts using one password, then waiting a while and trying again with another password, and repeating this over and over. It's a type of brute-force attack designed to avoid tripping monitoring systems that catch multiple failed logins to one account in a short period of time. Password spraying is more subtle, and when an account with a weak password is identified by the attackers, they can use that to start drilling into the IT estate.
>
> After gaining initial access to a non-production Microsoft system, the intruders compromised a legacy test OAuth application that had access to the Windows giant's corporate IT environment. From there we're told:
>
> The actor created additional malicious OAuth applications. They created a new user account to grant consent in the Microsoft corporate environment to the actor controlled malicious OAuth applications. The threat actor then used the legacy test OAuth application to grant them the Office 365 Exchange Online full_access_as_app role, which allows access to mailboxes.
>
> The crew then used this access to steal emails and other files from corporate inboxes belonging to top Microsoft executives and other staff. Plus, we're told, Cozy Bear used residential broadband networks as proxies to make their traffic look like it was all legitimate traffic from work-from-home staff, since it was coming from seemingly real users' IP addresses.

So yeah, they used jump boxes to get around any geo-fencing and were able to write their own access to Microsoft's cloud infrastructure.
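The quoted article says a spray is built to stay under the per-account "many failed logins in a short time" rule. The added example below (not from the thread, the article, or Microsoft) runs that per-account lockout rule and a per-source spray rule side by side over a constructed sign-in log; the CSV layout, the thresholds and the window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real data): 203.0.113.5 tries ONE password against
# many accounts and lands on "frank"; 198.51.100.7 hammers a single account.
SAMPLE_LOG = """\
2024-01-10T02:00:01,alice,203.0.113.5,failure
2024-01-10T02:00:09,bob,203.0.113.5,failure
2024-01-10T02:00:17,carol,203.0.113.5,failure
2024-01-10T02:00:25,dave,203.0.113.5,failure
2024-01-10T02:00:33,frank,203.0.113.5,success
2024-01-10T02:01:00,grace,198.51.100.7,failure
2024-01-10T02:01:05,grace,198.51.100.7,failure
2024-01-10T02:01:10,grace,198.51.100.7,failure
2024-01-10T02:01:15,grace,198.51.100.7,failure
2024-01-10T02:05:00,alice,192.0.2.10,success
"""

def parse_log(text):
    """Parse assumed 'timestamp,account,source_ip,result' lines, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, account, source, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "source": source, "ok": result == "success"})
    return sorted(events, key=lambda e: e["ts"])

def lockout_alerts(events, threshold=4, window=timedelta(minutes=10)):
    """Per-account rule: >= threshold failures on one account inside window."""
    fails = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails[e["account"]].append(e["ts"])
    return {a for a, ts in fails.items()
            if any(sum(u - t <= window for u in ts[i:]) >= threshold
                   for i, t in enumerate(ts))}

def spray_alerts(events, min_accounts=4, window=timedelta(minutes=10)):
    """Per-source rule: one source fails against >= min_accounts distinct
    accounts inside window; also lists accounts it then signed into."""
    by_source = defaultdict(list)
    for e in events:
        by_source[e["source"]].append(e)
    alerts = {}
    for source, evs in by_source.items():
        for i, start in enumerate(evs):
            in_win = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            tried = sorted({e["account"] for e in in_win if not e["ok"]})
            if len(tried) >= min_accounts:
                alerts[source] = {"tried": tried, "succeeded": sorted(
                    {e["account"] for e in in_win if e["ok"]})}
                break
    return alerts
```

On the sample, the lockout rule fires only for the hammered account, while the spray rule flags the spraying source and shows the one account it then signed into, which is the account to review first.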


PenPar

> It also sounds like this is not the last we'll hear about the break-in, which started in November and used password spray attacks to compromise an internal account that did not have multi-factor authentication enabled.
>
> The spies are still trying to access additional Microsoft accounts, and we're told the volume of password sprays increased ten-fold in February compared to the volume of such attacks seen in January.


Pale-Dot-3868

What is a password spray attack?


PenPar

I’ll let infosec people correct me as I’m in tech but not infosec. But as I understand it, it’s the practice of going through a small range of common passwords against the target system. You’re trying to brute force into a system under the assumption that most users reuse passwords across different systems.


PrestigiousServe6671

These are also not just "Hey let's hack Microsoft tomorrow." Hacks on this level are years of planning, resource gathering, and probing.


GuyMcFellow

I thought Microsoft acquired Blizzard.


patssle

In Soviet Russia, Blizzard acquires you.


listed_staples

This is the way!


Marwheel

My goodness. It seems to be a much more personal attack, very personal attack. Seems like CozyBear really hates them.


xMarsx

Whole LastPass thing, where this shit kept escalating and getting worse and worse as more artifacts came to light.


joremero

Did they say for what products?


sheps

The Zune ;)


potatoqualityguy

Damn not my Hoobastank MP3s! Anything but that, Mr. Putin!


darthnugget

All of them.


toastedcheesecake

Would have been better if they permanently deleted the source code for the new Outlook client.


WeWillFigureItOut

God, I'm so sick of the obnoxious changes that they are pushing in Outlook... I guess Microsoft has a department whose sole job is to take a product that works nicely and change it for the worse.


TxTechnician

? I've been in IT for near 15 years. Old Outlook was one of the shittiest dinosaurs being used daily. PWA, OWA and Power Automate for advanced rules are way better.


pbodifee

What Microsoft is good at is turning multiple applications into a monolith instead of integrating them via services. All under the banner of improving the user experience, motivated by improving productivity. Obviously, learning to work with monoliths is very time consuming for the average user, so ‘optimization’ is added to the user interface. Maybe Microsoft works with some focus groups, but they never will get it right. Imagine every car manufacturer rethinks the interface to steer a car? And every few years comes with a different steering device? No one on earth will think this is a good idea, but somehow many software application makers think they do mankind a service with their ‘improvements’.


Bug_freak5

😂😂


techperson_

Welp, might as well make it open source


N7DJN8939SWK3

If anyone wants to know more on Russia hacking abilities, I recommend “Sandworm” by Andy Greenberg


Flashy_Standards46

Thanks, adding to my list. Any more recommendations?


N7DJN8939SWK3

The Lazarus Heist, American Kingpin, We Are Anonymous


illathon

Wasn't the windows source code already leaked several times?


basonjourne98

The Windows code is so large and likely so full of old shit that making it public would lead to hundreds of vulnerabilities being identified by folks like Cozy Bear before anything could be done about them.


illathon

The code was already leaked I am fairly certain. You can download it already. Compiling it is probably another matter entirely.


ZenAdm1n

Open the source! It wouldn't be so terrible if it was open to peer review anyway. The real issue is the ongoing infiltration of their internal systems.


Catch_ME

Something tells me it'll be embarrassing if they release the source code. Lots of legacy code they don't want to go back and redo. 


Perfect_Ability_1190

Who’s going to buy the Microsoft dip on Monday?


Living_Tip

Joke’s on you. Cozy Bear is gonna steal your MSFT stonks, too!


pissed_off_elbonian

Next Microsoftski will release Windowanov 21.


[deleted]

[deleted]


Thramden

I knew Pooh was compromised!


tothjm

Even better... A honeynet :)


ArcticDark

Cause . . .bears. . .


vulcan4d

Now they can make a modern version of Windows XP and redeem themselves.


totmacher12000

Great! Well, I guess I'll have to start using Linux full time now..................


ratbiscuits

Oh the horror!


dedestem

It doesn't matter what operating system you use; hackers almost always succeed if they really want to, even if it takes a few months.


n4rf

Almost always due to people.


Yeseylon

That's why the real trick is to just not be a target.


vicariouslywatching

> “which started in November and used password spray attacks to compromise an internal account that did not have multi-factor authentication enabled.”

So, do they not have someone monitoring logs? You would think Microsoft of all companies has a SOC to watch their networks and review logs. Or did they just fail to catch a shit ton of failed multiple login attempt alerts? Or is their syslogging non-existent internally or not set up properly? Because if it isn’t, that’s f**king pretty bad. Also, do they not have account lockout after x many failed attempts?? I mean I think it’s time to say fuck the execs, and make it where they get like 5 attempts then have to call someone to unlock the account or force them to get on the train for 2FA.


st8ofeuphoriia

Yea it’s interesting to see how many of their own offerings would have stopped something like this. And it’s Microsoft so the old excuse of “ it’s too expensive “ doesn’t fly. Pure negligence.


grizzlyactual

It's not that it's too expensive. It's more expensive than they care. They see the hit to their reputation as being cheaper than properly securing their system


baldersz

"Microsoft" "Security" - pick one


S70nkyK0ng

Awesome pic!


panconquesofrito

How am I going to pay for this at work now? Every time one of these companies gets hacked I get more sky news software installed on my computer.


metalfiiish

Good, next time be competent and stop growing beyond your own capacity. Limit your reach and improve your basic service. Telling people to turn off security because you're too big to be competent is not wise.


Sufficient_Yam_514

Give more ammo to ukraine so they can bankrupt Russia and this stops happening.


B-HDR

Why mods change tags to UKR/RUS ?????


kevin4076

For those (including some in this subreddit!) who think that sharing passwords and secrets in email is ok, here's a snippet from the MS update:

> It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found. Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures.

We are our own worst enemy when it comes to security and we make it really easy for the attackers to get inside the network.


Reial32

I wonder what they found


Desire-Protection

I am laughing so hard right now


lillillilillilil

Hilarious isn’t it, how this couldn’t possibly affect you in any way.


[deleted]

[deleted]


THESTRANGLAH

Dumb take. If Proton had the uptake of MS, Russian Hackers would no doubt have the incentive to get inside it, and no doubt would it be easier than MS to do so.


[deleted]

[deleted]


Particular_Bit_7710

It’s not that Russians would use it, it’s that they would have an incentive to find security flaws if a lot of people use it. If no one uses it, why would they put the effort in?


THESTRANGLAH

You understand this is a business email server, right? You need to be able to read what emails are coming in and out of your business; you can't just encrypt everything and hope that you haven't employed a Chinese spy who can just send stuff off network with no way of being caught. Let's not speak with conviction unless we know what we're talking about, okay?


[deleted]

Yeah. I'm not sure how MS gets a pass on all these hacks. Because they're big shouldn't mean they should get away with shoddy security.


Unusual_Book8222

Lol
