Microsoft shares new guidance in wake of ‘Midnight Blizzard’ cyber attack.

Microsoft has released new guidance for organizations on how to protect themselves from persistent nation-state attacks like the one revealed a few days ago, in which attackers infiltrated Microsoft’s own corporate email system.

One of the key takeaways from the guide is what organizations can do to protect themselves from threat actors who use malicious OAuth apps to hide their activity and maintain access to applications, even after the accounts they first compromised have been removed.

The attack on Microsoft by Midnight Blizzard, also known as Cozy Bear, a threat group affiliated with Russia’s Foreign Intelligence Service (SVR), resulted in the compromise of email accounts belonging to several Microsoft employees, including senior executives.

Over a period of several weeks starting in late November 2023, the attackers gained access to Microsoft corporate email accounts and exfiltrated emails and attached documents, apparently to determine what information the company held about Midnight Blizzard itself.

An SEC filing that surfaced this week showed that the same threat actor, which the US government formally identified as the perpetrator of the SolarWinds hack, also breached Hewlett Packard Enterprise’s (HPE) cloud-based email environment last May. The attacks are believed to be part of a larger, ongoing intelligence-gathering effort by SVR/Midnight Blizzard in preparation for potential future campaigns.

In its January 19 blog post initially disclosing the attack, Microsoft described Midnight Blizzard as having gained initial access to its environment via a legacy, non-production test account, which the threat actor compromised through a password spray attack. Further investigation by the company, detailed in its latest blog post this week, showed that the Midnight Blizzard actors used a “vast number” of legitimate residential IP addresses to launch their password spray attacks against targeted Microsoft accounts, one of which was the test account they compromised. The threat actors’ use of residential proxy infrastructure helped obfuscate their activity and evade detection, Microsoft said.

Abusing OAuth apps

Once the attacker gained initial access to the test account, they used it to identify and compromise a legacy test OAuth application with privileged access to Microsoft’s enterprise environment. Subsequently, “the actor created additional malicious OAuth applications,” Microsoft said. “They created a new user account to grant consent in the Microsoft enterprise environment to malicious OAuth applications controlled by the actor.”

The attacker used the legacy OAuth app they had compromised to grant themselves full access to Office 365 Exchange mailboxes, Microsoft said. “Misuse of OAuth also allows threat actors to maintain access to applications, even if they lose access to the initially compromised account,” the company noted.

Tal Skverer, research group lead at Astrix Security, says the Midnight Blizzard actors turned to malicious OAuth tokens because they likely knew their access to the compromised account would eventually be detected.

“Considering the scrutiny that (human) user accounts are under when it comes to their security, the success of the password spraying attack in this case was time-limited,” he says. “So while they had [access] they created OAuth apps and consented to their use, generating non-expiring OAuth access tokens for attackers.”

Such app permissions can persist even if the originally compromised account is disabled or deleted, so the attackers keep their access after losing the account that got them in, Skverer says.

Blocking malicious OAuth apps

Microsoft’s Jan. 25 blog post offered guidance for organizations on mitigating the risks of OAuth app misuse. Recommendations include verifying the current privilege levels associated with all identities, both user and service, and focusing on those with elevated privileges.

“The privilege should be examined more closely if it belongs to an unknown identity, is linked to identities that are no longer in use, or is not fit for purpose,” Microsoft said. When reviewing privileges, administrators should keep in mind that users and services often hold privileges beyond what they actually require, the blog notes.

Organizations should also identify which identities hold the Application impersonation privilege in Exchange Online, which allows a service to impersonate a user and perform the same operations that user can perform, Microsoft advised.

“If incorrectly configured or not properly targeted, these identities can have broad access to all inboxes in an environment,” the company warned.

Organizations should also consider using anomaly detection policies to identify malicious OAuth applications, and conditional access application controls for users connecting from unmanaged services, Microsoft said.

How to detect Midnight Blizzard

The blog post also included a detailed guide to the log data organizations should examine to detect malicious activity like that associated with Midnight Blizzard.
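The review guidance above (new accounts consenting to OAuth apps, apps granted mailbox-wide permissions) can be turned into a simple log correlation. The following is an added example, not code from Microsoft’s blog post or from Astrix; the audit-record schema, the account names and the high-risk permission list are constructed assumptions, and real Entra ID audit logs use a different layout.

```python
"""Correlate OAuth consent grants with recently created accounts.

Assumed, simplified audit-record schema (constructed for this example; real
Entra ID audit logs differ): each record has an activity, an ISO timestamp,
the initiating actor and a free-form 'details' dict.
"""
from datetime import datetime, timedelta

# Permissions that let an app act on every mailbox (assumed high-risk list).
HIGH_RISK_SCOPES = {"full_access_as_app", "EWS.AccessAsUser.All", "Mail.ReadWrite"}

# Constructed sample records modelled on the sequence described in the article:
# a new account is created, then used to consent to an app with mailbox-wide access.
SAMPLE_LOG = [
    {"activity": "Add user", "time": "2023-12-01T09:00:00",
     "actor": "admin@contoso.example", "details": {"target": "svc-review@contoso.example"}},
    {"activity": "Consent to application", "time": "2023-12-01T09:30:00",
     "actor": "svc-review@contoso.example",
     "details": {"app": "Mail Sync Helper", "scopes": ["full_access_as_app"]}},
    {"activity": "Consent to application", "time": "2023-12-03T11:00:00",
     "actor": "admin@contoso.example",
     "details": {"app": "Expense Portal", "scopes": ["User.Read"]}},
]


def _ts(s):
    return datetime.fromisoformat(s)


def find_suspicious_consents(records, window=timedelta(days=7)):
    """Return consent events granted by a freshly created account, or that hand
    an app mailbox-wide permissions. Each finding lists the reasons it fired."""
    created = {r["details"]["target"]: _ts(r["time"])
               for r in records if r["activity"] == "Add user"}
    findings = []
    for r in records:
        if r["activity"] != "Consent to application":
            continue
        reasons = []
        born = created.get(r["actor"])
        if born is not None and timedelta(0) <= _ts(r["time"]) - born <= window:
            reasons.append("consent by account created %s earlier" % (_ts(r["time"]) - born))
        risky = HIGH_RISK_SCOPES & set(r["details"].get("scopes", []))
        if risky:
            reasons.append("high-risk scopes: " + ", ".join(sorted(risky)))
        if reasons:
            findings.append({"app": r["details"]["app"], "actor": r["actor"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_consents(SAMPLE_LOG):
        print(finding)
```

Each reason is reported separately so a reviewer can see whether an alert fired on account age, on permission scope, or on both, which is the combination the article describes.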

Skverer says posture management tools can help organizations inventory all non-human identities (NHIs) in their environment, especially those that pose the highest risk.

“Specifically, for the TTPs used by Midnight Blizzard, these tools would highlight an unused OAuth application, with overly permissive access to impersonate every user when authenticating to Office 365 Exchange,” he says.
