Channel: iTWire - Business IT - Networking, Open Source, Security & Tech News

Latest attack on Microsoft much worse than initially disclosed


Microsoft has issued a second post about the attack on its systems by an alleged Russian actor, revealing that the same actor also attacked a number of other organisations, one of which was HPE.

Former Facebook chief security officer Alex Stamos, who has criticised Microsoft for the lack of detail in its first blog post about the attack, said the other companies were compromised using the same flaws in Azure Active Directory.

"Microsoft's language [in the second blog post] plays this up as a big favour they are doing the ecosystem by sharing their 'extensive knowledge of Midnight Blizzard', when, in fact, what they are announcing is that this breach has affected multiple tenants of their cloud products," Stamos said in a LinkedIn post.

Microsoft made its first post about the attack on 19 January, saying that the attackers in question had been in its systems for nearly two months before they had been detected.

This is the second time in recent times that foreign actors have spent long periods within Microsoft's corporate networks without being detected.

In July last year, a breach of Microsoft's Azure cloud led to the compromise of email accounts belonging to the American envoy to Beijing, Nicholas Burns, the assistant secretary of state for East Asia, Daniel Kritenbrink, and US Commerce Secretary Gina Raimondo, among others.

Security experts warned that the effect of the intrusion could be much wider than reported, and could affect applications beyond those claimed by Microsoft to be impacted.

Last November, Microsoft released a blog post claiming the company had put in place what it called a Secure Future Initiative which it described as a "new initiative to pursue our next generation of cybersecurity protection."

British security expert Kevin Beaumont said he had concluded that the reality of everything at Microsoft was too complex. "Lots of MS things ship in risky configurations, nobody (including Microsoft) can figure out how to scale securing it and everything is way too expensive," he said.

"Microsoft’s two biggest commercial security risks are ransomware groups, and /itself/.

"They've gone from saying attackers think in graphs to getting attackers to live on the Microsoft Graph, which has allowed them to monetise their cloud security failures."

Stamos said the second blog post about the latest attack had also provided some clarity about how an attack against a legacy non-production test tenant could lead to accessing the emails of key Microsoft executives.

The post said: "Midnight Blizzard leveraged their initial access to identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment. The actor created additional malicious OAuth applications.

"They created a new user account to grant consent in the Microsoft corporate environment to the actor controlled malicious OAuth applications. The threat actor then used the legacy test OAuth application to grant them the Office 365 Exchange Online full_access_as_app role, which allows access to mailboxes."
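The chain Microsoft describes above leaves two audit-log signals a defender can hunt for: an app-role grant of Exchange Online's full_access_as_app, and an application consent issued by an account that was created only minutes earlier. The script below is an added example (not code from iTWire, Microsoft or Stamos) that runs that triage over a constructed sample; the record layout is a simplified, assumed version of an Entra audit-log export, so map the field names to your own export before use.

```python
import json
from datetime import datetime, timedelta

# Constructed sample, loosely modelled on Microsoft Entra audit-log JSON.
# Field names (activityDisplayName, initiatedBy, props) are an assumption.
SAMPLE_AUDIT = json.loads("""[
 {"activityDateTime":"2024-01-12T09:00:00Z","activityDisplayName":"Add user",
  "initiatedBy":{"user":"admin@corp.example"},"target":"consent-bot@corp.example","props":{}},
 {"activityDateTime":"2024-01-12T09:10:00Z","activityDisplayName":"Consent to application",
  "initiatedBy":{"user":"consent-bot@corp.example"},"target":"mail-sync-helper","props":{"Scope":"Mail.Read"}},
 {"activityDateTime":"2024-01-12T09:20:00Z","activityDisplayName":"Add app role assignment to service principal",
  "initiatedBy":{"app":"legacy-test-app"},"target":"mail-sync-helper","props":{"AppRole.Value":"full_access_as_app"}},
 {"activityDateTime":"2024-01-12T11:00:00Z","activityDisplayName":"Consent to application",
  "initiatedBy":{"user":"hr-admin@corp.example"},"target":"hr-portal","props":{"Scope":"User.Read"}}
]""")

# Application permissions that grant tenant-wide mailbox access; extend per your environment.
SENSITIVE_APP_ROLES = {"full_access_as_app"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def triage(records, new_account_window=timedelta(hours=24)):
    """Flag (a) grants of sensitive app roles and (b) consents by freshly created users."""
    created_at = {r["target"]: _ts(r["activityDateTime"])
                  for r in records if r["activityDisplayName"] == "Add user"}
    findings = []
    for r in records:
        when, act = _ts(r["activityDateTime"]), r["activityDisplayName"]
        actor = r["initiatedBy"].get("user") or r["initiatedBy"].get("app")
        role = r["props"].get("AppRole.Value")
        if act == "Add app role assignment to service principal" and role in SENSITIVE_APP_ROLES:
            findings.append({"severity": "high", "actor": actor, "target": r["target"],
                             "reason": f"{role} granted: tenant-wide mailbox access"})
        elif act == "Consent to application" and actor in created_at \
                and when - created_at[actor] <= new_account_window:
            age_min = (when - created_at[actor]).seconds // 60
            findings.append({"severity": "high", "actor": actor, "target": r["target"],
                             "reason": f"consent granted by account created {age_min} min earlier"})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_AUDIT):
        print(finding)
```

The benign hr-portal consent by a long-standing admin is not flagged, which is the point: the signal is the combination of who consented and what the app was subsequently granted, not consent events on their own.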

Stamos said AzureAD was overly complex, and lacked an interface that allowed administrators to easily understand the web of security relationships and dependencies that attackers were becoming accustomed to exploiting.

"In many organisations, AzureAD is deployed in hybrid mode, which combines the vulnerability of cloud (external password sprays) and on-premise (NTLM, mimikatz) identity technologies in a combination that smart attackers utilize to bounce between domains, escalate privilege and establish persistence," he explained.

"Calling this a 'legacy' tenant is a dodge; this system was clearly configured to allow for production access as of a couple of weeks ago, and Microsoft has an obligation to secure their legacy products and tenants just as well as ones provisioned today.

"It's not clear what they mean by 'legacy', but whatever Microsoft's definition it is likely to be representative of how thousands of their customers are utilizing their products."

He also accused Microsoft of using its own security flaws to upsell, citing three sentences from the second blog as evidence.

"These sentences in the blog post deserve a nomination to the Cybersecurity Chutzpah Hall of Fame, as Microsoft recommends that potential victims of this attack against their cloud-hosted infrastructure," Stamos wrote.

The sentences he cited were:

  • "Detect, investigate, and remediate identity-based attacks using solutions like Microsoft Entra ID Protection;
  • "Investigate compromised accounts using Microsoft Purview Audit (Premium); and
  • "Enforce on-premises Microsoft Entra Password Protection for Microsoft Active Directory Domain Services."

Stamos said Microsoft was using the blog post as a means of upselling customers on their security products, "which are apparently necessary to run their identity and collaboration products safely!

"This is morally indefensible, just as it would be for car companies to charge for seat belts or airplane manufacturers to charge for properly tightened bolts," he added.
