Feb 16, 2024NewsroomCybersecurity / Data Breach

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has revealed that an unnamed state government organization’s network environment was compromised via an administrator account belonging to a former employee.

“This allowed the threat actor to successfully authenticate to an internal virtual private network (VPN) access point,” the agency said in a joint advisory published Thursday alongside the Multi-State Information Sharing and Analysis Center (MS-ISAC).

“The threat actor connected to the [virtual machine] through the victim’s VPN with the intent to blend in with legitimate traffic to evade detection.”

It’s suspected that the threat actor obtained the credentials following a separate data breach owing to the fact that the credentials appeared in publicly available channels containing leaked account information.

The admin account, which had access to a virtualized SharePoint server, also enabled the attackers to access another set of credentials stored in the server, which had administrative privileges to both the on-premises network and the Azure Active Directory (now called Microsoft Entra ID).

This further made it possible to explore the victim’s on-premises environment, and execute various lightweight directory access protocol (LDAP) queries against a domain controller. The attackers behind the malicious activity are presently unknown.

A deeper investigation into the incident has revealed no evidence that the adversary moved laterally from the on-premises environment to the Azure cloud infrastructure.

The attackers ultimately accessed host and user information and posted the information on the dark web for likely financial gain, the bulletin noted, prompting the organization to reset passwords for all users, disable the administrator account as well as remove the elevated privileges for the second account.

It’s worth pointing out that neither of the two accounts had multi-factor authentication (MFA) enabled, underscoring the need for securing privileged accounts that grant access to critical systems. It’s also recommended to implement the principle of least privilege and create separate administrator accounts to segment access to on-premises and cloud environments.

The development is a sign that threat actors leverage valid accounts, including those belonging to former employees that have not been properly removed from the Active Directory (AD), to gain unauthorized access to organizations.

“Unnecessary accounts, software, and services in the network create additional vectors for a threat actor to compromise,” the agencies said.

“By default, in Azure AD all users can register and manage all aspects of applications they create. These default settings can enable a threat actor to access sensitive information and move laterally in the network. In addition, users who create an Azure AD automatically become the Global Administrator for that tenant. This could allow a threat actor to escalate privileges to execute malicious actions.”

Jan 20, 2024NewsroomCyber Espionage / Emails Security

Microsoft on Friday revealed that it was the target of a nation-state attack on its corporate systems that resulted in the theft of emails and attachments from senior executives and other individuals in the company’s cybersecurity and legal departments.

The Windows maker attributed the attack to a Russian advanced persistent threat (APT) group it tracks as Midnight Blizzard (formerly Nobelium), which is also known as APT29, BlueBravo, Cloaked Ursa, Cozy Bear, and The Dukes.

It further said that it immediately took steps to investigate, disrupt, and mitigate the malicious activity upon discovery on January 12, 2024. The campaign is estimated to have commenced in late November 2023.

“The threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents,” Microsoft said.

Redmond said the nature of the targeting indicates the threat actors were looking to access information related to themselves. It also emphasized that the attack was not the result of any security vulnerability in its products and that there is no evidence that the adversary accessed customer environments, production systems, source code, or AI systems.

The computing giant, however, did not disclose how many email accounts were infiltrated, and what information was accessed, but said it was the process of notifying employees who were impacted as a result of the incident.

The hacking outfit, which was previously responsible for the high-profile SolarWinds supply chain compromise, has singled out Microsoft twice, once in December 2020 to siphon source code related to Azure, Intune, and Exchange components, and a second time breaching three of its customers in June 2021 via password spraying and brute-force attacks.

“This attack does highlight the continued risk posed to all organizations from well-resourced nation-state threat actors like Midnight Blizzard,” the Microsoft Security Response Center (MSRC) said.