Key takeaways from the Midnight Blizzard Attacks

April 1, 2024
Evolving cybersecurity threats require resources to reduce an organization’s attack surface and, in particular, its identity attack surface

No organization is immune to cyber threats, and the recent Midnight Blizzard attacks on Microsoft prove just that. Phishing attacks against major organizations will continue to prevail, and we can only expect threat actors to get more sophisticated and inconspicuous in the artificial intelligence (AI) era.

The attack on Microsoft was coordinated by Midnight Blizzard, a threat group affiliated with Russia's Foreign Intelligence Service and formerly tracked as Nobelium. According to Microsoft’s statement, the attackers used password spraying to gain access to a test account; once that succeeded, it led to the compromise of corporate email accounts, including those belonging to senior leadership. From there, the attackers were able to exfiltrate account identities and use them to access emails and attached documents. The breach is said to have occurred in November 2023; however, Microsoft did not detect it until months later.

Identity continues to be the most used attack method and weakest link in everyday security postures. Every organization needs to reevaluate and evolve its cybersecurity strategies to keep pace with the sophisticated tactics employed by nation-state actors and keep a hyper-focus on identity. In fact, 83% of organizations have experienced data breaches involving compromised credentials, and 65% haven’t implemented multi-factor authentication (MFA) where it matters.


Midnight Blizzard’s tactics, which began with a password spray attack on a legacy, non-production test tenant, underscore several critical areas for immediate action and reflection within organizations' everyday cybersecurity practices.

Improving Cybersecurity in the Enterprise

Gaps in an organization's identity security posture continue to expose its IT infrastructure and make it easy for bad actors to gain access—essentially walking through an unlocked back door. Threat actors will continue to capitalize on this cybersecurity gap as it’s relatively easy to escalate privilege and move laterally throughout an organization without triggering alerts—just like we saw with Midnight Blizzard.

Security teams must evaluate and enhance current security measures to best protect their data, employees, and attack surfaces. Three ways to do this include:

  1. Pay attention to MFA: While Microsoft now enforces MFA by default to bolster security, the Midnight Blizzard attack accentuates the need for organizations to meticulously review all existing tenants, including older ones, to ensure MFA protection is everywhere. It’s a stark reminder that legacy systems and configurations can provide inadvertent entry points for attackers, making it imperative that we extend modern security measures retrospectively across all digital assets.
  2. Over-privileged test tenants: Recent Silverfort data found that 7% of user accounts inadvertently hold admin-level access privileges. A critical lapse identified in the attack was the excessive permissions granted to a test tenant, which allowed access to Microsoft’s corporate environment. Stringent monitoring and restriction of permissions for OAuth apps and other integrations within both production and non-production environments is vital for all organizations. Ensuring that test tenants adhere to the principle of least privilege and are segregated from production systems can also make or break efforts to minimize the risk of such vulnerabilities.
  3. Continue phishing education: Every organization, regardless of size or industry, can be subject to a breach. Seeing that business emails of a “security-aware” company like Microsoft can be compromised is a reminder that an email address cannot be the sole proof of authenticity—even if the email looks legitimate or appears to come from a trusted company. Regardless of level or time in the role, organizations need to conduct regular security training to ensure all employees are up to date on the proper procedures. These training sessions should cover not entering personal credentials after clicking on email links, and not opening files without verifying the sender. Alternatively, files can be opened in a sandbox.

The Future of the Identity Attack Surface

It is impossible to say that an organization can 100% stop cyber attackers, but there are things teams can do now to reduce their attack surface and, more specifically, their identity attack surface. Recent breaches, beyond just the Midnight Blizzard attacks, show the detrimental impact of the identity attack surface—look back at SolarWinds, U.S. OPM, and Marriott, for example. We’ve seen repeatedly where traditional MFA fails. With so many options for gaining initial network access, organizations must go beyond traditional MFA and endpoint security and use identity protection methods that focus on stopping lateral movement and closing the back door for attackers.


Many free tools are entering the market to address these identity concerns. For example, LATMA is an open-source tool that helps security teams uncover lateral movement attacks. It works by collecting authentication traffic from Active Directory (AD) environments and running a series of algorithms over it to identify suspicious movements. By understanding what is included in an attack surface and how far it spans, teams can have a clearer picture of their defense gaps and begin investing in the right technology to protect the organization. Teams need to review not only active threats and potential vulnerabilities but also look at the wider industry to see how they can better defend against tomorrow’s new technology.
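To make the two detection problems this article touches on concrete, the following is an added illustration, written for this page and not code from LATMA, Silverfort, or Microsoft. It parses a constructed authentication log (the pipe-delimited format, host names, account names, and thresholds are all assumptions) and applies two simple sliding-window rules: one that flags the password-spray shape described earlier (one source failing against many distinct accounts, with only a few attempts per account), and one that flags lateral movement (one account succeeding against several distinct hosts in a short window, with a check for whether each hop starts from a host reached by an earlier hop).

```python
"""Constructed example: spotting password spraying and lateral movement in
authentication logs. Illustration code written for this article, not LATMA's
or Silverfort's code; the log format, field names and thresholds are
assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    source: str    # host or IP the authentication came from
    account: str   # account that tried to authenticate
    target: str    # host or service authenticated to
    success: bool


def parse_log(text: str) -> list[AuthEvent]:
    """Parse constructed 'timestamp|source|account|target|RESULT' lines, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, source, account, target, result = (f.strip() for f in line.split("|"))
        events.append(AuthEvent(datetime.fromisoformat(ts), source, account,
                                target, result.upper() == "SUCCESS"))
    return sorted(events, key=lambda e: e.ts)


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_accounts=5, max_per_account=2):
    """Flag a source that fails against many distinct accounts with only a few
    attempts each inside the window: the low-and-slow shape that stays under
    per-account lockout thresholds."""
    failures = defaultdict(list)
    for e in events:
        if not e.success:
            failures[e.source].append(e)
    findings = []
    for source, evs in failures.items():
        start = 0
        for end in range(len(evs)):          # sliding window over this source's failures
            while evs[end].ts - evs[start].ts > window:
                start += 1
            per_account = defaultdict(int)
            for e in evs[start:end + 1]:
                per_account[e.account] += 1
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_per_account):
                findings.append({"source": source, "accounts": sorted(per_account),
                                 "first": evs[start].ts, "last": evs[end].ts})
                break                        # one finding per source is enough
    return findings


def detect_lateral_movement(events, window=timedelta(minutes=60), min_hosts=3):
    """Flag an account that authenticates successfully to many distinct hosts
    inside the window; 'chained' is True when every hop after the first starts
    from a host reached by an earlier hop, the classic pivot pattern."""
    by_account = defaultdict(list)
    for e in events:
        if e.success:
            by_account[e.account].append(e)
    findings = []
    for account, evs in by_account.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            hops = evs[start:end + 1]
            hosts = {h.target for h in hops}
            if len(hosts) >= min_hosts:
                chained = all(hops[i].source in {p.target for p in hops[:i]}
                              for i in range(1, len(hops)))
                findings.append({"account": account, "hosts": sorted(hosts),
                                 "chained": chained, "first": hops[0].ts,
                                 "last": hops[-1].ts})
                break
    return findings


# Constructed sample log: one spray from 10.0.0.5 that lands on a test account,
# that account then pivoting through three hosts, plus a user mistyping a password.
SAMPLE_LOG = """
2023-11-20T02:00:00|10.0.0.5|alice|host-test01|FAILURE
2023-11-20T02:01:00|10.0.0.5|bob|host-test01|FAILURE
2023-11-20T02:02:00|10.0.0.5|carol|host-test01|FAILURE
2023-11-20T02:03:00|10.0.0.5|dave|host-test01|FAILURE
2023-11-20T02:04:00|10.0.0.5|erin|host-test01|FAILURE
2023-11-20T02:05:00|10.0.0.5|svc-test|host-test01|SUCCESS
2023-11-20T02:25:00|host-test01|svc-test|mail01|SUCCESS
2023-11-20T02:40:00|mail01|svc-test|fileshare02|SUCCESS
2023-11-20T08:00:00|ws-alice|alice|mail01|FAILURE
2023-11-20T08:00:30|ws-alice|alice|mail01|FAILURE
2023-11-20T08:01:00|ws-alice|alice|mail01|SUCCESS
"""

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for f in detect_password_spray(events):
        print("password spray:", f)
    for f in detect_lateral_movement(events):
        print("lateral movement:", f)
```

On the sample, the spray rule reports only 10.0.0.5 (alice's two mistyped passwords from her own workstation involve a single account and are not flagged), and the lateral-movement rule reports only svc-test, with `chained` set because each later hop originates from the host reached by the previous one. Real AD telemetry would need the same two questions asked of Kerberos and NTLM events, with thresholds tuned to the environment's normal authentication volume.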

The security industry puts plenty of time, resources, and money into detecting malware and removing malicious software; it's time to put the same investment and dedicated resources into spotting and stopping lateral movement and better securing identities.

Yaron Fishkin is co-founder and CTO of Silverfort, where he has worked for eight years. Previously, he was a data science consultant for Cisco and has also worked as a software development engineer at Microsoft. He holds a PhD in computer science from the Israel Institute of Technology.