Cybersecurity

Microsoft Discloses Cyberattack by Midnight Blizzard, Swiss Data Breach Reported

Microsoft recently disclosed a cyberattack by the Kremlin-backed threat actor Midnight Blizzard, resulting in the theft of authentication secrets and prompting the company to advise customers to implement multi-factor authentication as a preventive measure.

At a glance

  • Microsoft fell victim to a cyberattack by the Kremlin-backed threat actor Midnight Blizzard in January 2024.
  • Midnight Blizzard gained access to Microsoft’s source code repositories and internal systems through a breach.
  • Microsoft is conducting an investigation to determine the full extent of the breach, which started in November 2023.
  • Midnight Blizzard’s breach of Microsoft involved the theft of authentication secrets, prompting the company to advise implementing multi-factor authentication.
  • The National Cyber Security Centre of Switzerland reported a data breach at Xplain caused by the Play ransomware gang, resulting in the exposure of sensitive government files.

The details

Microsoft, a major technology company, recently disclosed that it fell victim to a cyberattack orchestrated by the Kremlin-backed threat actor known as Midnight Blizzard.

This attack, which occurred in January 2024, resulted in Midnight Blizzard gaining access to Microsoft’s source code repositories and internal systems.

The threat actors utilized information obtained from Microsoft’s corporate email systems to gain unauthorized access, although no evidence of compromise in customer-facing systems has been found thus far.

Investigation and Breach Details

Microsoft is currently conducting a thorough investigation to determine the full extent of the breach.

It was revealed that the breach initially took place in November 2023 through a password spray attack on a legacy test tenant account that lacked multi-factor authentication.

Midnight Blizzard, a group associated with Russia’s Foreign Intelligence Service (SVR) and known for targeting high-profile entities like SolarWinds, has been actively carrying out sophisticated attacks since at least 2008. The group has been ramping up password spray attacks, showing a substantial commitment of resources and coordination in their ongoing efforts.
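The password spray described above, as an added example that is not part of the original article: a detection heuristic run over constructed sample sign-in events. A spray shows up as one source failing against many distinct accounts with only a few tries each (which is what keeps it under per-account lockout thresholds), and any account that then succeeds from that source is the one to reset and enrol in MFA first. The account names, IP addresses and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (timestamp, source IP, account, outcome); not real telemetry.
SAMPLE_EVENTS = [
    ("2024-01-12T03:00:01", "203.0.113.7", "alice@corp.example", "FAIL"),
    ("2024-01-12T03:00:09", "203.0.113.7", "bob@corp.example", "FAIL"),
    ("2024-01-12T03:00:17", "203.0.113.7", "carol@corp.example", "FAIL"),
    ("2024-01-12T03:00:25", "203.0.113.7", "dave@corp.example", "FAIL"),
    ("2024-01-12T03:00:33", "203.0.113.7", "legacy-test@corp.example", "FAIL"),
    ("2024-01-12T03:00:41", "203.0.113.7", "legacy-test@corp.example", "SUCCESS"),  # spray hit: account had no MFA
    ("2024-01-12T03:01:00", "198.51.100.4", "alice@corp.example", "FAIL"),  # brute force on one account, not a spray
    ("2024-01-12T03:01:05", "198.51.100.4", "alice@corp.example", "FAIL"),
    ("2024-01-12T03:01:10", "198.51.100.4", "alice@corp.example", "FAIL"),
    ("2024-01-12T09:30:00", "192.0.2.9", "erin@corp.example", "FAIL"),  # ordinary typo then success
    ("2024-01-12T09:30:30", "192.0.2.9", "erin@corp.example", "SUCCESS"),
]

def detect_password_spray(events, window=timedelta(minutes=30),
                          min_accounts=5, max_tries_per_account=2):
    """Return {source_ip: sorted accounts} for sources that, inside one sliding
    time window, fail against many distinct accounts with few tries each.
    Few tries per account is what separates a spray from a brute force."""
    failures = defaultdict(list)
    for ts, ip, account, outcome in events:
        if outcome == "FAIL":
            failures[ip].append((datetime.fromisoformat(ts), account))
    findings = {}
    for ip, rows in failures.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:  # slide the window forward
                start += 1
            per_account = defaultdict(int)
            for _, account in rows[start:end + 1]:
                per_account[account] += 1
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_tries_per_account):
                findings[ip] = sorted(per_account)
                break
    return findings

def successes_after_spray(events, findings):
    """Accounts that signed in successfully from a flagged source: the first
    candidates for a forced password reset and MFA enrolment."""
    return sorted({acct for _, ip, acct, out in events
                   if out == "SUCCESS" and ip in findings})
```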

Impact and Response

Midnight Blizzard’s recent breach of Microsoft involved the theft of authentication secrets, such as tokens, API keys, or credentials, which enabled access to critical systems and source code repositories.

To mitigate the impact of the breach, Microsoft is reaching out to affected customers whose secrets were exposed and advising companies to implement multi-factor authentication as a preventive measure.

The company has also heightened its security measures across the organization to defend against advanced persistent threats.

In a separate incident, the National Cyber Security Centre (NCSC) of Switzerland reported a data breach at Xplain, a Swiss technology and software solutions provider for government departments and the military.

The breach, caused by the Play ransomware gang on May 23, 2023, resulted in the exposure of thousands of sensitive Federal government files.

The stolen data, which contained confidential information, was subsequently published on a darknet portal.

The Swiss government has initiated an investigation into the leaked files, which may involve documents belonging to the Federal Administration of Switzerland.

The investigation, complicated by the vast volume of leaked data and legal considerations, is expected to be concluded by the end of the month, with cybersecurity recommendations to be shared with the Federal Council.

Article X-ray

Facts attribution

This section links each of the article’s facts back to its original source.

If you suspect false information in the article, you can use this section to investigate where it came from.

thehackernews.com
– Microsoft revealed that the Kremlin-backed threat actor Midnight Blizzard gained access to source code repositories and internal systems in January 2024
– Midnight Blizzard used information from Microsoft’s corporate email systems to gain unauthorized access
– Microsoft has not found evidence of compromise in customer-facing systems
– Microsoft is still investigating the extent of the breach
– Midnight Blizzard is attempting to leverage different types of secrets found, including those shared between customers and Microsoft
– Microsoft has increased security investments in response to the breach
– Midnight Blizzard ramped up password spray attacks by 10-fold in February
– The ongoing attack by Midnight Blizzard shows a significant commitment of resources, coordination, and focus
– The breach took place in November 2023 through a password spray attack on a legacy test tenant account without multi-factor authentication
– APT29 targeted other organizations using various initial access methods
– Midnight Blizzard is part of Russia’s Foreign Intelligence Service (SVR) and has been active since at least 2008
– Midnight Blizzard is known for compromising high-profile targets like SolarWinds
bleepingcomputer.com
– Microsoft reported that the Russian ‘Midnight Blizzard’ hacking group accessed internal systems and source code repositories using stolen authentication secrets from a January cyberattack
– The group breached corporate email servers in January through a password spray attack on a legacy non-production test tenant account
– The test account did not have multi-factor authentication enabled, allowing the threat actors to access Microsoft’s systems
– The test account had access to an OAuth application with elevated access to Microsoft’s corporate environment, allowing the threat actors to steal data from corporate mailboxes
– Microsoft believes the threat actors breached email accounts to learn what Microsoft knew about them
– Midnight Blizzard used stolen data to gain access to Microsoft’s systems and source code repositories in recent weeks
– Microsoft has not disclosed the exact nature of the stolen “secrets,” but they are likely authentication tokens, API keys, or credentials
– Microsoft is contacting customers whose secrets were exposed to assist them in taking mitigating measures
– Midnight Blizzard has increased password spray attacks against targeted systems, observing a 10-fold increase in February compared to January 2024
– Companies are advised to configure MFA on all accounts to prevent unauthorized access
– Microsoft has increased security measures across the organization to defend against advanced persistent threat actors
– The company is coordinating with federal law enforcement regarding the ongoing investigation of the threat actor and the incident
– Midnight Blizzard (Nobelium, APT29, Cozy Bear) is a state-sponsored hacking group linked to Russia’s Foreign Intelligence Service (SVR)
– The group conducted the 2020 SolarWinds supply chain attack, allowing them to breach numerous companies, including Microsoft
– Midnight Blizzard stole source code for Azure, Intune, and Exchange components during the SolarWinds attack
– In June 2021, the group breached a Microsoft corporate account, gaining access to customer support tools
– Midnight Blizzard has been linked to cyberespionage attacks against NATO and EU countries, targeting embassies and government agencies
– The group is known for developing custom malware for use in their attacks
bleepingcomputer.com
– The National Cyber Security Centre (NCSC) of Switzerland released a report on a data breach following a ransomware attack on Xplain
– The incident impacted thousands of sensitive Federal government files
– Xplain is a Swiss technology and software solutions provider for government departments and the military
– The Play ransomware gang breached Xplain on May 23, 2023
– The threat actor claimed to have stolen documents containing confidential information
– The stolen data was published on the darknet portal in early June 2023
– The Swiss government started investigating the leaked files
– The leaked data might contain documents belonging to the Federal Administration of Switzerland
– The Swiss government confirmed that 65,000 government documents were leaked in the breach
– An administrative investigation was launched on August 23, 2023
– The investigation is set to be completed by the end of the month
– The full results and cybersecurity recommendations will be shared with the Federal Council
– The complexity of analyzing unstructured data and the large volume of leaked data has prolonged the investigation
– Analyzing the leaked data for evidence is legally complicated
– Confidential information requires inter-agency coordination and participation, prolonging the process
