Cyber Threat Pulse

#6, March 2024

Weak Security Leaves Microsoft Exposed: Russian Espionage Continues

In January 2024, the Midnight Blizzard hacker group infiltrated Microsoft's corporate email system. The attackers used the Password Spraying* technique to gain access to an old test account that had no multi-factor authentication. This account had elevated privileges, giving the attackers access to sensitive corporate information.

*Password Spraying is a kind of brute force attack aimed at compromising accounts with weak or easily guessed passwords. The attacker first builds a list of potential usernames and then tries to log in to each of them with the same password. Password Spraying is harder to detect than ordinary Brute Force because each account sees only 1-2 login attempts, not 100,000.

In March, Microsoft discovered that Midnight Blizzard was using stolen secrets to access internal systems and source code repositories. The company assures that the attackers did not touch any client infrastructure.

Amit Yoran, CEO of Tenable, commented:
“Midnight Blizzard isn’t some small-time criminal gang. They are a highly professional, Russian-backed outfit that fully understands the value of the data they’ve exposed and how to best use it to inflict maximum harm. Given Russia’s relationship with China and other strategic adversaries, the consequences get very troubling very quickly.

Microsoft’s ubiquity requires much more responsibility and transparency than they’ve consistently shown. Even now, they’re not sharing the whole truth – for instance, we don’t yet know which source code has been compromised. We should all be furious that this keeps happening. These breaches aren’t isolated from each other, and Microsoft’s shady security practices and misleading statements purposely obfuscate the whole truth.”


The following conclusions can be drawn from Microsoft's mistakes — it is necessary to:
● Implement multi-factor authentication for all accounts; compromise of one account = compromise of an entire organization.
● Monitor an abnormal number of login attempts both in one account and across several accounts at once.
● Balance the account lockout policy after a series of failed login attempts. The number of login attempts before an account is locked should be sufficient for users but not for hackers.
● Strictly monitor domain accounts, namely detect:
  ● Inactive accounts
  ● Accounts with redundant privileges
  ● Accounts with insufficiently strong passwords
An example of a product that meets these requirements is Tenable Identity Exposure.
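As an added example, not from the newsletter or from any product it mentions, the Python script below runs a password-spraying detector over constructed authentication events (the sample data and thresholds are assumptions): it flags a source that fails against many distinct accounts while staying under a per-account lockout threshold, which is exactly the pattern a lockout policy alone misses, and then lists accounts that subsequently logged in successfully from that source.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real data):
# (timestamp, account, source_ip, result). One source tries a single password
# once against six accounts and then succeeds against an old test account;
# a regular user mistypes her password twice and then logs in normally.
SAMPLE_EVENTS = [
    ("2024-01-10T02:00:01", "alice", "203.0.113.7", "fail"),
    ("2024-01-10T02:00:09", "bob", "203.0.113.7", "fail"),
    ("2024-01-10T02:00:17", "carol", "203.0.113.7", "fail"),
    ("2024-01-10T02:00:25", "dave", "203.0.113.7", "fail"),
    ("2024-01-10T02:00:33", "erin", "203.0.113.7", "fail"),
    ("2024-01-10T02:00:41", "svc-backup", "203.0.113.7", "fail"),
    ("2024-01-10T02:00:49", "test-legacy", "203.0.113.7", "success"),
    ("2024-01-10T08:15:00", "carol", "198.51.100.4", "fail"),
    ("2024-01-10T08:15:07", "carol", "198.51.100.4", "fail"),
    ("2024-01-10T08:15:20", "carol", "198.51.100.4", "success"),
]

def parse(events):
    """Parse timestamps and sort events chronologically."""
    return sorted((datetime.fromisoformat(ts), user, ip, res) for ts, user, ip, res in events)

def detect_spraying(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=2):
    """Return {source_ip: sorted sprayed accounts} for sources whose failed logins touch
    at least min_accounts distinct accounts inside one time window while no single
    account is tried more than max_per_account times. A per-account lockout counter
    never fires on this low-and-slow pattern, so it has to be correlated by source."""
    failures = defaultdict(list)
    for ts, user, ip, res in parse(events):
        if res == "fail":
            failures[ip].append((ts, user))
    alerts = {}
    for ip, attempts in failures.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward so attempts[start:end+1] spans <= window.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            per_account = defaultdict(int)
            for _, user in attempts[start:end + 1]:
                per_account[user] += 1
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                alerts[ip] = sorted(per_account)
    return alerts

def successes_after_spray(events, alerts):
    """Accounts that logged in successfully from a spraying source: the case of the
    old test account without MFA in the incident described above."""
    return sorted({user for _, user, ip, res in parse(events) if res == "success" and ip in alerts})
```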

Source: https://msrc.microsoft.com/blog/2024/03/update-on-microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/

Demonstration of detecting a Microsoft attack chain with Trellix XDR: https://www.trellix.com/blogs/research/midnight-blizzard-attack-detection-in-trellix-helix/  

Misconfiguration Manager: a tool to improve MCM security (SCCM)

Microsoft Configuration Manager (MCM), formerly known as SCCM, is a widely used tool for managing servers and workstations in Windows networks.

Specialists at SpecterOps discovered that attackers can use common MCM configuration errors to gain administrative privileges, up to and including taking over Active Directory. The situation is complicated by the difficulty of configuring MCM and the fact that default configurations are often insecure.

As a solution to this problem, Misconfiguration Manager was developed, a centralized knowledge base designed for:
● Attackers: describes 22 methods to exploit MCM configuration errors.
● Defenders: provides recommendations for strengthening MCM security and identifying potential attacks.

The tool and detailed information on its use can be found at the link:
https://misconfigurationmanager.com

It's Time to Update!

Microsoft
March Patch Tuesday fixes 64 vulnerabilities, including 2 critical ones. It's a smaller release compared to previous months. No vulnerabilities are currently listed as exploited, but this could change. 
Interesting fixes:
● CVE-2024-21407: Allows attackers to execute code on a Windows Hyper-V host machine from a guest OS.
● CVE-2024-21334: A remote code execution vulnerability in Open Management Infrastructure (OMI) with the highest CVSS rating in this patch.
● CVE-2024-26198: A remote code execution bug in Microsoft Exchange Server.
● CVE-2024-21400: An attacker can potentially take over confidential guests and containers in Azure Kubernetes Service.
● Tampering bug in Windows compressed folders (an attacker can potentially alter file contents).
● Multiple elevation of privilege vulnerabilities (mostly requiring local access).
● Security Feature Bypass vulnerabilities, including one that can prevent Windows Defender from starting.
● Information disclosure bugs, including one that allows attackers to view private files in Teams for Android.
https://msrc.microsoft.com/update-guide/releaseNote/2024-Mar
Apple
Apple released an urgent iOS update to address two critical vulnerabilities (CVE-2024-23225, CVE-2024-23296) that attackers exploited in targeted attacks. These vulnerabilities could potentially enable spyware installation. This is part of a larger trend of increasing zero-day vulnerabilities affecting Apple devices in 2024. Users of various iPhones, iPads, and iPods should update to iOS 17.4, iPadOS 17.4, iOS 16.7.6, or iPadOS 16.7.6 immediately. While Apple remains tight-lipped about the attackers and the specific attacks, they strongly advise users to update their devices for protection. 
https://support.apple.com/en-us/HT214081 
Adobe
This month, Adobe released six patches that address 56 vulnerabilities in:
● Adobe Experience Manager
● Premiere Pro
● ColdFusion
● Adobe Bridge
● Lightroom
● Adobe Animate
The largest number of vulnerabilities was found in Experience Manager — 44 CVEs. At the time the updates were published, none of the fixed vulnerabilities were listed in the database of actively exploited ones.
https://helpx.adobe.com/ua/security.html
VMware
VMware has released updates for ESXi, Workstation and Fusion that fix 4 vulnerabilities, 2 of which are critical — CVE-2024-22252 and CVE-2024-22253, both rated CVSS 9.3 (Critical). They can allow an attacker with local administrator privileges on a virtual machine to execute code on the host system.
https://www.vmware.com/security/advisories.html
