Russian hackers breach senior executive emails
Microsoft says Russian hackers used known tactic to breach senior exec emails
Russian hackers abused a popular authentication tool to gain access to the email accounts of senior executives at Microsoft, according to a new statement from the tech giant. Microsoft has been tight-lipped about the incident, announced late on Friday afternoon last week, which it said involved the months-long compromise of corporate email accounts.

Why it matters:
- Russian hackers leveraged OAuth to compromise Microsoft corporate email accounts: They gained initial access via a legacy test account and used it to create additional malicious OAuth applications, which granted them access to senior executives' mailboxes. Because an OAuth application carries its own permissions, this technique lets threat actors keep access through the applications even after losing access to the initially compromised account.
- Microsoft had previously warned about such OAuth abuses: Despite its December warning about OAuth misuse, in which it detailed the tactics used by both nation-state hackers and cybercriminals, the company remained susceptible to the same attacks, raising concerns about its own security measures. Furthermore, the hackers used password spraying, a method Microsoft had identified in that earlier warning, to compromise user accounts.
- This incident reflects the skill and sophistication of the hacking group, Midnight Blizzard: The group is adept at identifying and misusing OAuth applications and used a range of evasion techniques to reduce the likelihood of detection, including launching attacks from a distributed residential proxy infrastructure. The attack points to the larger issue of ongoing advanced persistent threats (APTs) from state-sponsored hacker groups, with broad implications for national cybersecurity.
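The three tactics named above (password spraying, OAuth application persistence, and residential-proxy rotation to evade per-IP detection) can be illustrated with a small detection sketch. The following is an added example written for this page, not code from Microsoft or from the article; the sign-in and audit records are constructed samples loosely modelled on Entra ID sign-in and audit log fields, and the field layout, activity names and thresholds are assumptions chosen for the demonstration.

```python
"""Detection sketch (added example, not Microsoft's code) for the tactics the
article describes. Records below are constructed; schema is an assumption."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records: (time, source_ip, account, result).
# The first six attempts model a spray routed through a residential proxy pool:
# every attempt arrives from a different IP and each account is tried once.
SIGNIN_LOG = [
    ("2024-01-10T02:00:01Z", "198.51.100.11", "alice@corp.example", "failure"),
    ("2024-01-10T02:00:09Z", "198.51.100.23", "bob@corp.example", "failure"),
    ("2024-01-10T02:00:17Z", "198.51.100.48", "carol@corp.example", "failure"),
    ("2024-01-10T02:00:31Z", "198.51.100.62", "dave@corp.example", "failure"),
    ("2024-01-10T02:00:44Z", "198.51.100.90", "erin@corp.example", "failure"),
    ("2024-01-10T02:01:02Z", "198.51.100.77", "legacy-test@corp.example", "success"),
    # Ordinary traffic: one user mistypes a password, then signs in.
    ("2024-01-10T09:15:00Z", "203.0.113.5", "frank@corp.example", "failure"),
    ("2024-01-10T09:15:20Z", "203.0.113.5", "frank@corp.example", "success"),
]

# Constructed audit records: (time, actor, activity, target application).
# Activity names follow the style of Entra ID audit events (assumed here).
AUDIT_LOG = [
    ("2024-01-10T02:05:00Z", "legacy-test@corp.example", "Add application", "SyncHelper"),
    ("2024-01-10T02:05:30Z", "legacy-test@corp.example", "Add service principal", "SyncHelper"),
    ("2024-01-10T02:06:10Z", "legacy-test@corp.example",
     "Add app role assignment to service principal", "SyncHelper"),
    ("2024-01-10T11:00:00Z", "itadmin@corp.example", "Add application", "ExpenseBot"),
]

PERSISTENCE_ACTIVITIES = {
    "Add service principal",
    "Add app role assignment to service principal",
    "Consent to application",
}


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def spray_by_source_ip(signins, min_accounts=5):
    """Classic spray rule: one source IP touching many distinct accounts.
    Returns {ip: sorted accounts} for every IP at or above the threshold.
    A proxy pool that rotates IPs per attempt defeats this rule entirely."""
    users_by_ip = defaultdict(set)
    for _ts, ip, user, _result in signins:
        users_by_ip[ip].add(user)
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_accounts}


def find_spray_window(signins, window=timedelta(minutes=5), min_accounts=5, max_per_account=1):
    """IP-agnostic spray rule: a window in which many distinct accounts each
    receive at most `max_per_account` attempts. Breadth across accounts is the
    signal, so rotating source addresses does not hide it.
    Returns (window_start, sorted accounts) for the first such window, else None."""
    events = sorted((parse(ts), user) for ts, _ip, user, _r in signins)
    for i, (start, _) in enumerate(events):
        attempts = defaultdict(int)
        for ts, user in events[i:]:
            if ts - start > window:
                break
            attempts[user] += 1
        accounts = [u for u, n in attempts.items() if n <= max_per_account]
        if len(accounts) >= min_accounts:
            return start, sorted(accounts)
    return None


def oauth_persistence(audit, suspicious_actors, window=timedelta(hours=1)):
    """Correlate an app registration by a suspicious account with a follow-on
    service-principal creation, role assignment or consent grant on the same
    app within `window`. That pairing is how an attacker turns a compromised
    account into a foothold that outlives the account itself.
    Returns a list of (actor, app) pairs."""
    created, findings = {}, []
    for ts, actor, activity, target in sorted(audit, key=lambda e: parse(e[0])):
        if actor not in suspicious_actors:
            continue
        t = parse(ts)
        if activity == "Add application":
            created[(actor, target)] = t
        elif activity in PERSISTENCE_ACTIVITIES:
            t0 = created.get((actor, target))
            if t0 is not None and t - t0 <= window and (actor, target) not in findings:
                findings.append((actor, target))
    return findings


def run(signins=SIGNIN_LOG, audit=AUDIT_LOG):
    """Chain the rules: accounts that signed in successfully inside a spray
    window are treated as suspicious, and their OAuth app activity is checked."""
    hit = find_spray_window(signins)
    if hit is None:
        return []
    _start, accounts = hit
    compromised = {u for _ts, _ip, u, r in signins if r == "success" and u in accounts}
    return oauth_persistence(audit, compromised)


if __name__ == "__main__":
    print("per-IP rule:", spray_by_source_ip(SIGNIN_LOG))
    print("window rule:", find_spray_window(SIGNIN_LOG))
    print("OAuth persistence:", run())
```

On the constructed data the per-IP rule returns nothing, because each attempt came from a different address, while the window rule flags all six accounts and the chained check surfaces the test account registering and wiring up an application minutes after its successful sign-in. In a real tenant the thresholds and activity names must be tuned to the actual log export, and the app-role detail worth alerting on is any grant of mailbox-wide permissions to a newly registered application.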