Cybersecurity Insights from the Microsoft Midnight Blizzard Breach
Understanding the Breach
Recent events at Microsoft have thrown a spotlight on a crucial aspect of cybersecurity: the importance of regular maintenance, or 'cleaning up after yourself'. When Midnight Blizzard, a group with connections to Russia's Foreign Intelligence Service (SVR), got into Microsoft's network in late 2023, it wasn't through an elaborate hacking scheme but through a neglected legacy test account in a non-production tenant. By Microsoft's own account, the group guessed that account's password, then used the account's permissions to reach a legacy test OAuth application that still held elevated access to Microsoft's corporate environment. OAuth (open authorisation) applications are a common way of granting permissions to software in corporate systems; the attackers registered further OAuth applications of their own and used them to grant themselves the Office 365 Exchange Online full_access_as_app role, which is what let them read corporate mailboxes without logging in as any mailbox owner.
Microsoft's Reflection
In response, Microsoft published guidance for responders highlighting the actions organisations should take to fortify their defences against similar attacks, including:
- Audit Access Privileges: It's essential to regularly review who has access to what within your organisation. Microsoft advises paying special attention to privileges that are unnecessarily high or attached to dormant accounts. "Privilege should be scrutinised more closely if it belongs to an unknown identity, is attached to identities that are no longer in use, or is not fit for purpose," Microsoft said.
- Enhanced Monitoring and Controls: Implementing strict controls, especially around identities holding the ApplicationImpersonation privilege in Exchange Online, is crucial. That privilege lets an application act as any mailbox owner within its assigned scope, so a broadly scoped or forgotten assignment can provide read access to an environment's mailboxes to whoever controls the application.
- Counter Password Spray Attacks: The test account was accessed via a password spray attack, so Microsoft recommends a focused approach to guarding against spraying. A password spray involves trying a few commonly used passwords against many usernames, betting on finding a match with minimal effort; because each account sees only one or two attempts, lockout thresholds never trigger, and Midnight Blizzard additionally routed the attempts through distributed residential proxy infrastructure so that no single source IP stood out. Microsoft also noted that the compromised test account did not have multifactor authentication enabled, which is why a single guessed password was enough. Key measures include enforcing multifactor authentication everywhere (test tenants included), strengthening password policies, educating users to recognise and report suspicious sign-in attempts, and promptly resetting passwords of targeted accounts, particularly those with high-level access.
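The first two items above are audit questions, and the quickest way to answer them in a Microsoft 365 tenant is with the Microsoft Graph and Exchange Online PowerShell modules. The script below is an added example written for this article, not Microsoft's own tooling: it lists enabled accounts with no sign-in in 90 days, OAuth applications that hold tenant-wide mailbox permissions (including the full_access_as_app role used in the breach), and every identity that can ApplicationImpersonate. The 90-day cutoff, the set of permissions treated as mailbox-wide, and the CSV file names are illustrative choices; the two resource application IDs are Microsoft's well-known IDs for Office 365 Exchange Online and Microsoft Graph.

```powershell
# Added example (not Microsoft's code): one pass over the three privilege
# classes the guidance calls out. Assumes the Microsoft.Graph and
# ExchangeOnlineManagement modules are installed and that you hold a read-only
# role such as Global Reader plus View-Only Organization Management in Exchange.
# The 90-day cutoff and the permission list below are illustrative choices.

Connect-MgGraph -Scopes 'User.Read.All','Application.Read.All','AuditLog.Read.All','Directory.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# 1. Dormant identities: enabled accounts that have not signed in for 90 days,
#    or have never signed in at all. SignInActivity requires AuditLog.Read.All
#    and an Entra ID P1/P2 licence in the tenant.
$cutoff  = (Get-Date).AddDays(-90)
$dormant = Get-MgUser -All -Property Id,UserPrincipalName,AccountEnabled,CreatedDateTime,SignInActivity |
    Where-Object {
        $_.AccountEnabled -and (
            -not $_.SignInActivity.LastSignInDateTime -or
            $_.SignInActivity.LastSignInDateTime -lt $cutoff )
    } |
    Select-Object UserPrincipalName, CreatedDateTime,
        @{ n = 'LastSignIn'; e = { $_.SignInActivity.LastSignInDateTime } }

# 2. OAuth applications with application-level mailbox permissions. These are
#    granted to the app itself, so whoever controls the app's credentials can
#    read mail without any user signing in. full_access_as_app is the Exchange
#    Online role; the Mail.* roles are the Microsoft Graph equivalents.
$mailRoles      = 'full_access_as_app','Mail.Read','Mail.ReadWrite','Mail.Send','MailboxSettings.ReadWrite'
$resourceAppIds = @(
    '00000002-0000-0ff1-ce00-000000000000'   # Office 365 Exchange Online
    '00000003-0000-0000-c000-000000000000'   # Microsoft Graph
)
$appGrants = foreach ($appId in $resourceAppIds) {
    $resource = Get-MgServicePrincipal -Filter "appId eq '$appId'"
    if (-not $resource) { continue }
    # Map the resource's AppRole GUIDs to their readable names.
    $roleName = @{}
    foreach ($role in $resource.AppRoles) { $roleName[$role.Id] = $role.Value }
    Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $resource.Id -All |
        Where-Object { $roleName[$_.AppRoleId] -in $mailRoles } |
        Select-Object PrincipalDisplayName, PrincipalId, ResourceDisplayName, CreatedDateTime,
            @{ n = 'Permission'; e = { $roleName[$_.AppRoleId] } }
}

# 3. Exchange ApplicationImpersonation: expand group assignees to the actual
#    users and apps that can impersonate mailbox owners, and show the scope.
#    An unscoped assignment (RecipientWriteScope = Organization) is the one to
#    question first.
$impersonation = Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName, RoleAssigneeType,
        RecipientWriteScope, CustomRecipientWriteScope

$dormant       | Export-Csv dormant-accounts.csv -NoTypeInformation
$appGrants     | Export-Csv oauth-mailbox-grants.csv -NoTypeInformation
$impersonation | Export-Csv application-impersonation.csv -NoTypeInformation

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
```

Read the three files together: an application in oauth-mailbox-grants.csv whose owner is in dormant-accounts.csv, or whose CreatedDateTime nobody can explain, is exactly the "unknown identity" and "no longer in use" case the guidance describes. Section 2 only covers application permissions; delegated consents (Get-MgOauth2PermissionGrant) deserve the same review but act on behalf of a signed-in user rather than on the tenant as a whole.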
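The third item is a detection problem, and the spray pattern is easy to state: within a window, many distinct usernames each fail with a bad password, but hardly any username fails more than once or twice. The function below is an added example for this article, not code from Microsoft's guidance. It runs that test over Entra ID sign-in records twice, once per source IP and once across the whole tenant (the tenant-wide pass is what still fires when the attacker rotates through residential proxies), and for every flagged window it lists any sprayed account that later signed in successfully from the same source, since that is the account to reset immediately. The field names match what Get-MgAuditLogSignIn returns once flattened (CreatedDateTime, UserPrincipalName, IPAddress, ErrorCode); the thresholds and the sample records are constructed for the demonstration.

```powershell
# Added example, not part of the original article or of Microsoft's guidance.
# Flags the password-spray signature in Entra ID sign-in records: many distinct
# users, very few attempts each, failing with result code 50126 (bad password).
# Thresholds are illustrative; tune them to your tenant's normal failure rate.

function Get-WindowStart {
    # Floor a timestamp to the start of its fixed-size window.
    param([datetime] $Time, [int] $Minutes)
    $span = [timespan]::FromMinutes($Minutes)
    return $Time.AddTicks(-($Time.Ticks % $span.Ticks))
}

function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,  # CreatedDateTime, UserPrincipalName, IPAddress, ErrorCode
        [int]    $WindowMinutes      = 60,
        [int]    $MinDistinctUsers   = 8,    # fewer looks like brute force or a typo storm
        [double] $MaxAttemptsPerUser = 2.0   # sprays stay low per user to dodge lockout
    )
    # 50126 is Entra ID's "invalid username or password" result code.
    $failed = @($SignIns | Where-Object { $_.ErrorCode -eq 50126 })

    foreach ($scope in 'SourceIP', 'TenantWide') {
        # Group failures by (source, window); the tenant-wide pass collapses all IPs
        # into one source so proxy-rotated sprays still produce one big group.
        $groups = $failed | Group-Object -Property {
            $src = if ($scope -eq 'SourceIP') { $_.IPAddress } else { '*' }
            '{0}|{1:o}' -f $src, (Get-WindowStart -Time ([datetime]$_.CreatedDateTime) -Minutes $WindowMinutes)
        }
        foreach ($g in $groups) {
            $users = @($g.Group.UserPrincipalName | Sort-Object -Unique)
            $ratio = $g.Count / $users.Count
            if ($users.Count -lt $MinDistinctUsers -or $ratio -gt $MaxAttemptsPerUser) { continue }
            $src, $window = $g.Name -split '\|', 2
            # A later success against a sprayed account from the same source is the
            # outcome that matters most: reset that account and review what it touched.
            $hits = @($SignIns | Where-Object {
                $_.ErrorCode -eq 0 -and $users -contains $_.UserPrincipalName -and
                ($scope -eq 'TenantWide' -or $_.IPAddress -eq $src) -and
                [datetime]$_.CreatedDateTime -ge [datetime]$window
            } | ForEach-Object UserPrincipalName | Sort-Object -Unique)
            [pscustomobject]@{
                Scope           = $scope
                Source          = $src
                WindowStart     = $window
                Attempts        = $g.Count
                DistinctUsers   = $users.Count
                AttemptsPerUser = [math]::Round($ratio, 2)
                ResetNow        = $hits
                TargetedUsers   = $users
            }
        }
    }
}

# Constructed sample records (not real tenant data): ten users, one wrong
# password each from a single IP over ten minutes, then one of them succeeds
# (the spray found a weak password on an account without MFA); plus one
# legitimate user mistyping three times from the office, which must not fire.
$sample = @(
    foreach ($i in 1..10) {
        [pscustomobject]@{ CreatedDateTime = ('2024-01-12T02:{0:d2}:00' -f $i)
                           UserPrincipalName = "user${i}@contoso.example"
                           IPAddress = '203.0.113.7'; ErrorCode = 50126 }
    }
    [pscustomobject]@{ CreatedDateTime = '2024-01-12T02:15:00'
                       UserPrincipalName = 'user7@contoso.example'
                       IPAddress = '203.0.113.7'; ErrorCode = 0 }
    foreach ($i in 1..3) {
        [pscustomobject]@{ CreatedDateTime = ('2024-01-12T09:0{0}:00' -f $i)
                           UserPrincipalName = 'alice@contoso.example'
                           IPAddress = '198.51.100.4'; ErrorCode = 50126 }
    }
)

# Expect two findings for the 02:00 window (SourceIP 203.0.113.7 and TenantWide),
# each with 10 attempts across 10 users and user7@contoso.example in ResetNow;
# alice's three failures stay below MinDistinctUsers and are not reported.
Find-PasswordSpray -SignIns $sample | Format-List
```

In production, feed the function the output of Get-MgAuditLogSignIn from the Microsoft.Graph.Reports module (projecting Status.ErrorCode into an ErrorCode field), or an exported sign-in log CSV. Keep the per-user ceiling low: raising MaxAttemptsPerUser to catch sloppier sprays also starts catching ordinary Monday-morning password forgetfulness across a large user base, so the tenant-wide pass in particular needs a threshold derived from your own baseline.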
A Broader Perspective
The incident underscores a vital cybersecurity lesson: like a tradesperson who takes pride in the craft and doesn't leave tools lying around a worksite, IT professionals must rigorously disable and remove unused accounts and applications, test ones included. These 'tools' left unattended can open doors for cyber threats, and a test tenant is no less a door than production when an application in it holds production permissions. Regularly updating software, disabling accounts no longer in use, and keeping a close eye on the privileges we grant are the equivalent of locking the doors, closing the windows, and not leaving the keys under the mat. Regular 'housekeeping' of our tech is absolutely crucial in protecting against cyber threats.