
A Thread on Frosty Fiascos: Delving into the Microsoft Midnight Blizzard Hack

This post is all about the hack on Microsoft by Midnight Blizzard (NOBELIUM, Cozy Bear, APT29). A lot has been said already, and this event has many angles. This post is focused on one part:

What can Entra/Microsoft 365 admins do to prevent such an attack?

I don’t have all the answers (certainly not!) but I feel the urge to bundle all the resources so that the community can find guidance during this snowstorm. I did not find any time to put something on paper myself, but this hack has kept me busy for the past few days. During that period, a lot of good resources already came out, so that’s what I’d like to share.

TL;DR

  1. The attack was not the result of a vulnerability in Microsoft products or services. The attacker gained access through unprotected accounts, overprivileged apps, and a lack of governance and alerting.
  2. The motive was most likely to gain insights into the information Microsoft had about the attacker. At one point, it seemed that the attacker had unlimited control over the entire production tenant, but they “just” exfiltrated email and documents from targeted accounts.
  3. Admins should first review all service principals that hold the highest-privilege Entra ID roles and MS Graph app roles, then follow up on the recommendations in the various blog posts.

Microsoft publications

Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard | MSRC Blog | Microsoft Security Response Center
Midnight Blizzard: Guidance for responders on nation-state attack | Microsoft Security Blog
Midnight Blizzard (NOBELIUM) News and Insights | Microsoft Security Blog
(Update 03/08/2024) Update on Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard | MSRC Blog | Microsoft Security Response Center

This podcast is created by two Microsoft employees, Andy Jaw and Adam Brewer.

Community resources

A thread on X: Clément Notin on X: ‘What I think happened in the Midnight Blizzard breach of Microsoft: how could they pivot from the test tenant to the production tenant using an OAuth application? 🤔⤵️ https://t.co/GNhJDZeDAZ’ / X (twitter.com)

Microsoft Breach — What Happened? What Should Azure Admins Do? | by Andy Robbins | Feb, 2024 | Posts By SpecterOps Team Members

Here’s a good visual from Amitai Cohen 🎗️ (@AmitaiCo) / X (twitter.com)

Blogpost from Jeffrey Appel | Microsoft MVP (@JeffreyAppel7) / X (twitter.com)

Pivot via OAuth applications across tenants and how to protect/detect with Microsoft technology? (Midnight blizzard) (jeffreyappel.nl)

If you are using BloodHound, here’s a good read: Microsoft Breach — How Can I See This In BloodHound? | by Stephen Hinck | Feb, 2024 | Posts By SpecterOps Team Members

Microsoft vs Midnight Blizzard (FULL EPISODE) | SS Podcast | EP34 and The Security Swarm Podcast – EP24: The Danger of Malicious OAuth Apps in M365

Merill added a new cmdlet (Export-MsIdAppConsentGrantReport) to the MSIdentityTools module at https://aka.ms/MSID. It scans your Microsoft 365 tenant and reports the apps, the users who consented to them, and the permissions that were granted. Learn more in the video:
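To act on TL;DR item 3, and as a hand-rolled complement to Merill's cmdlet above, here is an added example (not code from this post or from the MSIdentityTools module) that uses the Microsoft Graph PowerShell SDK to list service principals holding high-privilege Entra ID roles or high-risk Microsoft Graph application permissions. The Graph appId and role template IDs are well-known values; which roles and permissions count as "high risk" is this example's own choice, and it assumes the Microsoft.Graph module is installed and the signed-in admin can consent to the read-only scopes used.

```powershell
# Added example, not from the post or the MSIdentityTools module: enumerate
# service principals that hold high-privilege Entra ID roles or high-risk
# Microsoft Graph application permissions, using the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes 'Application.Read.All','Directory.Read.All','RoleManagement.Read.Directory' -NoWelcome
# Graph application permissions that allow tenant takeover or mail/file access.
# The permission names are real; treating this set as "high risk" is this example's choice.
$highRiskAppRoles = @(
    'RoleManagement.ReadWrite.Directory', 'AppRoleAssignment.ReadWrite.All',
    'Application.ReadWrite.All', 'Directory.ReadWrite.All',
    'Mail.Read', 'Mail.ReadWrite', 'Files.Read.All', 'Files.ReadWrite.All', 'Sites.ReadWrite.All'
)
# Well-known Entra ID role template IDs for the roles that matter most here.
$highRiskRoleTemplates = @{
    '62e90394-69f5-4237-9190-012177145e10' = 'Global Administrator'
    'e8611ab8-c189-46e8-94e1-60213ab1f814' = 'Privileged Role Administrator'
    '9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3' = 'Application Administrator'
    '158c047a-c907-4556-b7ef-446551a6b5f7' = 'Cloud Application Administrator'
}
$findings = [System.Collections.Generic.List[object]]::new()
# 1. Application permissions granted on the Microsoft Graph resource service principal
#    (well-known appId 00000003-0000-0000-c000-000000000000).
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleNameById = @{}
foreach ($role in $graphSp.AppRoles) { $roleNameById[$role.Id] = $role.Value }
foreach ($grant in Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All) {
    $permission = $roleNameById[$grant.AppRoleId]
    if ($grant.PrincipalType -eq 'ServicePrincipal' -and $highRiskAppRoles -contains $permission) {
        $findings.Add([pscustomobject]@{
            Principal = $grant.PrincipalDisplayName; PrincipalId = $grant.PrincipalId
            Kind = 'Graph app role'; Privilege = $permission })
    }
}
# 2. Service principals that hold one of the high-privilege directory roles.
foreach ($templateId in $highRiskRoleTemplates.Keys) {
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$templateId'" -All
    foreach ($assignment in $assignments) {
        # Users and groups are not service principals; the lookup returns nothing for them.
        $sp = Get-MgServicePrincipal -ServicePrincipalId $assignment.PrincipalId -ErrorAction SilentlyContinue
        if ($sp) {
            $findings.Add([pscustomobject]@{
                Principal = $sp.DisplayName; PrincipalId = $sp.Id
                Kind = 'Entra ID role'; Privilege = $highRiskRoleTemplates[$templateId] })
        }
    }
}
# Every row is an app identity that needs an owner, a justification, and alerting on its sign-ins.
$findings | Sort-Object Kind, Privilege, Principal | Format-Table -AutoSize
```

Run it with a read-only admin account; the output is the starting list for the review recommended in the TL;DR, and anything on it without a known owner deserves the same scrutiny as a Global Administrator user account.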

What’s next?

I just wanted to put this post out there, for everybody to learn the details of this attack. I will update the post as more details come out. For now, stay safe!
