Mar 25, 2024The Hacker NewsData Breach / Password Security

In January 2024, Microsoft discovered they’d been the victim of a hack orchestrated by Russian-state hackers Midnight Blizzard (sometimes known as Nobelium). The concerning detail about this case is how easy it was to breach the software giant. It wasn’t a highly technical hack that exploited a zero-day vulnerability – the hackers used a simple password spray attack to take control of an old, inactive account. This serves as a stark reminder of the importance of password security and why organizations need to protect every user account.

Password spraying: A simple yet effective attack

The hackers gained entry by using a password spray attack in November 2023, Password spraying is a relatively simple brute force technique that involves trying the same password against multiple accounts. By bombarding user accounts with known weak and compromised passwords, the attackers were able to gain access to a legacy non-production test account within the Microsoft system which provided them with an initial foothold in the environment. This account either had unusual privileges or the hackers escalated them.

The attack lasted for as long as seven weeks, during which the hackers exfiltrated emails and attached documents. This data compromised a ‘very small percentage’ of corporate email accounts, including those belonging to senior leadership and employees in the Cybersecurity and Legal teams. Microsoft’s Security team detected the hack on January 12th and took immediate action to disrupt the hackers’ activities and deny them further access.

However, the fact that the hackers were able to access such sensitive internal information highlights the potential damage that can be caused by compromising even seemingly insignificant accounts. All attackers need is an initial foothold within your organization.

The importance of protecting all accounts

While organizations often prioritize the protection of privileged accounts, the attack on Microsoft demonstrates that every user account is a potential entry point for attackers. Privilege escalation means that attackers can achieve their goals without necessarily needing a highly privileged admin account as an entry point.

Protecting an inactive low-privileged account is just as crucial as safeguarding a high-privileged admin account for several reasons. First, attackers often target these overlooked accounts as potential entry points into a network. Inactive accounts are more likely to have weak or outdated passwords, making them easier targets for brute force attacks. Once compromised, attackers can use these accounts to move laterally within the network, escalating their privileges and accessing sensitive information.

Second, inactive accounts are often neglected in terms of security measures, making them attractive targets for hackers. Organizations may overlook implementing strong password policies or multi-factor authentication for these accounts, leaving them vulnerable to exploitation. From an attacker’s perspective, even low-privileged accounts can provide valuable access to certain systems or data within an organization.

Defend against password spray attacks

The Microsoft hack serves as a wake-up call for organizations to prioritize the security of every user account. It highlights the critical need for robust password protection measures across all accounts, regardless of their perceived significance. By implementing strong password policies, enabling multi-factor authentication, conducting regular Active Directory audits, and continuously scanning for compromised passwords, organizations can significantly reduce the risk of being caught out in the same way.

1. Active Directory auditing: Conducting regular audits of Active Directory can provide visibility into unused and inactive accounts, as well as other password-related vulnerabilities. Audits provide a valuable snapshot of your Active Directory but should always be complemented by ongoing risk mitigation efforts. If you’re lacking visibility into your organization’s inactive and stale user accounts, consider running a read-only audit with our free auditing tool that gives an interactive exportable report: Specops Password Auditor.
2. Robust password policies: Organizations should enforce strong password policies that block weak passwords, such as common terms or keyboard walks like ‘qwerty’ or ‘123456.’ Implementing long, unique passwords or passphrases is a strong defense against brute-force attacks. Custom dictionaries that block terms related to the organization and industry should also be included.
3. Multi-factor authentication (MFA): Enabling MFA adds an authentication roadblock for hackers to overcome. MFA serves as an important layer of defense, although it’s worth remembering that MFA isn’t foolproof. It needs to be combined with strong password security.
4. Compromised password scans: Even strong passwords can become compromised if end users reuse them on personal devices, sites, or applications with weak security. Implementing tools to continuously scan your Active Directory for compromised passwords can help identify and mitigate potential risks.

Continuously shut down attack routes for hackers

The Microsoft hack underscores the need for organizations to implement robust password protection measures across all accounts. A secure password policy is essential, ensuring that all accounts, including legacy, non-production, and testing accounts, aren’t overlooked. Additionally, blocking known compromised credentials adds an extra layer of protection against active attacks.

