midnight blizzard

Microsoft ties executive pay to security following multiple failures and breaches

azure, Biz & IT, microsoft, midnight blizzard, security breach, storm-0558, Tech / Blake Jones / May 4, 2024

lock it down —

Microsoft has been criticized for “preventable” failures and poor communication.

Andrew Cunningham – May 3, 2024 8: 25 pm UTC

It’s been a bad couple of years for Microsoft’s security and privacy efforts. Misconfigured endpoints, rogue security certificates, and weak passwords have all caused or risked the exposure of sensitive data, and Microsoft has been criticized by security researchers, US lawmakers, and regulatory agencies for how it has responded to and disclosed these threats.

The most high-profile of these breaches involved a China-based hacking group named Storm-0558, which breached Microsoft’s Azure service and collected data for over a month in mid-2023 before being discovered and driven out. After months of ambiguity, Microsoft disclosed that a series of security failures gave Storm-0558 access to an engineer’s account, which allowed Storm-0558 to collect data from 25 of Microsoft’s Azure customers, including US federal agencies.

In January, Microsoft disclosed that it had been breached again, this time by Russian state-sponsored hacking group Midnight Blizzard. The group was able “to compromise a legacy non-production test tenant account” to gain access to Microsoft’s systems for “as long as two months.”

All of this culminated in a report (PDF) from the US Cyber Safety Review Board, which castigated Microsoft for its “inadequate” security culture, its “inaccurate public statements,” and its response to “preventable” security breaches.

To attempt to turn things around, Microsoft announced something it called the “Secure Future Initiative” in November 2023. As part of that initiative, Microsoft today announced a series of plans and changes to its security practices, including a few changes that have already been made.

“We are making security our top priority at Microsoft, above all else—over all other features,” wrote Microsoft Security Executive Vice President Charlie Bell. “We’re expanding the scope of SFI, integrating the recent recommendations from the CSRB as well as our learnings from Midnight Blizzard to ensure that our cybersecurity approach remains robust and adaptive to the evolving threat landscape.”

As part of these changes, Microsoft will also make its Senior Leadership Team’s pay partially dependent on whether the company is “meeting our security plans and milestones,” though Bell didn’t specify how much executive pay would be dependent on meeting those security goals.

Microsoft’s post describes three security principles (“secure by design,” “secure by default,” and “secure operations”) and six “security pillars” meant to address different weaknesses in Microsoft’s systems and development practices. The company says it plans to secure 100 percent of all its user accounts with “securely managed, phishing-resistant multifactor authentication,” enforce least-privilege access across all applications and user accounts, improve network monitoring and isolation, and retain all system security logs for at least two years, among other promises. Microsoft is also planning to put new deputy Chief Information Security Officers on different engineering teams to track their progress and report back to the executive team and board of directors.

As for concrete fixes that Microsoft has already implemented, Bell writes that Microsoft has “implemented automatic enforcement of multifactor authentication by default across more than 1 million Microsoft Entra ID tenants within Microsoft,” removed 730,000 old and/or insecure apps “to date across production and corporate tenants,” expanded its security logging, and adopted the Common Weakness Enumeration (CWE) standard for its security disclosures.

In addition to Bell’s public security promises, The Verge has obtained and published an internal memo from Microsoft CEO Satya Nadella that re-emphasizes the company’s publicly stated commitment to security. Nadella also says that improving security should be prioritized over adding new features, something that may affect the constant stream of tweaks and changes that Microsoft releases for Windows 11 and other software.

“The recent findings by the Department of Homeland Security’s Cyber Safety Review Board (CSRB) regarding the Storm-0558 cyberattack, from summer 2023, underscore the severity of the threats facing our company and our customers, as well as our responsibility to defend against these increasingly sophisticated threat actors,” writes Nadella. “If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security. In some cases, this will mean prioritizing security above other things we do, such as releasing new features or providing ongoing support for legacy systems.”

Microsoft ties executive pay to security following multiple failures and breaches Read More »

Microsoft says Kremlin-backed hackers accessed its source and internal systems

THE PLOT THICKENS —

Midnight Blizzard is now using stolen secrets in follow-on attacks against customers.

Dan Goodin – Mar 8, 2024 6: 42 pm UTC

Microsoft says Kremlin-backed hackers accessed its source and internal systems

Microsoft said that Kremlin-backed hackers who breached its corporate network in January have expanded their access since then in follow-on attacks that are targeting customers and have compromised the company’s source code and internal systems.

The intrusion, which the software company disclosed in January, was carried out by Midnight Blizzard, the name used to track a hacking group widely attributed to the Federal Security Service, a Russian intelligence agency. Microsoft said at the time that Midnight Blizzard gained access to senior executives’ email accounts for months after first exploiting a weak password in a test device connected to the company’s network. Microsoft went on to say it had no indication any of its source code or production systems had been compromised.

Secrets sent in email

In an update published Friday, Microsoft said it uncovered evidence that Midnight Blizzard had used the information it gained initially to further push into its network and compromise both source code and internal systems. The hacking group—which is tracked under multiple other names, including APT29, Cozy Bear, CozyDuke, The Dukes, Dark Halo, and Nobelium—has been using the proprietary information in follow-on attacks, not only against Microsoft but also its customers.

“In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access,” Friday’s update said. “This has included access to some of the company’s source code repositories and internal systems. To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised.

In January’s disclosure, Microsoft said Midnight Blizzard used a password-spraying attack to compromise a “legacy non-production test tenant account” on the company’s network. Those details meant that the account hadn’t been removed once it was decommissioned, a practice that’s considered essential for securing networks. The details also meant that the password used to log in to the account was weak enough to be guessed by sending a steady stream of credentials harvested from previous breaches—a technique known as password spraying.

In the months since, Microsoft said Friday, Midnight Blizzard has been exploiting the information it obtained earlier in follow-on attacks that have stepped up an already high rate of password spraying.

Unprecedented global threat

Microsoft officials wrote:

It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found. Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures. Midnight Blizzard has increased the volume of some aspects of the attack, such as password sprays, by as much as 10-fold in February, compared to the already large volume we saw in January 2024.

Midnight Blizzard’s ongoing attack is characterized by a sustained, significant commitment of the threat actor’s resources, coordination, and focus. It may be using the information it has obtained to accumulate a picture of areas to attack and enhance its ability to do so. This reflects what has become more broadly an unprecedented global threat landscape, especially in terms of sophisticated nation-state attacks.

The attack began in November and wasn’t detected until January. Microsoft said then that the breach allowed Midnight Blizzard to monitor the email accounts of senior executives and security personnel, raising the possibility that the group was able to read sensitive communications for as long as three months. Microsoft said one motivation for the attack was for Midnight Blizzard to learn what the company knew about the threat group. Microsoft said at the time and reiterated again Friday that it had no evidence the hackers gained access to customer-facing systems.

Midnight Blizzard is among the most prolific APTs, short for advanced persistent threats, the term used for skilled, well-funded hacking groups that are mostly backed by nation-states. The group was behind the SolarWinds supply-chain attack that led to the hacking of the US Departments of Energy, Commerce, Treasury, and Homeland Security and about 100 private-sector companies.

Last week, the UK National Cyber Security Centre (NCSC) and international partners warned that in recent months, the threat group has expanded its activity to target aviation, education, law enforcement, local and state councils, government financial departments, and military organizations.