Strengthening federal defenses against nation-state email compromise in the wake of CISA’s emergency directive

CISA’s emergency directive follows the January breach of Microsoft corporate email accounts by Russian state-sponsored cyber actor Midnight Blizzard.

The Cybersecurity and Infrastructure Security Agency recently issued an emergency directive calling on federal agencies to take immediate action to reset compromised credentials in order to mitigate the risks posed by nation-state actors exploiting vulnerabilities to access Microsoft’s corporate email systems.

CISA’s emergency directive follows the January breach of Microsoft corporate email accounts by Russian state-sponsored cyber actor Midnight Blizzard (also known as Cozy Bear and APT29). During that attack, information was exfiltrated from the corporate email systems, including authentication details shared between Microsoft customers and Microsoft by email. Since the initial attack, the threat actor has been running an extended intrusion campaign to attempt to gain additional access to Microsoft customer systems. According to Microsoft, “Midnight Blizzard has increased the volume of some aspects of the intrusion campaign, such as password sprays, by as much as 10-fold,” presenting extremely high risk to all federal agencies whose email correspondence with Microsoft was identified as exfiltrated by Midnight Blizzard.

The directive, which is only applicable to affected agencies, requires all agencies whose emails have been identified as exfiltrated by Midnight Blizzard to analyze potentially affected emails and reset any compromised credentials. CISA and Microsoft have contacted all affected federal agencies whose emails have been identified as compromised thus far.

Midnight Blizzard’s ongoing attack on Microsoft: a timeline

  • Late November 2023: Midnight Blizzard leverages a password spray attack to successfully target a Microsoft Azure test tenant account that did not have multi-factor authentication (MFA) enabled. This account controlled an OAuth app that had been granted privileged access to the corporate environment, giving the attackers the ability to add secrets, authenticate as the privileged test application with elevated access to the corporate environment, and then execute commands. With this level of access, Midnight Blizzard was able to create a new malicious OAuth application, grant it the “full_access_as_app” Microsoft 365 Exchange Online permission for the corporate environment, and leverage this permission to access “a very small percentage of Microsoft corporate email accounts” (including the emails and attachments of senior leadership, cybersecurity, legal, and other functions within Microsoft).
  • January 12, 2024: The Microsoft security team detected a nation-state attack by Midnight Blizzard on their corporate systems.
  • February 2024: Microsoft detects a 10-fold increase in the volume of certain aspects of the Midnight Blizzard attack, including password sprays, compared to the already large volume seen in January.
  • March 2024: Microsoft sees evidence that Midnight Blizzard has been using information initially exfiltrated from their corporate email systems to gain, or attempt to gain, unauthorized access to some of the company’s source code repositories and internal systems.

After first hitting the headlines in 2020 with the SolarWinds hack, and with Hewlett Packard Enterprise recently revealing an intrusion campaign similar to the one experienced by Microsoft, Midnight Blizzard has become known for targeting individual accounts using password sprays and unpatched systems, then following a fairly typical pattern: hunting for privileged accounts that let them elevate privileges and move laterally to reach their targets within the network.

According to Microsoft, Midnight Blizzard’s ongoing attack “is characterized by a sustained, significant commitment of the threat actor’s resources, coordination and focus.” They believe the threat actors to be using the information they have obtained “to accumulate a picture of areas to attack and enhance [their] ability to do so.” It is also possible that, given that Microsoft has been shining a spotlight on Midnight Blizzard and several other nation-state threat actors, Midnight Blizzard has been harvesting information related to themselves during the attacks to understand what Microsoft knows about them so they can stay ahead in the battles to come.

This reflects an interesting level of sophistication among nation-state attackers.

Implications for federal agencies: Risks and challenges

As mentioned in the CISA emergency directive and subsequent press coverage, Microsoft found that some of the compromised emails potentially contained authentication details, such as usernames and passwords or authentication tokens. They also noted some of the compromised emails may have included authentication credentials that were shared as part of a troubleshooting ticket or as part of a code snippet shared between organizations to fix a bug.

According to the 2023 Verizon Data Breach Investigations Report, 86% of breaches involve stolen credentials, and web application attacks account for 25% of breaches (largely leveraging stolen credentials and vulnerabilities).

Employees routinely use applications that provide access to sensitive data. These enterprise application accounts may not be “privileged” in the traditional sense, but they can provide sensitive access that poses risk. Moreover, IT often lacks visibility into business accounts provisioned outside of single sign-on (SSO). This means that if a business account is hijacked, such as by cracking a weak password, a threat actor can gain the initial foothold they need, or execute lateral movement to advance their attack unnoticed.

When you consider these business account passwords are often shared and re-used across different applications — and even personal accounts — you begin to see how the attack surface expands. A threat actor can chain together an attack pathway with one set of compromised credentials that gives access to many accounts.

Standard operating procedure for malicious actors after gaining an account foothold in a targeted environment is to explore Entra ID (formerly Azure AD) for accounts and applications that hold privileged rights (add, modify, delete, create, etc.), using them to elevate access while avoiding the closely monitored domain administrator credentials during the reconnaissance phase of the attack. In the case of Microsoft and Midnight Blizzard, the account initially compromised wasn’t directly privileged but owned an OAuth app that was privileged. These indirect paths to privilege are often difficult to uncover without specific tooling.
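The ownership chain described above (a non-privileged account that owns an app registration, whose service principal holds a privileged application permission) can be enumerated from directory data. The script below is an added example written for this article, not code from the article or from BeyondTrust. It walks a constructed, simplified snapshot shaped like the Microsoft Graph objects involved (application registrations with owners, service principals with their granted application permissions); the object ids, display names, and the set of permissions treated as privileged are assumptions to adapt to a real tenant, where the data would come from the Graph API rather than inline dictionaries.

```python
"""Find indirect paths to privilege through OAuth app ownership in an Entra ID tenant.

Added example, not part of the original article or of any vendor tooling. The
input is a constructed snapshot loosely shaped like Graph's /applications
(with owners) and /servicePrincipals (with appRoleAssignments). No network
calls are made.
"""
from collections import deque

# Application permissions treated as privileged for this example (assumption:
# tune for your environment). full_access_as_app is the Exchange Online
# permission named in the article; the others are Graph permissions that let a
# holder create or empower further apps or rewrite the directory.
PRIVILEGED_PERMISSIONS = {
    "full_access_as_app",
    "Application.ReadWrite.All",
    "AppRoleAssignment.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
    "Directory.ReadWrite.All",
}

# Constructed snapshot. Ids and names are placeholders, not real tenant objects.
USERS = {
    "u-alice": {"upn": "alice@example.test", "directory_roles": ["Global Administrator"], "mfa": True},
    "u-test": {"upn": "legacy-test@example.test", "directory_roles": [], "mfa": False},
    "u-bob": {"upn": "bob@example.test", "directory_roles": [], "mfa": True},
}
APPLICATIONS = {  # app registration id -> owners (user ids or service principal ids)
    "app-legacy": {"displayName": "legacy test app", "owners": ["u-test"]},
    "app-mail": {"displayName": "mailbox sync", "owners": ["sp-legacy"]},
    "app-hr": {"displayName": "hr portal", "owners": ["u-bob"]},
}
SERVICE_PRINCIPALS = {  # sp id -> the app it instantiates and its granted application permissions
    "sp-legacy": {"appId": "app-legacy", "permissions": ["Application.ReadWrite.All"]},
    "sp-mail": {"appId": "app-mail", "permissions": ["full_access_as_app"]},
    "sp-hr": {"appId": "app-hr", "permissions": ["User.Read.All"]},
}


def _sp_for_app(app_id, sps):
    """Return the service principal id that instantiates app_id, if any."""
    for sp_id, sp in sps.items():
        if sp["appId"] == app_id:
            return sp_id
    return None


def find_privilege_paths(users=USERS, apps=APPLICATIONS, sps=SERVICE_PRINCIPALS):
    """Return one finding per (unprivileged user, reachable privileged permission).

    Edge semantics: an owner of an app registration can add a client secret to it
    and authenticate as its service principal, inheriting that principal's
    permissions; a service principal that itself owns another registration can
    repeat the step, so the search is a breadth-first walk over ownership edges.
    """
    findings = []
    for user_id, user in users.items():
        if user["directory_roles"]:
            continue  # directly privileged accounts are assumed to be monitored already
        queue = deque([(user_id, [user["upn"]])])
        seen = {user_id}
        while queue:
            principal, path = queue.popleft()
            for app_id, app in apps.items():
                if principal not in app["owners"]:
                    continue
                sp_id = _sp_for_app(app_id, sps)
                if sp_id is None or sp_id in seen:
                    continue
                seen.add(sp_id)
                sp_path = path + [f"owns '{app['displayName']}'", f"acts as {sp_id}"]
                for perm in sps[sp_id]["permissions"]:
                    if perm in PRIVILEGED_PERMISSIONS:
                        findings.append({
                            "user": user["upn"],
                            # an MFA-less owner makes the path cheaper to exploit
                            "severity": "high" if not user["mfa"] else "medium",
                            "permission": perm,
                            "path": sp_path,
                        })
                queue.append((sp_id, sp_path))
    return findings


if __name__ == "__main__":
    for f in find_privilege_paths():
        print(f"[{f['severity']}] {f['user']} -> {' -> '.join(f['path'])} -> {f['permission']}")
```

On the constructed data the walk reports two paths, both starting at the MFA-less test account: one hop to `Application.ReadWrite.All` through the legacy app, and a second hop to `full_access_as_app` because that app's service principal owns the mailbox-sync registration. Neither account nor app appears in a directory role report, which is the point of checking ownership edges rather than role membership alone.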

Implementing CISA’s recommendations

The CISA Emergency Directive requires agencies to:

  1. Analyze the content of exfiltrated emails — Perform a full cybersecurity impact analysis to determine the level of compromise and develop a full remediation strategy.
  2. Reset credentials that are known or suspected of compromise, including credentials in associated applications — Leverage password management tools that enable secure management of credentials and secrets (tokens, passwords, API keys), rapid onboarding of business application credentials, credential injection, automated password resets and credential rotation to ensure all access tokens, passwords, API keys, or other authentication credentials are secure.
  3. Deactivate associated applications that are no longer of use to the agency — Dormant or orphaned privileged accounts are a huge target for threat actors like Midnight Blizzard. Leverage tools that can help you gain visibility of all accounts and prioritize the deactivation of accounts and applications that are no longer in use to prevent them from becoming attack pathways.
  4. Take additional steps to ensure authentication tools for privileged Microsoft Azure accounts are secure — Leverage password management tools that can secure, manage and protect privileged Azure accounts and perform automatic rotation of credentials. Do accounts have entitlements in Azure that allow them to elevate their privilege? Invest in security tools that can help you visualize the paths to privilege in your environment, from overprivileged accounts to complex group memberships in Entra ID or Active Directory that allow for elevation of privilege or misconfigurations that make it easier for an attacker to move laterally or elevate privileges, and uncover potential compromise.
  5. Review sign-in, token issuance and other account activity logs for users and services whose credentials were suspected or observed as compromised for potential malicious activity — Monitor alerts and logs for insights that can help you differentiate an attacker from a legitimate login. Being able to recognize when accounts and identities are under attack can help you reduce lag time and shrink the blast radius of an incident.

Additional security recommendations:

  • Know where your identities exist and understand what privileges they have and what controls protect them — Every unmanaged account, excess privilege and uncontrolled access is an invitation for disaster. Gain a unified view of your identities and risks across your entire identity landscape.
  • Enforce password complexity and uniqueness for every internet-based resource — Enterprise password management solutions should be implemented to ensure password hygiene best practices are enforced at scale for human and machine accounts.
  • Require multi-factor authentication (MFA) — The attack on Microsoft proves that single-factor authentication is not enough. Phishing-resistant MFA implementations, such as FIDO2, should be used where possible.
  • Adhere to the principle of least privilege — A strong least privilege posture restricts access rights for users, accounts and computing processes to only those resources absolutely required to perform routine, authorized activities. This can reduce the chance of compromise and, during a breach, limit opportunities for lateral movement and exposure beyond a point of compromise.
  • Implement identity threat detection and response (ITDR) — ITDR can help proactively mitigate poor identity security controls and rapidly detect and respond to attacks. It can also isolate events that can occur when an identity provider solution allows authentication without MFA, or instances when dormant activity occurs on a system that isn’t normally used by an identity.
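Step 5 of the directive (reviewing sign-in and token activity for compromised accounts) and the ITDR recommendation above both come down to recognising a handful of patterns in the sign-in log: a source that fails once against many accounts, that same source later succeeding, a sign-in that completed without MFA, and activity on an account that has been idle for months. The script below is an added example written for this article, not code from the article or from BeyondTrust. Its records are constructed and only loosely shaped like Microsoft Entra sign-in log entries; the field names, the thresholds, and the last-seen baseline are assumptions to tune against a real export.

```python
"""Triage sign-in records for password sprays, spray-source success, MFA-less
authentication, and dormant-account activity.

Added example, not code from the original article or from any vendor. Records
are constructed (IP addresses are from documentation ranges) and shaped loosely
like Entra sign-in log entries. Error code 50126 is Entra's "invalid username
or password" result; an errorCode of 0 is a successful sign-in.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SPRAY_MIN_USERS = 5            # distinct accounts one source must fail against (assumption)
SPRAY_WINDOW = timedelta(minutes=30)
DORMANT_DAYS = 90              # no successful sign-in for this long means dormant (assumption)


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _rec(upn, ip, when, code, req="singleFactorAuthentication"):
    return {"userPrincipalName": upn, "ipAddress": ip, "createdDateTime": when,
            "status": {"errorCode": code}, "authenticationRequirement": req}


# Constructed baseline: last known successful sign-in per account.
LAST_SEEN = {
    "alice@example.test": "2024-04-01T09:00:00Z",
    "bob@example.test": "2024-04-02T09:00:00Z",
    "legacy-test@example.test": "2023-11-01T09:00:00Z",   # idle for months
}

# Constructed sign-in records for one morning.
SIGN_INS = (
    # one source fails once each against six accounts within a few minutes: a spray
    [_rec(f"user{i}@example.test", "203.0.113.7", f"2024-04-03T10:0{i}:00Z", 50126) for i in range(6)]
    + [
        # the same source then succeeds against an account with no MFA requirement
        _rec("legacy-test@example.test", "203.0.113.7", "2024-04-03T10:20:00Z", 0),
        # an ordinary user mistypes once, then completes MFA from her usual address
        _rec("alice@example.test", "198.51.100.4", "2024-04-03T08:00:00Z", 50126),
        _rec("alice@example.test", "198.51.100.4", "2024-04-03T08:01:00Z", 0, "multiFactorAuthentication"),
        _rec("bob@example.test", "198.51.100.9", "2024-04-03T08:30:00Z", 0, "multiFactorAuthentication"),
    ]
)


def detect_password_sprays(records):
    """Return {ip: sorted distinct accounts} for sources whose failed sign-ins hit
    at least SPRAY_MIN_USERS distinct accounts inside any SPRAY_WINDOW."""
    fails = defaultdict(list)
    for r in records:
        if r["status"]["errorCode"] == 50126:
            fails[r["ipAddress"]].append((_ts(r["createdDateTime"]), r["userPrincipalName"]))
    sprays = {}
    for ip, events in fails.items():
        events.sort()
        for i, (t0, _) in enumerate(events):           # sliding window from each failure
            users = {u for t, u in events[i:] if t - t0 <= SPRAY_WINDOW}
            if len(users) >= SPRAY_MIN_USERS:
                sprays[ip] = sorted(users)
                break
    return sprays


def triage(records, last_seen=LAST_SEEN):
    """Return (severity, rule, account or None, detail) tuples for review."""
    findings = []
    sprays = detect_password_sprays(records)
    for ip, users in sprays.items():
        findings.append(("medium", "password_spray", None, f"{ip} failed against {len(users)} accounts"))
    for r in records:
        if r["status"]["errorCode"] != 0:
            continue                                     # only successful sign-ins below
        upn, ip, when = r["userPrincipalName"], r["ipAddress"], _ts(r["createdDateTime"])
        if ip in sprays:                                 # a spray source that got in
            findings.append(("high", "spray_source_success", upn, ip))
        if r["authenticationRequirement"] != "multiFactorAuthentication":
            findings.append(("medium", "no_mfa", upn, ip))
        prev = last_seen.get(upn)
        if prev and when - _ts(prev) > timedelta(days=DORMANT_DAYS):
            findings.append(("high", "dormant_account_active", upn, f"idle since {prev}"))
    return findings


if __name__ == "__main__":
    for sev, rule, upn, detail in triage(SIGN_INS):
        print(f"[{sev}] {rule}: {upn or '-'} ({detail})")
```

On the constructed data, Alice's single failed attempt followed by an MFA success from her usual address produces nothing, while the test account collects three findings (spray source succeeded, no MFA, dormant account active) on top of the spray itself. Correlating the success with the earlier failures from the same source is what separates the attacker's login from Alice's typo.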

Michael Saintcross is the U.S. federal team leader at BeyondTrust.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