Specops Password Policy with Breached Password Protection offers automated, ongoing protection for your Active Directory. It protects your end users against the use of more than 4 billion unique known compromised passwords, including data from both known leaks as well as our own honeypot system that collects passwords being used in real password spray attacks.

The daily update of the Breached Password Protection API, paired with continuous scans for the use of those passwords in your network, equals a much more comprehensive defense against the threat of password attack and the risk of password reuse. Speak to expert today to find out how Specops Password Policy could fit in with your organization.

Mar 13, 2024NewsroomPatch Tuesday / Software Update

Microsoft on Tuesday released its monthly security update, addressing 61 different security flaws spanning its software, including two critical issues impacting Windows Hyper-V that could lead to denial-of-service (DoS) and remote code execution.

Of the 61 vulnerabilities, two are rated Critical, 58 are rated Important, and one is rated Low in severity. None of the flaws are listed as publicly known or under active attack at the time of the release, but six of them have been tagged with an “Exploitation More Likely” assessment.

The fixes are in addition to 17 security flaws that have been patched in the company’s Chromium-based Edge browser since the release of the February 2024 Patch Tuesday updates.

Topping the list of critical shortcomings are CVE-2024-21407 and CVE-2024-21408, which affect Hyper-V and could result in remote code execution and a DoS condition, respectively.

Microsoft’s update also addresses privilege escalation flaws in the Azure Kubernetes Service Confidential Container (CVE-2024-21400, CVSS score: 9.0), Windows Composite Image File System (CVE-2024-26170, CVSS score: 7.8), and Authenticator (CVE-2024-21390, CVSS score: 7.1).

Successful exploitation of CVE-2024-21390 requires the attacker to have a local presence on the device either via malware or a malicious application already installed via some other means. It also necessitates that the victim closes and re-opens the Authenticator app.

“Exploitation of this vulnerability could allow an attacker to gain access to multi-factor authentication codes for the victim’s accounts, as well as modify or delete accounts in the authenticator app but not prevent the app from launching or running,” Microsoft said in an advisory.

“While exploitation of this flaw is considered less likely, we know that attackers are keen to find ways to bypass multi-factor authentication,” Satnam Narang, senior staff research engineer at Tenable, said in a statement shared with The Hacker News.

“Having access to a target device is bad enough as they can monitor keystrokes, steal data and redirect users to phishing websites, but if the goal is to remain stealth, they could maintain this access and steal multi-factor authentication codes in order to login to sensitive accounts, steal data or hijack the accounts altogether by changing passwords and replacing the multi-factor authentication device, effectively locking the user out of their accounts.”

Another vulnerability of note is a privilege escalation bug in the Print Spooler component (CVE-2024-21433, CVSS score: 7.0) that could permit an attacker to obtain SYSTEM privileges but only upon winning a race condition.

The update also plugs a remote code execution flaw in Exchange Server (CVE-2024-26198, CVSS score: 8.8) that an unauthenticated threat actor could abuse by placing a specially crafted file onto an online directory and tricking a victim into opening it, resulting in the execution of malicious DLL files.

The vulnerability with the highest CVSS rating is CVE-2024-21334 (CVSS score: 9.8), which concerns a case of remote code execution affecting the Open Management Infrastructure (OMI).

“A remote unauthenticated attacker could access the OMI instance from the Internet and send specially crafted requests to trigger a use-after-free vulnerability,” Redmond said.

“The first quarter of Patch Tuesday in 2024 has been quieter compared to the last four years,” Narang said. “On average, there were 237 CVEs patched in the first quarter from 2020 through 2023. In the first quarter of 2024, Microsoft only patched 181 CVEs. The average number of CVEs patched in March over the last four years was 86.”

Software Patches from Other Vendors

In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —

Jan 20, 2024NewsroomCyber Espionage / Emails Security

Microsoft on Friday revealed that it was the target of a nation-state attack on its corporate systems that resulted in the theft of emails and attachments from senior executives and other individuals in the company’s cybersecurity and legal departments.

The Windows maker attributed the attack to a Russian advanced persistent threat (APT) group it tracks as Midnight Blizzard (formerly Nobelium), which is also known as APT29, BlueBravo, Cloaked Ursa, Cozy Bear, and The Dukes.

