Even Microsoft executives had their passwords hacked away

No one is immune from cybersecurity attacks, it seems. Just days ago, several senior Microsoft executives fell victim to a “password spray attack” coming from Russia. Did the company downplay how serious this was? And did it fail to use some basic best practices? For analysis, the Federal Drive with Tom Temin spoke with an expert at Stanford University, cyber analyst and former White House Senior Director for Cyber Policy, AJ Grotto.

Interview Transcript: 

Tom Temin And just review what happened here. What is a spray, a tactic? And what happened to the Microsoft execs?

AJ Grotto A password spray attack is when a threat adversary tries the same password across many accounts. So, it’s an attempt to guess a password. And in this case, they guessed right and were able to break into this legacy non-production test tenant account, which is essentially a test environment and were then able to use that account to get access to email accounts that belonged to senior executives and employees working in Microsoft’s security and legal teams.

Tom Temin And what kind of a password would you need to be immune from a spray attack? Because if you use those generated suggested passwords, a lot of programs have, you know, they’re 15 characters, totally random.

AJ Grotto Yeah, this this probably wasn’t a very complex password. The other factor here is there was no multi-factor authentication. I mean, you’re using that sort of second means of logging in the text message or the authentication app, which is a security no, no these days.

Tom Temin But, I mean, a simple password can be found by a spray attack. What types of passwords cannot find, like where you go around the perimeter of the keyboard, or your name and birthday, that kind of thing.

AJ Grotto That kind of stuff. Yeah. Password one. Admin one. You know, not very complex passwords. Passwords that have, you know, known words in them English words. And it’s another. No, no. And, a complex password probably would have, would have gone a long way towards preventing this from happening.

Tom Temin Right. So, these are programs that generate these types of things. Are they context based. That is okay. This is Microsoft. We know the person’s name. And from public records you can get birthdays and stuff. Could it be that they designed the passwords for this particular spree attack iteration.

AJ Grotto It’s possible. We don’t we don’t know. You know, there’s still, details about the attack that that Microsoft hasn’t released yet. And I suspect we’ll learn more in the coming weeks as, as details begin to emerge about what happened and, frankly, what other companies, what other victims may have been affected by the same threat actor.

Tom Temin You have looked at this in some detail and we know we can attribute the source of the attack to. Correct?

AJ Grotto Yeah, this this was a, you know, Russian, Russian intelligence, to be clear. You know, Microsoft was a victim here that said this attack was like parking your car in a rough neighborhood, leaving, your door unlocked and your valuables in plain sight. This kind of, of, of episodes should not happen, especially for a company that that that touts its security bona fides the way Microsoft does.

Tom Temin Right. I was going to say, what are the learnings here? Because a lot of companies are probably looking at this and saying, well, how are my passwords?

AJ Grotto Well, you know, one learning is use complex passwords. The other is use multi-factor authentication. And this is the latest in a string of security problems at Microsoft. And in 2021, 30,000 organizations email servers were hacked due to a Microsoft Exchange server flaw. Last year, Chinese hackers breached, US government emails via a Microsoft cloud exploit. Three years ago, it was the center of the SolarWinds attack, which was actually carried out by the same threat actor that that got Microsoft in this recent episode.

Tom Temin And now you have the federal government, in some cases, in large numbers of people are using and lots of agencies are using Microsoft 365 cloud for the basic collaboration tools office, if you will, that everyone has. And therefore, they’re not in your own all of the data and all of the applications are not in the federal servers anymore. They’re in Microsoft servers. How should agencies think about this?

AJ Grotto Microsoft has, something like 85% of the market for the federal government’s productivity software, which is to say it has a stranglehold on that market.

Tom Temin Well, the government bought it by choice, we should say.

AJ Grotto Yeah. Yeah. No, I mean, and although, you know, I would argue that the government is also locked in. Right. Because Microsoft makes it difficult to switch their switching costs that make it not a straightforward proposition to, to shift to a new vendor that the way you might, you know, sell a car and buy a new car. So, I’m still a big believer in cloud. You know, there are security benefits. There are cost benefits. There are efficiency benefits. And so, the answer here is not for organizations, federal government or otherwise to move away from the cloud. It’s to support more competition in the marketplace for cloud services, so that customers can vote with their, their dollars and switch providers if they’re not happy with the service they’re getting from their incumbent, provider.

Tom Temin We’re speaking with AJ Grotto. He’s senior director of the program on Geopolitics, technology and governance at Stanford University and a former White House senior director for cyber policy. And getting back to the cyber question here with Microsoft, when you have cloud hosted type of things like this, each one of your people has an account with their name on it and a password. And if the agency chooses to have multifactor, then that’s what they have. Are these like bathrooms and small houses where there might be a door on either end, and therefore there’s a back door through Microsoft into clients’ accounts? Just as much as there was a front door through the client.

AJ Grotto Well, these, you know, these security problems at Microsoft’s corporate headquarters do speak to a risk there. I mentioned the SolarWinds attack from three years ago. You know, Microsoft products were at the center of that attack. And also, Microsoft itself was compromised by the Russian threat actor. We have we have a similar situation here where a Russian threat actor has been able to get inside of Microsoft systems. In this case, the running theory is that the threat actor was looking to understand what Microsoft understood about it, Microsoft’s own research into this particular threat actor, and the fact that the adversary was able to get that kind of access is worrisome. It’s because there’s more to the story here than I think just the password spray attack. The fact that the adversary was able to get access to email accounts that belong to senior executives. I’m not sure how that’s possible, unless this particular test account was the system that the threat actors compromised, had administrator privileges that allowed it to grant access. That’s also a big no no. There’s a basic security principle called the least privilege principle. And basically, it means you give a system access to only the information or resources it needs to fulfill its purpose. Giving this account administrator privileges would seem to violate the least privilege principle.

Tom Temin Right in a smart executive, say in finance, probably would say, don’t give me access. Make sure my account can’t get to certain places because that’s how you have deniability and safety.

AJ Grotto Right. What we’ve learned so far from public disclosures by Microsoft is or at least two problems here. You’ve got the password problems as well as this. The second question of how the adversary was then able to swim around Microsoft’s networks and getting gain access to these executives’ emails.

Tom Temin Right. So, my question then is if whether through phishing or through a password spray, a hacker can get the corporate account information of the cloud supplier, can it also use that means to get to the information of the clients of the cloud?

AJ Grotto It’s possible. Cloud companies obviously, you know, have a really strong incentive to prevent that from happening. But I think, you know, we see these incidents going after call it the Fort Knox of cloud, Microsoft. You know, if you can get break into Fort Knox, you’ve also got access to, to all the riches that are stored inside. And so that that is that is a major concern. And I think Microsoft has some explaining to do still.

Tom Temin I suppose if you could get into a test environment or a development environment, you could do things to the products under development and other test also probably.

AJ Grotto Yeah, you could. There was actually another vulnerability announced about a development environment in Microsoft Azure that that had a flaw that would allow adversaries to mess with code. If organizations had updated the software, they wouldn’t be exposed to this particular threat. But again, it speaks to, the continued risk that poor security practices can post organizations.

Tom Temin And should Google and Amazon and their cloud operations fold their hands in satisfaction here or not?

AJ Grotto Well, no. I mean, look, I to me as I come back to the competition, a point what we need is more competition. And that means that, you know, Amazon and Google ought to beat Microsoft on security. These episodes point to a real vulnerability in Microsoft when it comes to security.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories