@GossiTheDog @alex -- I don't think this was from: Spraying M365 Mailbox accounts... Reading between those lines, "Non-Prod-Test-Tenant Account" sounds a whole lot more like a "Service Account/Machine Account" used for a proof-of-concept tool/service; automation accounts aren't going to have MFA.
There are a great many different services/tools that are granted delegated access to various different things, email being accessed sounds to me that perhaps it was an automation service meant to trigger actions based on access to mail content/interaction.
Microsoft made a catalogue of errors in how they configured and secured their Microsoft 365 tenants. It is not a Microsoft product defect issue; they directly sell the governance products and services to stop this kind of thing.
@GossiTheDog One note.. the article mentions a small number of accounts but then it says this: "Midnight Blizzard's use of residential proxies to obfuscate connections makes traditional indicators of compromise (IOC)-based detection infeasible due to the high changeover rate of IP addresses." So they saw failed logins from a large number of IP addresses for a small number of users and they didn't think to investigate that?
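The detection the post above is asking about can be built without any IP indicators at all: pivot on the target account instead of the source address and count how many distinct IPs each account fails from. The script below is an added example, not from the thread or from Microsoft; the sign-in lines are constructed for illustration, and the field layout (timestamp, user, source IP, result) is an assumption standing in for a real Entra ID sign-in log export.

```python
"""Spot password spraying that hides behind rotating residential proxies.

Added example. Attacker IPs that rotate every few requests are useless as
IoCs, so this pivots on the account: for each user it counts failed sign-ins
and the number of distinct source addresses. A handful of accounts each
failing from many different IPs is the shape of a low-and-slow spray.
Log lines below are constructed; a real feed would be Entra ID sign-in logs
(status.errorCode != 0 marks a failure there).
"""
from collections import defaultdict

# Constructed sample: timestamp, user, source IP, result (one sign-in per line)
SIGNIN_LOG = """\
2024-01-10T02:00:01Z test-tenant-svc@example.com 203.0.113.10 FAIL
2024-01-10T02:03:11Z test-tenant-svc@example.com 198.51.100.77 FAIL
2024-01-10T02:07:45Z test-tenant-svc@example.com 203.0.113.200 FAIL
2024-01-10T02:12:02Z test-tenant-svc@example.com 192.0.2.33 FAIL
2024-01-10T02:15:30Z test-tenant-svc@example.com 198.51.100.9 SUCCESS
2024-01-10T02:01:00Z alice@example.com 192.0.2.50 FAIL
2024-01-10T02:01:30Z alice@example.com 192.0.2.50 FAIL
2024-01-10T02:02:00Z alice@example.com 192.0.2.50 SUCCESS
2024-01-10T02:05:00Z bob@example.com 203.0.113.77 FAIL
"""


def parse(lines):
    """Yield (timestamp, user, ip, result) tuples from the whitespace-separated log."""
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        yield ts, user, ip, result


def flag_sprayed_accounts(lines, min_failures=3, min_distinct_ips=3):
    """Return {user: (failure_count, distinct_ip_count)} for accounts that
    failed at least min_failures times from at least min_distinct_ips addresses.

    A user mistyping a password fails repeatedly from ONE address, so alice is
    not flagged; an account sprayed through a proxy pool fails from many.
    """
    fails = defaultdict(int)
    ips = defaultdict(set)
    for _, user, ip, result in parse(lines):
        if result == "FAIL":
            fails[user] += 1
            ips[user].add(ip)
    return {
        u: (fails[u], len(ips[u]))
        for u in fails
        if fails[u] >= min_failures and len(ips[u]) >= min_distinct_ips
    }


def sprayed_then_succeeded(lines, flagged):
    """Of the flagged accounts, return those that also have a SUCCESS entry.

    Those are the ones to treat as likely compromised and review first.
    """
    return sorted({u for _, u, _, r in parse(lines) if u in flagged and r == "SUCCESS"})


if __name__ == "__main__":
    flagged = flag_sprayed_accounts(SIGNIN_LOG)
    for user, (n_fail, n_ip) in flagged.items():
        print(f"SPRAY? {user}: {n_fail} failures from {n_ip} distinct IPs")
    for user in sprayed_then_succeeded(SIGNIN_LOG, flagged):
        print(f"REVIEW NOW: {user} was sprayed and then signed in successfully")
```

The thresholds are deliberately low so the constructed sample trips them; in production you would tune `min_failures` and `min_distinct_ips` per tenant and run the aggregation over a sliding window rather than the whole log.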
Not mentioned in the blog - to grant OAuth access to read all mailboxes (as happened here), you need to be the tenant admin. There's not a vuln being used here, as Microsoft would have mentioned it for sure - so somebody made a pretty big config error in production to allow a test tenant app to be used to grant *checks notes* reading of any mailbox.
@GossiTheDog If that is true then my question would be how did the actor determine what accounts to spray? info leaking? If they were focusing on a handful of accounts they must have already known which ones had the golden ticket.
"Threat actors like Midnight Blizzard compromise user accounts to create, modify, and grant high permissions to OAuth applications that they can misuse to hide malicious activity. The misuse of OAuth also enables threat actors to maintain access to applications, even if they lose access to the initially compromised account. Midnight Blizzard leveraged their initial access to identify and compromise a LEGACY TEST OAUTH APPLICATION THAT HAD ELEVATED ACCESS TO THE MICROSOFT CORPORATE ENVIRONMENT. The actor created additional malicious OAuth applications. They created a new user account to grant consent in the Microsoft corporate environment to the actor controlled malicious OAuth applications. THE THREAT ACTOR THEN USED THE LEGACY TEST OAUTH APPLICATION TO GRANT THEM THE OFFICE 365 EXCHANGE ONLINE FULL_ACCESS_AS_APP ROLE, WHICH ALLOWS ACCESS TO MAILBOXES."
Or does being the tenant admin go beyond the above? If it does, can you or someone explain how?
I found this image floating around on that wretched bird site. Am I interpreting it wrong or does it indicate there's a way to allow non-admins to read all inboxes? If not, can you show me an appropriate screenshot? (No need for the screenshot if too much of a hassle. Just an answer will suffice.)
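The exchange above turns on one fact: an application that has been granted the Exchange Online `full_access_as_app` application role can read every mailbox in the tenant, regardless of which user (if any) is signed in. The defender's question is therefore "which apps in my tenant hold that role?". The script below is an added example, not from the thread or from Microsoft. It joins two objects of the shape Microsoft Graph returns (the resource service principal's `appRoles` list, and the `appRoleAssignment` records from `/servicePrincipals/{id}/appRoleAssignedTo`) and reports every application holding a high-risk role. All ids and display names in it are constructed placeholders; in a real tenant you would fetch both objects with an audit-scoped token.

```python
"""List OAuth applications holding app-only full mailbox access.

Added example. Joins a resource service principal's appRoles (id -> value)
with the appRoleAssignment objects that target it, then flags assignments
whose role value is on the high-risk list. The objects mirror the shape of
Microsoft Graph's servicePrincipal.appRoles and appRoleAssignment resources;
every id, name and value below is a constructed placeholder.
"""

# Constructed: a trimmed copy of the Exchange Online service principal.
EXCHANGE_SP = {
    "id": "sp-exchange-0001",                    # placeholder object id
    "displayName": "Office 365 Exchange Online",
    "appRoles": [
        {"id": "role-0001", "value": "full_access_as_app",
         "displayName": "Use Exchange Web Services with full access to all mailboxes"},
        {"id": "role-0002", "value": "Mail.Read",
         "displayName": "Read mail in all mailboxes"},
    ],
}

# Constructed: what /servicePrincipals/sp-exchange-0001/appRoleAssignedTo might return.
ASSIGNMENTS = [
    {"appRoleId": "role-0001", "principalId": "sp-legacy-test-app",
     "principalDisplayName": "Legacy Test App", "resourceId": "sp-exchange-0001"},
    {"appRoleId": "role-0002", "principalId": "sp-ticketing",
     "principalDisplayName": "Ticketing Automation", "resourceId": "sp-exchange-0001"},
    {"appRoleId": "role-0001", "principalId": "sp-new-app",
     "principalDisplayName": "Sync Helper", "resourceId": "sp-exchange-0001"},
    # An assignment on some other resource API must be ignored, not misread.
    {"appRoleId": "role-0001", "principalId": "sp-unrelated",
     "principalDisplayName": "Unrelated App", "resourceId": "sp-other-api"},
]

# Application roles that grant tenant-wide mailbox access without a signed-in user.
HIGH_RISK_ROLES = {"full_access_as_app", "Mail.ReadWrite", "Mail.Read"}
CRITICAL_ROLES = {"full_access_as_app"}


def find_risky_grants(resource_sp, assignments, risky=HIGH_RISK_ROLES):
    """Return a sorted list of (principalDisplayName, role value) for every
    assignment of a risky role on resource_sp.

    Unknown appRoleIds are reported as '<unknown role>' rather than dropped,
    because a role the current appRoles list does not describe is itself
    worth a look.
    """
    role_by_id = {r["id"]: r["value"] for r in resource_sp["appRoles"]}
    hits = []
    for a in assignments:
        if a["resourceId"] != resource_sp["id"]:
            continue  # grant is on a different resource API
        value = role_by_id.get(a["appRoleId"], "<unknown role>")
        if value in risky or value == "<unknown role>":
            hits.append((a["principalDisplayName"], value))
    return sorted(hits)


def critical_principals(resource_sp, assignments):
    """Just the application names that hold a CRITICAL role (full mailbox access)."""
    return sorted({name for name, role in find_risky_grants(resource_sp, assignments)
                   if role in CRITICAL_ROLES})


if __name__ == "__main__":
    for name, role in find_risky_grants(EXCHANGE_SP, ASSIGNMENTS):
        print(f"REVIEW: application '{name}' holds '{role}' on Exchange Online")
    print("Full mailbox access:", critical_principals(EXCHANGE_SP, ASSIGNMENTS))
```

Matching on the role's `value` rather than its GUID keeps the check readable and portable across tenants; the point of the list is that any entry in it needs a documented owner and a reason to exist, and a "legacy test" app that no one can name is exactly the entry to remove.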
Washington Post say more than 10 more companies (so far) have been caught in the Microsoft 365 Exchange Online data breach situation and are expected to disclose publicly. https://wapo.st/47Qi3yC
Worth noting - there’s no evidence the breach of Microsoft’s Microsoft 365 Exchange Online tenant is the cause of the wave of breaches of Microsoft’s customers Microsoft 365 Exchange Online tenants. (Try saying that ten times).
What I mean by that is Microsoft misconfigured their corporate setup.. and their customers have other similar issues, based on evidence so far.
OAuth and AD app permissions are an absolute clusterfuck and the defaults and AppCompat probably need reviewing at MS end.
It’s not just that use case. Smart attackers are not thinking in graphs, they’re living off Microsoft Graph. You can avoid alerting. It’s not just Russia.
@GossiTheDog @alex How are people just now coming to the conclusion that the company that sells burning buildings shouldn't also sell 20oz bottles of water?
@GossiTheDog I heard an argument at a conference that implied that Azure and the services that run on top of it haven't been shut down by threat actors because of how useful it is to them. So essentially the only reason it still exists is because it's so insecure.
Got fancy Microsoft E5 licensing? Prepare to keep paying more and more as basic product features arrive and get placed into new premium offerings as SMBs drown.. as Microsoft have got to keep profits top right.
- Reality is everything is way too complex
- lots of MS things ship in risky configurations
- nobody (including Microsoft) can figure out how to scale securing it
- everything is way too expensive
Microsoft’s two biggest commercial security risks are ransomware groups, and /itself/.
They've gone from saying attackers think in graphs to getting attackers to live on the Microsoft Graph, which has allowed them to monetise their cloud security failures.
@GossiTheDog this stuff has gotten out of hand. Capitalism is great, but at what overall expense.
I hate bureaucratic regulations, but it seems like some form of regulation is needed here.
I mean come on, would you buy a car today where it costs extra for bumpers, seatbelts, and airbags? This wouldn’t even be permitted. They’re standard safety requirements.
I think we need some form of minimum “safety” requirements to keep us all safer online.
@GossiTheDog the overlapping products and massive web of complexity is really a big issue. We thought we were enforcing MFA but weren't because we didn't check one box in a sub menu under a different product that we're not even licensed for.
Something I think lost in the M365 thing - I think it's a great blog on technical indicators, and MS should be applauded for disclosing.
But also, recent changes in regulation at the SEC forced disclosure in the first place.
This isn't Microsoft's first rodeo - it's just one of the few times you get to know about it.
MS will probably go through a few years of pain with repeat public incidents like this, but ultimately they will be healthier for it - and so will their customers as a result.
Update on the Microsoft 365 hack - Russia has used the exfiltrated data to push further into Microsoft’s network: “In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access. This has included access to some of the company’s source code repositories and internal systems.”
An important bit: “Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures.” #threatintel
The US Federal government is apparently impacted by the Russian hack of Microsoft 365 Exchange Online (not to be confused with the Chinese hack of Microsoft 365 currently in the headlines). CISA has held private briefings. https://cyberscoop.com/federal-government-russian-breach-microsoft/
Microsoft and CISA now say that the Russian data breach of Microsoft 365 a few months ago against MS cyber staff emails also resulted in the theft of US Federal Agency emails.