It further said that it immediately took steps to investigate, disrupt, and mitigate the malicious activity upon discovery on January 12, 2024. The campaign is estimated to have commenced in late November 2023.

“The threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents,” Microsoft said.

Redmond said the nature of the targeting indicates the threat actors were looking to access information related to themselves. It also emphasized that the attack was not the result of any security vulnerability in its products and that there is no evidence that the adversary accessed customer environments, production systems, source code, or AI systems.

The computing giant, however, did not disclose how many email accounts were infiltrated, and what information was accessed, but said it was the process of notifying employees who were impacted as a result of the incident.

The hacking outfit, which was previously responsible for the high-profile SolarWinds supply chain compromise, has singled out Microsoft twice, once in December 2020 to siphon source code related to Azure, Intune, and Exchange components, and a second time breaching three of its customers in June 2021 via password spraying and brute-force attacks.

“This attack does highlight the continued risk posed to all organizations from well-resourced nation-state threat actors like Midnight Blizzard,” the Microsoft Security Response Center (MSRC) said.

Jan 10, 2024NewsroomVulnerability / Windows Security

Microsoft has addressed a total of 48 security flaws spanning its software as part of its Patch Tuesday updates for January 2024.

Of the 48 bugs, two are rated Critical and 46 are rated Important in severity. There is no evidence that any of the issues are publicly known or under active attack at the time of release, making it the second consecutive Patch Tuesday with no zero-days.

The fixes are in addition to nine security vulnerabilities that have been resolved in the Chromium-based Edge browser since the release of December 2023 Patch Tuesday updates. This also includes a fix for a zero-day (CVE-2023-7024, CVSS score: 8.8) that Google said has been actively exploited in the wild.

The most critical among flaws patched this month are as follows –

• CVE-2024-20674 (CVSS score: 9.0) – Windows Kerberos Security Feature Bypass Vulnerability
• CVE-2024-20700 (CVSS score: 7.5) – Windows Hyper-V Remote Code Execution Vulnerability

“The authentication feature could be bypassed as this vulnerability allows impersonation,” Microsoft said in an advisory for CVE-2024-20674.

“An authenticated attacker could exploit this vulnerability by establishing a machine-in-the-middle (MitM) attack or other local network spoofing technique, then sending a malicious Kerberos message to the client victim machine to spoof itself as the Kerberos authentication server.”

However, the company noted that successful exploitation requires an attacker to gain access to the restricted network first. Security researcher ldwilmore34 has been credited with discovering and reporting the flaw.

CVE-2024-20700, on the other hand, neither requires authentication nor user interaction to achieve remote code execution, although winning a race condition is a prerequisite to staging an attack.

“It isn’t clear exactly where the attacker must be located — the LAN on which the hypervisor resides, or a virtual network created and managed by the hypervisor — or in what context the remote code execution would occur,” Adam Barnett, lead software engineer at Rapid7, told The Hacker News.

Other notable flaws include CVE-2024-20653 (CVSS score: 7.8), a privilege escalation flaw impacting the Common Log File System (CLFS) driver, and CVE-2024-0056 (CVSS score: 8.7), a security bypass affecting System.Data.SqlClient and Microsoft.Data.SqlClient.

“An attacker who successfully exploited this vulnerability could carry out a machine-in-the-middle (MitM) attack and could decrypt and read or modify TLS traffic between the client and server,” Redmond said.

Microsoft further noted that it’s disabling the ability to insert FBX files in Word, Excel, PowerPoint, and Outlook in Windows by default due to a security flaw (CVE-2024-20677, CVSS score: 7.8) that could lead to remote code execution.

“3D models in Office documents that were previously inserted from an FBX file will continue to work as expected unless the ‘Link to File’ option was chosen at the insert time,” Microsoft said in a separate alert. “GLB (Binary GL Transmission Format) is the recommended substitute 3D file format for use in Office.”

It’s worth noting that Microsoft took a similar step of disabling the SketchUp (SKP) file format in Office following ZScaler’s discovery of 117 security flaws in Microsoft 365 applications.

Software Patches from Other Vendors

In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including –