Editor's Note: BleepingComputer reported on Wednesday that Hewlett Packard Enterprise revealed via its own Form 8-K SEC filing that the company was also hacked by the Midnight Blizzard cybercriminal organization, resulting in stolen data from multiple departments.
Microsoft technically didn’t have to tell the SEC that it failed to apply very basic cybersecurity protections to an email account and paid the price, but late on Friday afternoon admitted the mistake anyway.
Microsoft specifically told the world that a Russian state-sponsored cybercrime group known as Midnight Blizzard gained a beachhead onto Microsoft’s network through a “password spray attack.”
The breached account was a “test tenant” account, meaning it was probably used for testing and development purposes versus a live email account used by an employee on a regular basis. But the incident does show just how on top of things cybersecurity teams (including yours) need to be, because the smallest keyhole may open doors that really ought to remain shut.
Especially when the hackers are also known as Nobelium or APT29, tied to Russia’s Foreign Intelligence Service (SVR), and responsible for causing billions of dollars’ worth of damage to some of the world’s largest tech companies in the notorious SolarWinds hack reported in 2020.
As explained by BleepingComputer, password spraying means collecting a list of potential login names and attempting to log into all of them with the same password. The hackers either eventually run out of passwords or hit paydirt and breach an account. And, as also pointed out by BleepingComputer, this only works if the account doesn’t have additional protections like multi-factor authentication.
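As an added illustration of the pattern BleepingComputer describes (example code, not from the article, Microsoft or BleepingComputer), the following Python flags a source that fails against many distinct accounts inside a short window, the signature of a spray rather than a user mistyping a password, and then lists any account that succeeded from that same source. The sign-in records are constructed, and the window and account-count thresholds are assumptions to tune against real volume.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (timestamp, source IP, account, result).
# One source tries a single password across many accounts and finally lands on
# a neglected test account; a normal user at another IP mistypes twice.
SAMPLE_EVENTS = [
    ("2024-01-12T09:00:01", "203.0.113.7", "alice@example.test", "failure"),
    ("2024-01-12T09:00:04", "203.0.113.7", "bob@example.test", "failure"),
    ("2024-01-12T09:00:07", "203.0.113.7", "carol@example.test", "failure"),
    ("2024-01-12T09:00:10", "203.0.113.7", "dave@example.test", "failure"),
    ("2024-01-12T09:00:13", "203.0.113.7", "test-tenant-01@example.test", "success"),
    ("2024-01-12T09:30:00", "198.51.100.9", "erin@example.test", "failure"),
    ("2024-01-12T09:30:20", "198.51.100.9", "erin@example.test", "failure"),
    ("2024-01-12T09:30:40", "198.51.100.9", "erin@example.test", "success"),
]


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=4):
    """Return {source_ip: sorted targeted accounts} for every source that failed
    against at least `min_accounts` distinct accounts within `window`.
    Thresholds are assumed values; many failures on ONE account is brute force,
    few failures on MANY accounts is a spray."""
    by_source = defaultdict(list)
    for ts, ip, account, result in events:
        by_source[ip].append((datetime.fromisoformat(ts), account, result))
    findings = {}
    for ip, rows in by_source.items():
        rows.sort()
        for i, (start, _, _) in enumerate(rows):
            # Sliding window anchored on each event in turn.
            accounts = {acct for ts, acct, res in rows[i:]
                        if ts - start <= window and res == "failure"}
            if len(accounts) >= min_accounts:
                findings[ip] = sorted(accounts)
                break
    return findings


def compromised_after_spray(events, findings):
    """Accounts that signed in successfully from a flagged source: the spray
    hit paydirt there, so those are the first to get MFA and a credential reset."""
    return sorted({acct for _, ip, acct, res in events
                   if ip in findings and res == "success"})
```

The success from the flagged source is the alert that matters: without MFA on the test account, a single correct guess is enough, which is exactly the gap the article describes.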
The Russian hackers then used permissions attached to a hacked account to access corporate email accounts “including members of our senior leadership team and employees in our cybersecurity, legal, and other functions,” according to Microsoft’s notice.
The hackers were apparently looking for information related to the state-sponsored group and stole emails with attached documents.
Microsoft did not have to report the breach under the new SEC reporting rules because, as stated in the Form 8-K filing dated January 17, “the incident has not had a material impact on the Company’s operations.”
However, Microsoft also reported “The Company has not yet determined whether the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.”
Tyler Farrar, CISO at cybersecurity firm Exabeam, tells IndustryWeek that this is a wake-up call.
“The recent Microsoft email system breach serves as a critical reminder of the evolving complexities in cybersecurity. The attackers capitalized on the path of least resistance, exploiting a legacy, non-production account, underscoring the often overlooked concept of latent security vulnerabilities within organizations,” says Farrar.
“This is a crucial learning point for the cybersecurity community. It reinforces the importance of adopting comprehensive, AI-enhanced security measures to proactively identify and mitigate hidden risks. Consider this event a stark reminder that in the digital age, vigilance and advanced technology are key to safeguarding against sophisticated cyber threats,” Farrar adds.