On January 12, 2024, Microsoft identified a nation-state threat actor, “Midnight Blizzard,” attacking their corporate systems. Upon discovery, Microsoft deployed its incident response process to disrupt the malicious activity and mitigate the attack.
Notably, Microsoft has been tracking “Midnight Blizzard” for quite some time now.
However, Microsoft stated that the infiltration was possible because a legacy test account had a weak password, which left it vulnerable to the threat actor's password-spray attack. Microsoft identified the attack by reviewing its Exchange Web Services activity and its audit logs.
According to the reports shared with Cyber Security News, Midnight Blizzard is a Russian state-sponsored threat actor responsible for compromising several governmental and private entities of foreign interest to Russia.
Their targeted industries include governments, diplomatic entities, non-governmental organizations (NGOs), and IT service providers in the US and Europe. This particular threat actor has been active since 2018, and their primary focus is the espionage of foreign interests.
Midnight Blizzard uses several attack methods for espionage and intelligence gathering, such as stolen credentials, supply-chain attacks, lateral movement to the cloud, abusing OAuth applications, and many others.
As of the current attack against Microsoft, it has been discovered that the threat actor has been using password spray attacks on a specific set of accounts with only a tailored list of passwords to evade detection of threat activity.
The threat actor also launched these attacks through residential proxy infrastructure, routing traffic through IP addresses that legitimate users also use. Blending in with normal traffic improved their evasion and allowed the long-running attack to eventually succeed.
Once the account has been compromised, the threat actor uses malicious OAuth applications to maintain persistence on the compromised account. In addition, the threat actor also created a new user account that uses the attacker-controlled malicious OAuth application to log in.
This malicious OAuth was again used to authenticate into Microsoft Exchange Online to further target Microsoft Corporate email accounts. However, the threat actor also used the legacy test OAuth application to grant them access to the Office 365 Exchange Online with a full_access_as_app role, providing access to the mailboxes.
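As an added illustration (not from Microsoft's or Cyber Security News' material), the following Python sketches the two hunts a defender would run over their own sign-in and audit logs after this disclosure: flagging the spray pattern described above (many accounts, one or two attempts each, many source IPs) and listing application role assignments that grant full_access_as_app on Exchange Online. The log records, account names and IP addresses are constructed.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample data (not real telemetry). A spray tries one tailored
# password against many accounts from many residential-looking IPs, so no
# single account ever reaches a lockout threshold.
SIGNINS = [  # (timestamp, account, source_ip, outcome)
    ("2024-01-10T02:00:11", "test-legacy01", "203.0.113.10", "failure"),
    ("2024-01-10T02:04:52", "jdoe", "198.51.100.7", "failure"),
    ("2024-01-10T02:09:30", "asmith", "203.0.113.44", "failure"),
    ("2024-01-10T02:15:02", "bwong", "198.51.100.91", "failure"),
    ("2024-01-10T02:21:18", "clee", "203.0.113.77", "failure"),
    ("2024-01-10T02:26:40", "test-legacy01", "198.51.100.23", "success"),
    ("2024-01-10T09:00:00", "jdoe", "192.0.2.5", "success"),
]
AUDIT = [  # constructed app-role assignment audit records
    {"app": "legacy-test-app", "role": "full_access_as_app",
     "resource": "Office 365 Exchange Online"},
    {"app": "hr-sync", "role": "User.Read", "resource": "Microsoft Graph"},
]


def _bucket(ts, window_minutes):
    """Map an ISO timestamp to a fixed, UTC-aligned time window index."""
    t = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
    return int(t.timestamp() // (window_minutes * 60))


def spray_windows(signins, window_minutes=60, min_accounts=4, min_ips=3):
    """Return windows where failed sign-ins touch many distinct accounts from
    many distinct IPs: the spray signature that per-account lockouts miss."""
    buckets = defaultdict(lambda: {"accounts": set(), "ips": set()})
    for ts, account, ip, outcome in signins:
        if outcome == "failure":
            b = buckets[_bucket(ts, window_minutes)]
            b["accounts"].add(account)
            b["ips"].add(ip)
    return [dict(window=k, **b) for k, b in buckets.items()
            if len(b["accounts"]) >= min_accounts and len(b["ips"]) >= min_ips]


def compromised_after_spray(signins, windows, window_minutes=60):
    """Accounts sprayed in a flagged window that then succeeded in the same
    window: first candidates for an attacker-controlled account."""
    flagged = {w["window"]: w["accounts"] for w in windows}
    return sorted({a for ts, a, _, o in signins
                   if o == "success" and a in flagged.get(_bucket(ts, window_minutes), ())})


def full_access_grants(audit):
    """Apps granted full_access_as_app on Exchange Online, i.e. applications
    able to read every mailbox without any user signing in."""
    return [r["app"] for r in audit
            if r["role"] == "full_access_as_app" and "Exchange" in r["resource"]]
```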
Furthermore, Microsoft also stated that “Microsoft Threat Intelligence has identified that the same actor has been targeting other organizations and, as part of our usual notification processes, we have begun notifying these targeted organizations.”
Microsoft has published a detailed analysis of this threat actor covering defense and protection guidance, mitigation steps, hunting methodologies, and other information.
Midnight Blizzard, also known as Cozy Bear, has also breached HPE's cloud-based email environment.
Today Hewlett-Packard disclosed to the SEC that they were compromised by APT29 a/k/a/ Cozy Bear a/k/a/ Midnight Blizzard
Information via @pancak3lullz
Cozy Bear had likely been lurking within HPE’s system since May 2023, pilfering data from a select group of mailboxes across various departments, including cybersecurity itself.