Midnight Blizzard Attack on Microsoft
Summary
This document describes who Midnight Blizzard is and the steps by which the group successfully attacked Microsoft.
Who is Midnight Blizzard?
Midnight Blizzard is known under many different names, including Nobelium, APT29 and Cozy Bear. It is a Russian state-sponsored threat group that emerged in the 2010s and has frequently run campaigns aimed at collecting diplomatic and political intelligence. The group has been involved in many different attacks, including:
* Democratic National Committee cyber attacks
* SUNBURST: attack on SolarWinds
* attack on Hewlett Packard Enterprise
* attack on TeamViewer
* attack on Microsoft
Which strategies were used?
- Password spraying
- Attacking a legacy, non-production test tenant account
- OAuth application abuse
- Privilege escalation manoeuvres
The Breach Mechanics: Step by Step
The attack targeted Microsoft’s Entra ID environment. Microsoft Entra ID is a cloud-based identity and access management solution. It provides users with a single sign-on experience regardless of whether their applications are cloud or on-premises-based.
Step 1: Initial Access
The attacker group chose to target a non-production test tenant, because security controls there might not be as stringent as in production environments. Test environments are often overlooked in security operations, making them more vulnerable to attack. The attacked test tenant account in Microsoft's environment did not use Multi-Factor Authentication and had a weak password, and was therefore vulnerable. The account was attacked using the password spraying method.
What is password spraying?
Password spraying is a form of brute-force attack. The attacker tries the same password against many accounts before moving on to another password. This method is particularly effective against accounts lacking robust security measures such as Multi-Factor Authentication (MFA).
The attacked application was a legacy test OAuth application that had elevated access to the Microsoft corporate environment.
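The signal described above, many failed sign-ins against distinct accounts from one source followed by a success, is what a defender looks for in sign-in logs. The following is an added example, not code from the original write-up or from Microsoft; it runs over a constructed set of sign-in events and the account and IP values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events, loosely modelled on Entra ID sign-in log
# fields (not real Microsoft telemetry): (timestamp, account, source IP, result).
SAMPLE_SIGNINS = [
    ("2024-01-12T01:00:05", "test-user01", "203.0.113.7", "failure"),
    ("2024-01-12T01:00:40", "test-user02", "203.0.113.7", "failure"),
    ("2024-01-12T01:01:12", "test-user03", "203.0.113.7", "failure"),
    ("2024-01-12T01:01:50", "test-user04", "203.0.113.7", "failure"),
    ("2024-01-12T01:02:30", "test-user05", "203.0.113.7", "failure"),
    ("2024-01-12T01:03:10", "legacy-test-svc", "203.0.113.7", "success"),
    ("2024-01-12T01:05:00", "alice", "198.51.100.9", "failure"),
    ("2024-01-12T01:05:20", "alice", "198.51.100.9", "success"),
]


def parse(events):
    """Parse timestamps and return events in chronological order."""
    return sorted(
        (datetime.fromisoformat(ts), user, ip, result)
        for ts, user, ip, result in events
    )


def detect_password_spray(events, window=timedelta(minutes=30), min_accounts=5):
    """Flag source IPs whose failed sign-ins hit >= min_accounts distinct accounts
    inside a sliding time window (one password tried across many users), and
    record any account that signs in successfully from that IP afterwards."""
    failures = defaultdict(list)  # ip -> [(time, account)] for failed sign-ins
    flagged = {}                  # ip -> details of the suspected spray
    for t, user, ip, result in parse(events):
        if result == "success":
            if ip in flagged:  # a success from a spraying IP is the real alarm
                flagged[ip]["succeeded_after_spray"].add(user)
            continue
        failures[ip].append((t, user))
        recent = {u for ft, u in failures[ip] if t - ft <= window}
        if ip in flagged:
            flagged[ip]["accounts_targeted"].add(user)
        elif len(recent) >= min_accounts:
            flagged[ip] = {"first_seen": t, "accounts_targeted": set(recent),
                           "succeeded_after_spray": set()}
    return flagged
```

Widen `window` (hours or days) to catch low-and-slow sprays that stay under per-account lockout thresholds; an entry with a non-empty `succeeded_after_spray` set is the account to treat as compromised.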
Step 2: Privilege Escalation
The attackers acquired an access token using the credentials of the compromised OAuth test application. This token provided access to the corporate tenant, leveraging the elevated permissions that had previously been granted to the application. The problem here was that the legacy OAuth test application had been granted excessive privileges.
With those permissions and the access token they were able to create a new user account to grant consent in the Microsoft corporate environment. They assigned the newly created user the Global Administrator role. The creation of the new user automatically led to the creation of a Service Principal for each malicious app registration within Microsoft's corporate tenant.
Step 3: Embedding multiple backdoors
The attackers created additional OAuth applications, which might be a strategy to embed multiple backdoors within the environment and thus complicate detection and eradication efforts, ensuring persistent access for the attackers. With this strategy they ensured that they had multiple access points, so that even if one application was discovered and neutralized, others could still be used for malicious activity.
Step 4: Granting Extensive Permissions
The newly created OAuth applications were granted very high permissions, which allow extensive access and privileges to Office 365 applications, including access to target mailboxes.
Step 5: Information collection
With this, they were able to access any mailbox within the corporate tenant, effectively compromising the confidentiality of Microsoft's internal communications.
Mitigation
* Implement Multi-Factor Authentication (MFA)
* Ensure test environments have the same security standards as production environments
* Monitor and audit permissions: apply the principle of least privilege (limiting access to the minimum necessary to perform job functions)
* Secure and monitor app registrations: control the creation and management of OAuth applications and implement approval processes
* Implement anomaly detection and behavioral analytics to detect unusual activities that could indicate an attack
* Update or replace legacy systems