Microsoft said today that it was hacked by a “Russian state-sponsored actor” known as Midnight Blizzard, also known as Nobelium. This is the same group of hackers suspected to be responsible for the major SolarWinds supply chain hack that occurred in 2020.
“Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents,” Microsoft wrote.
“The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself. We are in the process of notifying employees whose email was accessed.”
Microsoft didn’t elaborate on what information Midnight Blizzard/Nobelium may have been looking for, but there is a long history between the two. In 2021, following the SolarWinds hack, Microsoft posted a four-part blog/video series on the group that “pulls the curtain back on the NOBELIUM incident and how world-class threat hunters from Microsoft and across the industry came together to take on the most sophisticated nation-state attack in history.”
Microsoft has also taken an active role in combating Russian cyberattacks against Ukraine.
“Password spraying” is a brute force attack in which a hacker hits known valid usernames with common passwords in the hope that someone got lazy and used something like “1234.” Automated systems are often used to roll through a large number of passwords in a relatively short period of time, and it is tough to defend against because it does not exploit vulnerabilities in systems, but in users.
From the website of online security company LoginRadius:
Hackers can go after specific users and cycle through as many passwords as possible from either a dictionary or an edited list of common passwords. Password spraying is not a targeted attack; it is just one malicious actor acquiring a list of email accounts or gaining access to an active directory and attempting to log in to all of the accounts using a list of the most likely, popular, or common passwords until they get a hit.
The key takeaway from password spraying is that user accounts with old or common passwords form the weak link hackers can exploit to gain access to the network. Unfortunately, password spraying attacks are frequently successful because so many account users fail to follow the best password security practices or choose convenience over security.
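As an added defensive illustration (not from the article, Microsoft, or LoginRadius), the following Python flags the spray pattern in a constructed set of sign-in records: one source failing against many distinct accounts with only one or two tries each, which per-account lockout thresholds never trip, plus any success from that source inside the same window. The log format, thresholds and addresses are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real data). Fields: time, result, user, source IP.
# 203.0.113.7 sprays one guess across many accounts; 198.51.100.9 hammers one account.
SAMPLE_LOG = """\
2023-11-28T02:00:01Z FAIL alice@example.com 203.0.113.7
2023-11-28T02:00:03Z FAIL bob@example.com 203.0.113.7
2023-11-28T02:00:05Z FAIL carol@example.com 203.0.113.7
2023-11-28T02:00:07Z FAIL dave@example.com 203.0.113.7
2023-11-28T02:00:09Z FAIL erin@example.com 203.0.113.7
2023-11-28T02:00:11Z OK   frank@example.com 203.0.113.7
2023-11-28T02:01:00Z FAIL alice@example.com 198.51.100.9
2023-11-28T02:01:02Z FAIL alice@example.com 198.51.100.9
2023-11-28T02:01:04Z FAIL alice@example.com 198.51.100.9
2023-11-28T02:01:06Z FAIL alice@example.com 198.51.100.9
2023-11-28T02:05:00Z FAIL grace@example.com 192.0.2.44
"""

def parse(log_text):
    """Turn the constructed text log into (time, result, user, source) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, result, user, src = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, src))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {source: info} for sources whose failures are spread thinly over many accounts.

    A classic brute force (many tries, one account) is deliberately NOT matched here, since
    per-account lockout already covers it; spraying is many accounts, few tries each."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [e for e in evs if e[1] == "FAIL"]
        for i, (start, _, _, _) in enumerate(fails):
            per_user = defaultdict(int)       # failures per account inside this window
            for t, _, user, _ in fails[i:]:
                if t - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                # Any success from the same source in the window is a likely compromise.
                hits = sorted({u for t, r, u, _ in evs if r == "OK" and start <= t <= start + window})
                alerts[src] = {"accounts_tried": len(per_user), "successes": hits}
                break
    return alerts
```

The sample flags 203.0.113.7 (five accounts, one try each, then a success on frank@example.com) and ignores 198.51.100.9, whose four failures against a single account are a lockout-style brute force rather than a spray.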
Microsoft said essentially the same thing, noting that the attack “was not the result of a vulnerability in Microsoft products or services.” There is currently no evidence that hackers gained access to “customer environments, production systems, source code, or AI systems,” and it will notify customers if and when any further action is required.
Even if that is the case, the hack will have an impact: Microsoft said the proliferation of state-sponsored hackers has forced it to reassess “the balance we need to strike between security and business risk,” and that it will immediately apply “current security standards to Microsoft-owned legacy systems and internal business processes.”
“This will likely cause some level of disruption while we adapt to this new reality, but this is a necessary step, and only the first of several we will be taking to embrace this philosophy.”
Microsoft has been at the center of numerous major hacks in recent years. In 2021, the US and other NATO nations accused China of sponsoring Microsoft Exchange Server hacks, and in 2022 a Lapsus$ attack resulted in the theft of Bing and Cortana source code. In 2023, its Azure platform was breached by a Chinese hacking group that was able to gain access to user email accounts; that led Tenable chairman and CEO Amit Yoran to accuse the company of a “repeated pattern of negligent cybersecurity practices, which has enabled Chinese espionage against the United States government.”