Midnight Blizzard / Cozy Bear makes it look easy (and makes Microsoft look insecure).

Microsoft has been forced to disclose it was hacked by the Russian state. The hackers were inside Redmond’s network for a month and a half.

Putin’s goons got in easily, by spraying passwords at a test server until they succeeded—which really shouldn’t be possible. Then they pivoted to the production environment—which really shouldn’t be possible.

The obvious conclusion? Microsoft cloud security sucks. In today’s SB Blogwatch, we eyeroll furiously.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Magnet vs. Levitating.

AKA APT29

What’s the craic? Frank Bajak reports—“Russian hackers accessed emails of senior leadership”:

“Password spraying”
State-backed Russian hackers broke into Microsoft’s corporate email system and accessed the accounts of members of the company’s leadership team, as well as those of employees on its cybersecurity and legal teams. … The intrusion began in late November and was discovered on Jan. 12.
…
Hackers from Russia’s SVR foreign intelligence agency used [a] brute-force attack technique … called “password spraying.” … Microsoft calls the hacking unit Midnight Blizzard … the same highly skilled Russian hacking team behind the SolarWinds breach. … Prior to revamping its threat-actor nomenclature last year, it called the group Nobelium. The cybersecurity firm Mandiant, owned by Google, calls the group Cozy Bear.

Why? Lorenzo Franceschi-Bicchierai explains—“Hackers breached Microsoft to find out what Microsoft knows about them”:

“SolarWinds”
Wouldn’t you want to know what tech giants know about you? That’s exactly what Russian government hackers want, too. [They] didn’t go after customer data, or the traditional corporate information they may have normally gone after. They wanted to know more about themselves, or more specifically, they wanted to know what Microsoft knows about them.
…
APT29, or Cozy Bear, is widely believed to be a Russian hacking group responsible for a series of high-profile attacks, such as those against SolarWinds in 2019, the Democratic National Committee in 2015, and many more.

Horse’s mouth? Satya’s PR flaks flick the keys—“Microsoft Actions Following Attack”:

“Additional details”
Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold. … This attack does highlight the continued risk posed to all organizations from well-resourced nation-state threat actors. … This incident has highlighted the urgent need to move … faster.
…
We are continuing our investigation and will take additional actions based on the outcomes. [We] will continue working with law enforcement and appropriate regulators. … We will provide additional details as appropriate.

So much PR waffle. Trust yborg for a snarky translation:

And why would PR peeps obfuscate like that? Here’s gweihir:

They are just trying to confuse the issue. The simple fact is that … their executives got hacked because of abysmally bad security of their cloud offering.
…
MS security sucks. MS cloud security sucks so badly, it is not funny anymore. Why would anybody in their right mind use a product this exceptionally bad?

Yikes. Too harsh? h_b_s can only agree:

It’s clear to me Microsoft is no better at securing their own networks and systems than anyone else, given the same access to documentation and expertise. That being the case it becomes clearly evident that forcing people off on-prem services isn’t about security. It’s about Microsoft monetizing data and artificially inflating their Azure cloud numbers.

Let’s dive deeper. fuzzyfuzzyfungus figures the FAIL:

I’m having a little trouble wrapping my head around the “legacy non-production test tenant account” thing. Sure, everyone’s got some **** in a broom closet somewhere that doesn’t bear looking at, [but] it would have been generating authentication and mailbox access activity in a production tenant. … Isolation between tenants is supposed to be really strong.
…
Unless there’s something MS should really be telling us yesterday about the actual state of default separation between tenants, you shouldn’t just be able to move laterally between them without both sides having been configured to allow that—and both sides seeing your activity. … It honestly feels a lot more damning than the classic ‘server inside the firewall got forgotten about during project/org reshuffles, oops’ case.

Meanwhile, utdoctor mashes Underpants Gnomes with Captain Phillips:

1. Password spray.
2. Access non-prod environment.
3. ???
4. “Look at me, look at me. I am the CEO now.”

And Finally:

Magnitating

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Geraldine le Meur (cc:by; leveled and cropped)