Microsoft actions following attack by nation state actor Midnight Blizzard (microsoft.com)
280 points by nycdatasci 8 months ago | 188 comments



"We were pwned by the Russians (again) and they were reading all of Satya's emails, but it's okay, they were just looking for shout-outs to post in their interoffice Telegram channel for the lulz."

I understand that the company has to minimize every breach but this frankly looks a lot more serious than Microsoft suggests here.


I like this bit

  ... a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents. 
Yeah, at least they make a very small percentage of all Microsoft employees I guess


Also this:

"To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems."

So email accounts of senior leadership and employees in cybersecurity are apparently not production systems.


No, they are not. Production systems are the systems that are producing money. If they stop running for an hour, it directly costs the company money through SLA penalties, etc. If the internal email server goes down for an hour, it might cause some employee productivity loss, depending on the timing.


That may be how Microsoft would like to portray it but I disagree.

A production system is a system that is operated to serve its actual purpose rather than being used as a development or testing environment.

From the point of view of in-house IT, the company's email server is a production system. It is what they produce for their in-house customers.


That is how it has been defined at every SAAS company I have worked for. When someone says there is an outage in production, it means your product.


In the context of an outage at a service provider this slightly sloppy language is sufficient to convey all relevant meaning.

In the current context, this language is part of a pattern to carefully choose words in such a way as to downplay what has happened.

As I said, the work of the CEO, the cybersecurity team and the legal team is part of the overall production process at a software company.


Okay, but then why also not consider chairs breaking in the office to mean part of the production is down? Or a coffee machine?


If my coffee machine suddenly stopped working it would definitely have a detrimental effect on production. I can guarantee you that :)

But in general I would say routine janitorial maintenance issues don't have quite the same potential to affect production as Russian criminals reading the email of Microsoft's cybersecurity team.


The only definition that matters is the practical definition that most people would think of, not what the “book” says. Whenever someone tells me “production is down” I think that customers are screwed. If they told me our internal email servers are down, I would smack them in the head because my stress levels went up for nothing. Internal servers are not production.


But we're not talking about a service outage. In the context of an outage at a service provider I might agree with you.

In this instance, a system used by the cybersecurity team to do its actual job was breached - not some development or testing server.

We don't know what it was exactly that these attackers were looking for or what they found. But it is absolutely possible that the information they gained enables them to protect an ongoing or future attack against Microsoft's customers.


I think I disagree but we might be in agreement based on your thoughts… internal servers that are in the path of data pipelines that customers need are also production. For example, let’s say you have a warehouse and there is some way to manage inventory in there. No customer goes into Microsoft Dynamics themselves. However, this Microsoft Dynamics is production because our customers rely on the data it provides.

It doesn’t matter to customers if Microsoft Teams is down and we are talking to each other internally using iMessage and Signal, but anything that is in the data path is production.


> Internal servers are not production.

I’m going to take a wild guess here and say you don’t really run any kind of system. “Internal is not production” is the weirdest statement I have heard in a long time.

Of course these systems are production. Not only production, but _P1_ level production.


If the blog post was written by their internal IT team, you’d be totally justified in reading “production” to include their internal systems.


No. Whether or not a system runs in production as opposed to a testing/development environment is not a question of who is writing a blog post.

Microsoft produces software and services. The communications of their CEO as well as their cybersecurity and legal teams is part of that overall production process.


Test environments serve the production purpose of testing software.


That's pure sophistry.

A system used by the cybersecurity team for its day to day work was breached by attackers constantly trying to break into customer systems.


They mean root access on the production email servers, not access to individual email accounts.


"any access to customer environments, production systems, source code, or AI systems" does not mean root access. It can also mean access to data.


When having an incident like that, always figure out what is the largest denominator you could compare the exposure against.


I love how they emphasize only few were exposed. Like just a few, only our senior staff and cybersecurity team... I mean -- they aren't lying, but... Wow


"very small percentage"

1% of 238,000 employees is a "very small percentage" and still 2,380 employees. Insight into certain operational information and potentially undisclosed/unpatched zero days could be monumentally valuable to a nation state actor.


Isn't the rule "if you are being targeted directly, lose all hope"?


Never lose hope. If you can't protect the data, poison it!


I wonder, is it any different if it's not just the average "you", but a CEO? Don't they have additional security measures? Maybe not, I think Jeff Bezos's WhatsApp was hacked a few years ago...


The Friday evening blog post also seems designed to brush this under the rug.

"We will act immediately to apply our current security standards to Microsoft-owned legacy systems and internal business processes"

In other words: Microsoft will adopt their own security standards. Curious whether their SOC reports mention these are optional?


Is there any basis for this group being "nation-state" or are they just trying to make themselves seem less incompetent by inflating the attackers' reputation?


And somehow it's always cross tenant issues for easy lateral movement, because Azure ASNs are always allowlisted specifically to bypass all kinds of filters.

Microsoft is pretty learning resistant lately. Always prioritize the spamming customers, I guess?


Not to downplay the severity but honestly, every breach I read about seems “serious” but very rarely does anything of consequence happen with these events.

Azure was owned pretty hard a while back, very little was ever heard of it again.

Is the drama of them appealing ? What might we expect to happen from this ? They’ve read Satya’s email ?


How do you know if nothing happens? It isn't like the people siphoning, selling, or purchasing this data are broadcasting their wins on news aggregators.


It makes the news when an entity like Microsoft gets cracked, but when their users get robbed or otherwise hurt as a consequence it will hardly make the news. You not knowing of the consequences doesn't mean they don't exist.


The company will be making record profits next year. There maybe consequences but nothing consequential in the grand scheme of things.


Turns out there's more possible consequences than company profits being impacted.

Users are more than just things you milk for cash, they're people that trusted you and your product.


I find this reply incredibly cynical.

GP is clearly saying "this is important because small people will get hurt invisibly" and your hot take is that them being exploited isn't going to impact Microsoft's bottom line, so this isn't newsworthy?

This is vice-signaling.


Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents. The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself. We are in the process of notifying employees whose email was accessed.

It says nothing about users being compromised.

This is why they won’t do anything about it though ? Do you understand how it works ?

They’re not going to do anything about the consequences for the users until it impacts their profits.

Name one person who is done with Microsoft after this?


I think the confusion lies between the terms "consequences" and "consequences for Microsoft". There won't be consequences _for Microsoft_ but there will be consequences for regular people. Saying there won't be consequences full stop implies you don't consider the damage to regular people as worthy of discussion or consideration


> It says nothing about users being compromised.

Making my point. It doesn't mean users weren't compromised. And even if it did, that doesn't make it so for every security breach.


> Azure was owned pretty hard a while back, very little was ever heard of it again.

From what I recall, it was a Chinese APT (designated as Storm-0558, which I think means they could not reliably attribute it to any group: https://malpedia.caad.fkie.fraunhofer.de/actor/storm-0558), that was sitting on developers’ workstations long enough to get access to a master signing key from a memory dump that ended up on one of the workstations. They then used it to access US government officials’ emails (Department of State if I recall correctly), which supposedly gave China a strategic advantage and a better understanding of the inner workings of US foreign policy.

You will not see it in the news that China got favourable terms in some negotiations with a country in Africa (an area of Chinese interest) and the US got less favourable terms than it could have gotten because the Chinese negotiators knew something.


Well, Microsoft always took security very seriously. Oh, wait... /s


Microsoft filed this late today with the SEC[1] just before they stopped accepting new filings for the day under their new Cybersecurity Incident disclosure rule[2]. FWIW, two other publicly traded companies disclosed[3] their breaches since the rule went into effect last month.

[1] https://www.sec.gov/Archives/edgar/data/789019/0001193125240...

[2] https://www.sec.gov/news/press-release/2023-139

[3] https://last10k.com/stock-screeners/cybersecurity


Actually there have been more, e.g. LoanDepot, Inc [1], and then various amended 8-Ks. I’ve been hacking on a side project to parse the 8-K data, which is all over the place, including some companies still reporting under old “items” like 8.01 vs the new 1.05 material cybersecurity incident item.

If folks are interested in this space, I just got the mailing list [2] running last night and you can see a list of all the current incidents on my Incident Tracker [3].

I have many more data points I plan on tracking as well as adding 10-K GRC items to the list (potentially helpful for CISOs, other risk managers and investors to evaluate a company's risk management maturity).

Welcome any feedback!

[1] https://www.board-cybersecurity.com/incidents/tracker/202401...

[2] https://www.board-cybersecurity.com/alerts/

[3] https://www.board-cybersecurity.com/incidents/tracker/


> Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts [...]

> The attack was not the result of a vulnerability in Microsoft products or services.

Hmm...


It’s technically correct but misleading: the products are not inherently flawed but their lack of MFA means the product wasn’t used in a secure configuration. I hope that this is held against them by regulators or in court because they’ve known and even advocated for FIDO2/WebAuthn for years and there’s no excuse for not requiring them by policy.


They mention it was a password spray guess.


My point is that if one can guess the password on a random test box and through that gain access to critical internal systems, you have lost the right to call your system "not vulnerable".


I'm guessing they don't know what a password spray is?


What is it? Just spam a form with passwords?


Well, if your "legacy non production test tenant" can be opened by just guessing passwords, and it allows access to "very much in use production non-test" tenants, then you could say MS has a vulnerability. It may not be a buffer overflow, but it is a vulnerability nonetheless.


Yes, and I think most people would consider it a vulnerability if an authentication system doesn't rate-limit or otherwise slow/stop "password spray" attacks.


You can rate limit individual users, but password spray attacks use a large number of accounts to remain undetected in an authentication system used by even more users.


{rolls eyes}

This is precisely the kind of 1990's level basic heuristic that this company cites as part of their Sentinel security system.

Trying to excuse a breach by 'the attacker tried a few passwords against lots of different accounts' is not compelling.


We are getting 10000x times the number of wrong passwords than average, I'm sure it's nothing to worry about.
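The exchange above (what a password spray is, and why per-account rate limits and lockouts do not stop one) is easier to see with detection logic run over sign-in events. The following is an added example, not code from Microsoft, Sentinel or anyone in this thread. The log line format, field names, account names, IP addresses and thresholds are all constructed for illustration; a real Entra ID sign-in log has different fields but the same two aggregations apply.

```python
"""Password-spray detection over constructed sign-in logs.

Added example, not code from Microsoft or the original thread. Log format,
field names, accounts, IPs and thresholds are constructed for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    source_ip: str
    result: str  # "success" or "failure"


def parse_events(lines):
    """Parse lines like '2023-11-20T09:01:00 user=bob ip=203.0.113.7 result=failure'
    (a constructed format, not a real Entra ID sign-in log)."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(SignIn(datetime.fromisoformat(ts_str), kv["user"], kv["ip"], kv["result"]))
    return events


def _failures_by(events, key):
    """Group failed sign-ins by `key(event)`, each group sorted by time."""
    groups = defaultdict(list)
    for e in events:
        if e.result == "failure":
            groups[key(e)].append(e)
    for evs in groups.values():
        evs.sort(key=lambda e: e.ts)
    return groups


def per_account_lockouts(events, threshold=5, window=timedelta(minutes=15)):
    """Classic per-user control: lock an account after `threshold` failures
    within `window`. Returns the accounts that would lock. Catches brute
    force against one account; a spray stays under the threshold per account."""
    locked = set()
    for user, evs in _failures_by(events, lambda e: e.user).items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            if end - start + 1 >= threshold:
                locked.add(user)
                break
    return locked


def detect_spray(events, window=timedelta(minutes=15), min_accounts=8, max_per_account=2):
    """Spray signature: one source fails against many distinct accounts, with
    only a few attempts each (i.e. below the lockout threshold). Aggregating by
    source rather than by account is what makes it visible.
    Returns {source_ip: sorted list of sprayed accounts}."""
    findings = {}
    for ip, evs in _failures_by(events, lambda e: e.source_ip).items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            per_user = Counter(e.user for e in evs[start:end + 1])
            low_and_slow = sorted(u for u, n in per_user.items() if n <= max_per_account)
            if len(low_and_slow) >= min_accounts and len(low_and_slow) > len(findings.get(ip, [])):
                findings[ip] = low_and_slow
    return findings


# Constructed sample log: a spray, a brute force, and a benign mistype.
SPRAYED = ["alice", "bob", "carol", "dave", "erin", "frank",
           "grace", "heidi", "ivan", "judy", "mallory", "olivia"]
SAMPLE_LOG = (
    # Spray: one guess per account from one source, one minute apart.
    [f"2023-11-20T09:{i:02d}:00 user={u} ip=203.0.113.7 result=failure" for i, u in enumerate(SPRAYED)]
    # Brute force: six guesses at a single account within seconds.
    + [f"2023-11-20T09:30:{i:02d} user=svc-legacy ip=198.51.100.9 result=failure" for i in range(6)]
    # Benign: a user mistypes twice, then signs in.
    + ["2023-11-20T10:00:00 user=peggy ip=192.0.2.5 result=failure",
       "2023-11-20T10:00:20 user=peggy ip=192.0.2.5 result=failure",
       "2023-11-20T10:00:40 user=peggy ip=192.0.2.5 result=success"]
)


def run_sample():
    """Run both controls over the sample; returns (locked accounts, spray findings)."""
    events = parse_events(SAMPLE_LOG)
    return per_account_lockouts(events), detect_spray(events)


if __name__ == "__main__":
    locked, sprays = run_sample()
    print("per-account lockouts:", sorted(locked))   # only svc-legacy
    print("spray sources:", sprays)                   # 203.0.113.7 -> 12 accounts
```

On the sample, the per-account lockout fires only for the brute-forced `svc-legacy` account, while the twelve sprayed accounts each see a single failure and never lock. Grouping the same failures by source instead flags 203.0.113.7 against all twelve accounts, and does not flag the user who mistyped twice. Real sprays rotate source addresses, so in practice the "source" key is often a combination of ASN, user agent and timing rather than a single IP, but the aggregation is the same.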


It was a legacy test system connected to a production system so it doesn't count. Obviously. /s


How did they pivot from a test tenant to corporate email access?

That's the most concerning fact that they just glossed over.


You know, they pivoted.

Non-production tenant PIVOT Satya’s email inbox. Like that.


1. Password spray

2. Access non-prod environment

3. ???

4. "Look at me, look at me, I am the CEO now."


I reflexively read #4 to the tune of Flobots - Handlebars


It was a "Captain Phillips" reference for me.


Reflexively? That song is almost 20 years old! (oh god now I feel old too)


underrated comment



I suspect more corpos have exposure like this than any of them would like to admit. E.g.: BigCo picks up a company SmallCo, and inherits their systems for some time. There's some cruddy ancient CRM, IT or travel system, and some random test tenant, that has hooks to email, and from there it's a short step to enumerate targets, send auto-generated emails from a trusted system and the hackers are off to the races.


Yes, it can be an endless headache. A company I worked for had acquired a smaller company with some products and services that nicely complemented our own products and services. From the outside it was a good match and for the most part, the integration went well, but they had been using Rational ClearCase for over two decades and absolutely didn't want to migrate to git and the rest of our tool suite. They had very little turnover in their IT department and things ran very well for them, but higher ups wanted everyone integrated into a single system and the accounting folks wanted to stop paying fees for all the Rational stuff, especially since they hated dealing with IBM. Infosec had pretty much no knowledge of how to best secure anything on that side and the acquired company had nearly no infosec capabilities of their own. When I left, it was still a point of contention that didn't look to get resolved any time soon.


Just guessing but perhaps with a phishing attack on a Microsoft domain.


This is genuinely something I hadn't considered. A test tenant may have been in a more than ideal position to stage phishing attacks from. Hopefully this is the case, and not a more concerning lack of disclosure or shudder NSL situation.


I wouldn't put it past them to straight up lie about the vector. How many have worked in these situations where some slick dicky worked up the word salad to make issues sound like non-issues?


Haha "...access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents."

Seems like a big deal. Also, this may be why I've been getting massive amounts of "unusual account sign-in activity" emails from Microsoft about an old Outlook account I no longer use...

Hopefully these state actors can get access to my VSTS server I no longer can find and deploy an old app for me ;)


Interesting that they seem to suggest that applying security is now more important than avoiding service disruptions. This may be the hopeful dawn of a new era.


I work in the security space. It is the dawn of an era where all the makers are stamped down under the boot of ridiculous security theater via regulation for "security" and "protection", and the current interests become entrenched to ensure a couple of guys in their garage can no longer upset the behemoths of the tech space.


Well well well.. how the turn tables.

It's karma after years of my windows machine forcing a restart for a security update while I'm working on something in the middle of the day..


It is indeed the beginning of a new AI related era. But why cloud services, Microsoft? There is already a new infrastructure on the way better suited for AI, called edge computing. I'm not talking about completely eliminating cloud services. But solely depending on these kinds of services could lead to further problems later, because this topic (national security) is very serious for all of us.


It won’t be. Everyone will forget about this in a week and it will be BAU. Like every other breach.


They should look at upgrading their Entra ID plan to P2 in order to protect against these attacks.


And all things considered, an AI security assistant like Copilot might be a good investment too, if they lack highly skilled front line security staff. Not to mention, AI generated automated playbooks in Sentinel to automatically apply Zero Trust principles!

I also wonder if they had upgraded all of their Subscriptions to Defender for Cloud CSPM Tier 2 in order to use the premium Cloud Security Attack Graph explorer, and then enabled Workload protections, this tragedy could have been averted.

It’s going to take an army of motivated sales engineers to protect against these new cybernetic attacks by augmented warfighters.


Lost my sanity there for a moment before realizing what you did. Good job!


I wonder if they switched from user-based MFA to Conditional Access MFA yet, maybe they forgot to enable alerting for non-interactive logins. Maybe they forgot to update the Log Analytics Agent to the Azure Monitoring Agent. /s


Did they release this late on a friday to downplay the scope of the attack?

If they had top leadership accounts and service accounts hacked just by password protection, it sounds like a major security fubar.


Releasing news after the stock market is closed gives traders a chance to digest the news before trading begins the next day.

(Which doesn't explain why it's on a Friday.)


It could be sort of neat if there was a convention for all news agencies and press rooms to queue up all their stories and release them after the end of the business day.

Why advantage parties that can process in less than 12 hours? Rushing analysis just makes it worse.


Traditionally, the weekend gave even more time to sleep on it. Modern near 24/7 trading makes that less of a thing. Back when the traders went home, there was a cooling off period, just like the circuit breakers to stop trading on big loss days to get the humans to stop and think for a second/minute/overnight. The high frequency trading doesn't have these emotions to cool down from, so it's still something that seems to be done on tradition now.


trading MSFT doesn't cease when the NASDAQ closing bell rings


Still, it seems to be the custom.


it's the custom because it's not just stock trading that they care about, it's brand/image, and weekends give the story time to disappear from the headlines, being replaced by new stories. Fewer people are paying attention to the news over the weekend.


if you're a retail investor maybe

there's thousands of ways to get exposure to MSFT one way or the other beyond the primary market


> access a very small percentage of Microsoft corporate email accounts

Ok, so far so good.

> including members of our senior leadership team

Ahhh, so maybe the attackers were after the senior leadership team and therefore stopped at the "very small percentage".


Seems weird to word it as “a very small percentage” instead of “a very small number” unless the number was a little bigger than they want to admit.


yes, at least 1% of their users

which is a very large number

> To date, there is no evidence that the threat actor had any access to customer environments, *production systems*, source code, or AI systems.

senior executive's email accounts aren't production?

having every western company use the garbage that are Microsoft's hosted products (notably Teams and Outlook) is a national security issue that's a massive disaster that's just waiting to happen


I agree around Teams and Outlook, but what is the alternative? Google? AWS? Self host? Honest question, because the way enterprise tends to work, they want to offload the responsibility to a third party so when information does leak or get hacked, they can blame someone else.


Google or self-host.

With self-hosting you get to use things now considered legacy (e.g., IMAP servers), but I definitely have seen them working for organisations with thousands of employees. You’ll need staff to support it, too, but at some scale it will not be more expensive than cloud services. Yet, you’ll have more control over it.

OTOH, some things will definitely be less feature-rich, for example, on-prem Sharepoint (not that I recommend using it) may not live up to the expectations of users familiar with the online version.


> but what is the alternative? Google? AWS? Self host?

I mean, given this was possible:

> used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts

pretty much anything is going to be better than letting Microsoft host your email/corporate data


[flagged]


Got a reference for that?

To be clear: I've never heard of any such thing. I happen to work for Google, but I'm open the possibility that this happened and I didn't hear about it.


They probably confuse it with Russians hacking Yahoo and having access to user account admin interface: https://www.csoonline.com/article/560623/inside-the-russian-...



The denominator is "Microsoft corporate email accounts." I interpret that as email accounts of the Microsoft organization (management, employees, and so on), but not customers.

It's pretty embarrassing and not very reassuring that they themselves got owned, but they wanted to tell their customers that they didn't.


This kind of attack can happen on any tech stack where bad passwords have ever been allowed. The dunking is obviously fun, but the fact that the underlying technology happened to be Microsoft’s is largely irrelevant.


Yeah, it’s just that companies with less legacy have less chance of having a system that can be compromised in this way. Conversely, Microsoft is almost guaranteed to have one.


Ahh, a cult follower, let me guess, you are doing C# full time and it is the greatest programming language ever created ?


I’ve noticed in PR it’s very common (I’d say even standard practice) to use percentages to hide absolute numbers, and vice versa


>Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts

I have so many questions from this sentence alone. What did they password spray? Microsoft's internal identity provider? Was the non-prod system internet facing? Why isn't MFA enforced?


They got Kerberoasted and don't want to admit it publicly.


Indeed. How can they not be mandating MFA?


Maybe this is why it only affected leadership team. Maybe they can circumvent requirements meant for lowly employees.


I wonder which mail client the execs were using. If Outlook, their messages would be already harvested by 700+ companies[0] and another leak wouldn't be an issue.

[0] https://news.ycombinator.com/item?id=38441710

[0] https://news.ycombinator.com/item?id=38953618


Ever since Delve was introduced, Microsoft Outlook has felt weird to me


I’m not familiar with Delve. Care to elaborate?


Delve could lead to accidental document sharing with peer accounts?

https://learn.microsoft.com/en-us/sharepoint/delve-for-offic...

Microsoft365 is deprecating Delve in December 2024


Um. Why does "a legacy non-production test tenant account" have "permissions" for "email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions"?


The usual reasons include: oversight; mistake; incompetence.


Why do they say "nation state actor", isn't "state actor" the correct term? I thought Russia, like the UK and many other states, is a multinational state, including numerous languages and cultures.


I've always wondered why infosec people love this expression so much. Maybe "nation state" just sounds more impressive. Who cares what the state is composed of? Or is it "nation/state", one or the other?


Clearly only a nation-state threat actor could have pulled off this highly sophisticated cyber attack of ... Spraying passwords


Seems a bit out of style to blame the Russians, but I guess that describes Microsoft in general.


Maybe to make it clear to American readers it's not Iowa?


> Why do they say "nation state actor"

A Nation-State is the idea of a homogeneous nation governed by its own sovereign state, where each state contains one nation.


And that definition doesn't describe the Russian Federation. There are many nations within Russia, ones you may have heard of are Bashkortostan (in the news this month due to protests) and Chechnya (civil wars in the 1990s). It is not a homogeneous federation.

https://en.wikipedia.org/wiki/Republics_of_Russia


Indeed, the term doesn't describe any of the 3 countries it's most often applied to (the others being China and the USA).


Perhaps de jure it's not, but in reality it's clear that Russia is a hyper-centralised city-state (Moscow) in all respects.


Yeah I find this particularly funny with infosec because the usual state {level,funded,sanctioned} actors are Russia, Iran, and North Korea, of which only one is a nation state.


"compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents."

Does a non-production test account usually have permission to access email accounts of the senior leadership team? Is that a security best practice?


I'm wondering how many hacks like this must occur before companies start caring about hiring good developers with a proven individual record instead of those who can solve the most gimmicky puzzles in 30 minutes.

There are developers out there with excellent track records who have built bug-free solo projects which prove their excellence and yet can't find a job in this economy. Some of these developers have also proven themselves to work well in a team so there is no excuse to ignore them. They are excellent both as lone wolf and team player. Companies should desperately look for them and recruit them. Only such developers can save companies from technical decay.


>Microsoft has identified the threat actor as Midnight Blizzard, the Russian state-sponsored actor also known as Nobelium

How do they identify those groups?


They are just making it up.

Security people often seem to be of the militaristic type, so I guess they add a slice of warmongering to it to play ball.

Iran, North Korea and what not. Very convenient since it is not falsifiable in practice.


They are certainly identifiable from their work. State hackers are professionals and they work like other professionals do; they work 9-5 in their local time zone and they have modular implants with code reuse. Amateurs aren't like this.


That's basically the only argument I've heard so far - if a hacking activity happens between 06:00 UTC and 14:00 UTC then it must be the Russians, otherwise it's someone else. Doesn't sound like a very strong argument?

"Modular implants with code reuse" - sounds like exploit kits you can buy on hacking forums.


> "Modular implants with code reuse" - sounds like exploit kits you can buy on hacking forums.

This isn't a category argument, they're using a different one than what you can get on forums.


From the artifacts they leave behind after the attack, broadly speaking.


Easily, they have "vam pizda" and "blyat" sprayed around in their malicious scripts.


Why does the data security industry seem to be so into obfuscated jargon? It’s like a new industry microcosm corporatespeak.

It’s ok to call them countries, hackers, and intrusions.

Microsoft got hacked by Russian government hackers.


> It’s ok to call them countries, hackers, and intrusions.

It's not if you want to do business in that country. Or if you annoy allies of that country (accusing certain countries might get senators breathing down your neck!). You are accusing a government of committing a crime, or at least a wildly unethical behavior. Those are huge charges. To your point, I wish they could be more direct, but...

> Microsoft got hacked by Russian government hackers.

It is not known whether this hacking group is private, government sponsored, or government run. They could be a private group that takes both private and government contracts.

If they were funded via government channels, who was it? A higher up person using their personal wealth? A specific agency? Multiple agencies?

The reason they are being so vague is because they don't know the answers, and it is very discrediting to throw around incorrect accusations.


>> It is not known whether this hacking group is private, government sponsored, or government run.

Coming from Russia, that's a distinction without a difference.

Sure, private groups can 'freelance', but not without at least tacit permission from the FSB, GRU, and/or SVR (more accurately, can't freelance for long). Especially so for such a high visibility target such as Microsoft.

And when the RU govt issues a denial, it's confirmed.

But still no reason for MS to escalate the wording. They put enough in there that anyone with a clue knows it's serious.


The distinction probably matters to a lot of people at the scale that Microsoft is operating at. They likely worked with some sort of MS US government liaison on the wording.

Operating with tacit approval is not the same as being a government entity. Even you admit there is a small chance that this group is not tacitly approved ("for long"). I mean yeah, we all know the score, but it's a really bad idea to levy heavy charges without knowing the answer 100%.

This statement does pretty heavily implicate the Russian Govt though, yeah :)


This group is also known as CozyBear, if that rings a bell. The US government named them years ago in an announcement kicking out several Russian diplomats. I don’t think anyone is worried about being wrong on this.

https://attack.mitre.org/groups/G0016/


It is government sponsored. It says in the article.

> Microsoft has identified the threat actor as Midnight Blizzard, the Russian state-sponsored actor also known as Nobelium.


But how do they know that it's sponsored by Russia? They saw the paychecks?


They’ve been around for a while and identified by several governments.

“NOBELIUM is an advanced persistent threat group also known as APT29, which is publicly attributed to the Russian government and specifically to the Foreign Intelligence Service of the Russian Federation (SVR)”

https://blogs.blackberry.com/en/2023/03/nobelium-targets-eu-...


It still doesn't answer how they know that: 1) they were hacked by that exact group 2) that group is sponsored by the Russian government.

The only evidence I've seen before in cases like this one was that they found that the hacks happened during Russia's working hours (i.e. Moscow timezone), and that they found some word in Cyrillic in some of the shell scripts. Which is honestly not hard to pull off if you want to hide your true identity. Not saying Russia is not interested in those hacks, but a lot of far-reaching conclusions are often quickly made based on such weak assumptions.


I am not going to go read every MS blog on this group to find the original attribution, but generally it is from reusing infrastructure associated with a government (often even more specifically, a branch of government). IP addresses, correlated email accounts, domains, who they have targeted in the past, code ties between the malware they use, etc. These indicators can be paired with government releases (CISA) or made independently for attribution.

Say some specific infrastructure is used to hack a law firm involved in prosecuting Russia for war crimes in Ukraine. Then that same infra is used to send disinfo targeting Ukrainian groups. Then some distinct malware used in those attacks is also used to wipe machines in the Ukraine conflict. There are full time groups that track these indicators to tie one attack to another and distinguish groups. This group is likely the SVR.
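The indicator-overlap reasoning in the comment above, as an added example that is not part of the thread: constructed incident records (placeholder IPs, domains and hashes, not real IoCs) are linked wherever they share infrastructure or tooling, and transitively connected incidents form one cluster.

```python
"""Cluster incidents by shared indicators (added example, not from the thread).

All incident names and indicator values below are constructed placeholders
(documentation IP ranges, .example domains, dummy hashes), not real IoCs.
"""
from collections import defaultdict
from itertools import combinations

# Constructed incident reports: each maps to the indicators observed in it.
INCIDENTS = {
    "law-firm-intrusion": {"ip:192.0.2.10", "domain:update-check.example",
                           "malware:sha256:aaaa"},
    "disinfo-campaign":   {"ip:192.0.2.10", "email:ops@mailer.example"},
    "wiper-deployment":   {"malware:sha256:aaaa", "domain:cdn-static.example"},
    "unrelated-phish":    {"ip:198.51.100.7", "domain:login-portal.example"},
}

def shared_indicators(incidents):
    """Return {(a, b): shared_set} for every pair of incidents that overlap."""
    links = {}
    for a, b in combinations(sorted(incidents), 2):
        common = incidents[a] & incidents[b]
        if common:
            links[(a, b)] = common
    return links

def cluster(incidents):
    """Group incidents into clusters via transitive indicator overlap
    (connected components of the shared-indicator graph). A single shared
    indicator is weak evidence on its own; analysts weigh how exclusive
    each indicator is before treating a cluster as one actor."""
    adj = defaultdict(set)
    for a, b in shared_indicators(incidents):
        adj[a].add(b)
        adj[b].add(a)
    seen, clusters = set(), []
    for start in sorted(incidents):
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:            # iterative depth-first traversal
            node = stack.pop()
            if node in comp:
                continue
            comp.add(node)
            stack.extend(adj[node] - comp)
        seen |= comp
        clusters.append(frozenset(comp))
    return clusters

if __name__ == "__main__":
    for c in cluster(INCIDENTS):
        print(sorted(c))
```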


The US government publicly named this group as a Russian government tool in a diplomatic announcement kicking out multiple Russian embassy employees in 2021. This is linked as a footnote as the citation for this claim made in the article I shared above.


My summary understanding of this write-up is that a weak password was guessed and allowed entry into an old system that had access to stuff it shouldn't have had access to.


Your summary is also ambiguous. Were they hacked by the Russian CIA equivalent? Were they hacked by people funded by the Russian government? Were they hacked by people funded by senior government officials?

I think it's possible that the truth is a little murky, and capturing that ambiguity is actually clearer than trying to wave it away


> The U.S. Federal Bureau of Investigation (FBI), U.S. Cybersecurity & Infrastructure Security Agency (CISA), U.S. National Security Agency (NSA), Polish Military Counterintelligence Service (SKW), CERT Polska (CERT.PL), and the UK’s National Cyber Security Centre (NCSC) assess Russian Foreign Intelligence Service (SVR) cyber actors—also known as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard

https://www.cisa.gov/topics/cyber-threats-and-advisories/adv...

So, they're "Russian Foreign Intelligence Service (SVR) cyber actors"


I'm guessing that's like saying they are hired by the Russian equivalent of the CIA and following direct orders from top Russian officials?


While the CIA is a US foreign intelligence agency, I'd hesitate to call them equivalent. Hired by as in, employees of, Russian intelligence? Unless my link is inaccurate, yes.


At least for the "Midnight Blizzard" part of the title, it's the result of a naming framework [0] for threat actors that Microsoft has been using since April 2023. I agree it sounds weird.

[0] https://learn.microsoft.com/en-us/microsoft-365/security/int...


The naming framework for these groups isn't even consistent, with every vendor having their own scheme. Midnight Animal to one vendor is Dancing Bear to another and known by Wet Cat to yet another.

They all sound like bad translations to bargain-bin porno movies.


I’m not aware of another company that uses a naming framework.


Crowdstrike. FireEye.


Definitely agree that Crowdstrike's naming veers past what is necessary.

They even draw up supervillain graphics for them.

https://www.crowdstrike.com/adversaries/arcane-kitten/


This is really cool and incredibly stupid.

Like, who is this made to appeal to? Is this meant to make corporate executive browsing for cybersecurity solutions feel like they're in a spy movie?


Cybersecurity professionals, in general, eat this stuff up.


This is wild. Ethereal Panda? Labyrinth Chollima?!

Why are we modelling threat actors/"adversaries" as a video game bestiary? Or meteorological phenomena in the case of MS?


Why not?


per that link: Midnight Blizzard == Cozy Bear[1] who were in the US news.

[1] https://en.wikipedia.org/wiki/Cozy_Bear


It largely boils down to the same reason scientists classify animals into taxonomies. It helps to have a framework for classifying the groups so you can refer back to them in the future.

Going back to my example with taxonomies: Yeah, you got bit by a spider, but exactly which kind of spider bit you? What do we know about those kinds of spiders, e.g. are they known for being venomous or not, does their bite have a well-known reaction in humans, etc.


Because the reality is murky.


Russia hacks, but so do China, North Korea, Iran and Ukraine. They all have bagged large targets. It could be any of them but could be someone else as well.


As do the UK and the USA. Maybe it's Microsoft hacking itself; GPT style.

If so, hello Skynet.


Woah. Easy there. It sounds like you're trying to start a flamewar by singling out Russia. Don't you know that every country does this?! Please preface any accusations against Russia with paragraphs of anti-Western invective. /s


From the same company that charges you to access your logfiles.

https://www.theregister.com/2023/07/20/under_cisa_spressures...


They're actually Microsoft's logfiles, see? You're just licensing them


Seriously? This reads like a joke. They brute forced some tenant test systems.

Fine, I bet the password was Password123!, but then "they used account's permissions" to access various corporate emails. How is that even possible? What does it mean "they used the account's permissions"? Are you telling me there was no privilege separation between a tenant test environment and the internal domain? That the tenant system was not in its own isolated network? This is absolutely insane. Whenever I read stuff like that I wonder if some junior IT employee didn't just buy a new home for cash a few months ago. I'm all for "don't look for malice where incompetence is a sufficient explanation", but that's just a little too much incompetence to be believable.


"Microsoft took advantage of news of this hack to talk about how they are going to move forward to make itself more secure."

https://techcrunch.com/2024/01/19/hackers-breached-microsoft...


I am surprised they had logs for this long. Entra only comes with 30 days of audit logs by default which is utterly insane


Bet it might be because of a combination of compliance and cost. Storing logs at that scale is not cheap


Who cares? a) their logs have 30% of information that is completely useless, maybe they should fix that then b) (especially) if you have a P1/P2 AD license this is just not acceptable, you are paying enough to at least have some decent storage for such a critical piece of information

funny thing - if you have these things in default and someone deletes a user, you won't know who did such action after 30 days (meaning you not only cannot recover the user, but also will not know who performed the action)

edit - as for the compliance, personally not aware of it, but you should be able to at least have a retention policy option for it and since most companies will just put it into a storage account or log analytics I don't think it's a matter of that


> Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold

If people at Microsoft reuse passwords then what can we expect from casual PC users?!


What does the title mean?


I believe “Actions taken by Microsoft following an attack by a group named Midnight Blizzard, who are backed by a nation-state”.


I had to read the title multiple times but couldn't make sense of what is exactly happening.

Why is this happening to English?

The other day, there was a story about an airplane window that melted and many native speakers couldn't make sense of what the title of the story meant.

In that case too, as a non native speaker of English, I blamed myself first for not understanding the language well enough.


The title here matches the title of their blog post, which I agree is poorly worded.


> poorly worded

Or intentionally obfuscated "we were hacked".


MS is a joke at security and they prob have 2000 people in a building doing this stuff too


Swiss cheese security as usual


Now I understand why Microsoft bought Activision Blizzard. So they could fight Midnight Blizzard.


I found $ signs $ in my AI prompt text-box suggesting shell interference while also experiencing buffer overflow in my local windows pc. just a random Dalle3 user in Bing's image creator


this reminds me of guys trying to out-shout each other about who wants to fight the most, in front of a lot of (Ynews) onlookers


Oh god they're russian. That means they're evil!


Just block all traffic from russia :)


takes step over the border and opens laptop


immediately gets caught and extradited to us


“it was Russia, they went thata way!”

this presents no proof, but I’ve read lots of krebs security proof on other exploits and I think it is all very weak

nothing is stopping anybody here from putting breadcrumbs in a payload to point the finger at North Korea or a former Soviet state

This is kind of a silly standard that allows hackers to operate with impunity and companies to avoid accountability and the fbi from not bothering


Depends. If the breadcrumbs are key material which correlates to other known incidents from the same group, or exclusive tooling, or C2 infrastructure, then there is definitely something stopping them from putting breadcrumbs there. They'd have to hack the other group first in order to do so.

I agree with you that seeing evidence would be nice, but I understand that there is the possibility that evidence supporting the claim exists and at the same time cannot be released to the public.


As we've seen, many of the cybersecurity teams have been pwned, so a large part of the breadcrumbs they'd pattern match are already out there. Additionally, if security is poor enough, there can be more than one hacker into a system, which is another way they could accumulate breadcrumbs. This has precedent - there has been malware that uninstalls other malware.


Many? I'm only aware of the Equation group, believed to be the NSA, whose extremely powerful tools were made public.

What other threat actors' internals (and I mean more than chat logs) have been made public?


Why would they have to be made public? They only have to be known to a handful of other nation states.


Because this discussion is about the comment "Nothing is stopping anybody here".

I already conceded in my original response that if you hacked another group first, then yes, you can leave fake breadcrumbs.


My point is that this has already been done. It's not a question of if. Once that's done, these things can spread around.

And I'm also saying you don't necessarily need to hack another group to find their tools.


CIA & GCHQ (Wikileaks).



