This post is all about the hack on Microsoft by Midnight Blizzard (NOBELIUM, Cozy Bear, APT29).
A lot has been said already, and this event has many angles. This post is focused on one part:
What can Entra/Microsoft 365 admins do to prevent such an attack?
I don’t have all the answers (certainly not!) but I feel the urge to bundle all the resources so that the community can find guidance during this snowstorm. I did not find any time to put something on paper myself, but this hack has kept me busy for the past few days. During that period, a lot of good resources already came out, so that’s what I’d like to share.
- The attack was not the result of a vulnerability in Microsoft products or services. The attacker gained access through unprotected accounts, overprivileged apps, and a lack of governance and alerting.
- The motive was most likely to gain insights into the information Microsoft had about the attacker. At one point, it seemed that the attacker had unlimited control over the entire production tenant, but they “just” exfiltrated email and documents from targeted accounts.
- Admins should first review all service principals that hold the highest-privilege Entra ID roles and Microsoft Graph app roles. Then follow up on the recommendations in the various blog posts.
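The first review the bullets above call for can be scripted with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original post or from Microsoft; the cmdlets and the Graph app ID are the real ones, while the watch lists of permissions and roles are my own starting selection and should be extended for your tenant.

```powershell
# Added example: inventory service principals that hold high-privilege Microsoft Graph
# application permissions or activated Entra ID directory roles.
# Assumes the Microsoft.Graph module is installed and the signed-in account may read
# applications and directory roles. Watch lists below are an assumed starting point.
Connect-MgGraph -Scopes 'Application.Read.All', 'RoleManagement.Read.Directory'

# Graph application permissions (app roles) that allow tenant takeover or mailbox access.
$highRiskGraphRoles = @(
    'Directory.ReadWrite.All', 'RoleManagement.ReadWrite.Directory',
    'AppRoleAssignment.ReadWrite.All', 'Application.ReadWrite.All',
    'Mail.Read', 'Mail.ReadWrite'
)
# Directory roles that let a holder grant themselves or an app the permissions above.
$highRiskDirRoles = @('Global Administrator', 'Privileged Role Administrator',
    'Application Administrator', 'Cloud Application Administrator')

# The Microsoft Graph service principal (well-known appId) defines the app role GUIDs,
# so resolve GUID -> permission name from its AppRoles collection.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleNameById = @{}
foreach ($r in $graphSp.AppRoles) { $roleNameById[$r.Id] = $r.Value }

$findings = @()

# 1. Every app role assignment on the Graph resource, i.e. every service principal that
#    has been granted a Graph application permission (consent or admin-granted).
foreach ($a in Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All) {
    $name = $roleNameById[$a.AppRoleId]
    if ($highRiskGraphRoles -contains $name) {
        $findings += [pscustomobject]@{
            Principal = $a.PrincipalDisplayName; Type = 'GraphAppRole'; Privilege = $name }
    }
}

# 2. Service principals that are members of an activated high-privilege directory role.
#    Note: Get-MgDirectoryRole only returns activated roles with permanent members;
#    PIM-eligible assignments need a separate review.
foreach ($role in Get-MgDirectoryRole -All | Where-Object { $highRiskDirRoles -contains $_.DisplayName }) {
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        if ($m.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.servicePrincipal') {
            $findings += [pscustomobject]@{
                Principal = $m.AdditionalProperties['displayName']; Type = 'DirectoryRole'; Privilege = $role.DisplayName }
        }
    }
}

# Each line is a service principal to justify, scope down, or remove.
$findings | Sort-Object Privilege, Principal | Format-Table -AutoSize
```

Any multi-tenant app that appears here was granted its privilege by consent in this tenant, whoever owns the app registration, so review the owning tenant of each entry as well.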
Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard | MSRC Blog | Microsoft Security Response Center
Midnight Blizzard: Guidance for responders on nation-state attack | Microsoft Security Blog
Midnight Blizzard (NOBELIUM) News and Insights | Microsoft Security Blog
A thread on X by Clément Notin: ‘What I think happened in the Midnight Blizzard breach of Microsoft: how could they pivot from the test tenant to the production tenant using a OAuth application? 🤔⤵️ https://t.co/GNhJDZeDAZ’
Here’s a good visual from Amitai Cohen 🎗️ (@AmitaiCo) on X (twitter.com).
If you are using BloodHound, here’s a good read: Microsoft Breach — How Can I See This In BloodHound? | by Stephen Hinck | Feb, 2024 | Posts By SpecterOps Team Members
Merill added a new cmdlet (Export-MsIdAppConsentGrantReport) to the MSIdentityTools module at https://aka.ms/MSID, which scans your Microsoft 365 tenant and reports the permissions held by apps and users and the consents you’ve granted them. Learn more in the video:
I just wanted to put this post out there, for everybody to learn the details of this attack. I will update the post as more details come out. For now, stay safe!