Microsoft disclosed it was also victimized by cyberespionage criminals who abused OAuth applications to access protected corporate accounts. The tech giant had previously warned of ongoing attacks by advanced persistent threat group with ties to Russia.
Now Microsoft has revealed some of the technical details and the extent of the attack against its own implementation of the OAuth credential management platform in an effort to help other organizations "protect, detect, and respond to similar threats."
In a Jan. 25 post, elaborating on the OAuth attacks against its own senior executives, Microsoft’s threat intelligence team said APT29 (aka Cozy Bear, Midnight Blizzard or Nobelium) attackers were adept at abusing apps that used the popular OAuth token-based authentication and authorizations open standard.
"Microsoft was able to identify these attacks in log data by reviewing Exchange Web Services (EWS) activity and using our audit logging features, combined with our extensive knowledge of Midnight Blizzard," according to last week's post.
Hackers initially breached a Microsoft test tenant account and a legacy test OAuth application. That application had elevated access to Microsoft’s corporate environment and allowed adversaries to create additional malicious OAuth applications.
“They created a new user account to grant consent in the Microsoft corporate environment to the actor controlled malicious OAuth applications,” the company said in its Jan. 25 post.
“The threat actor then used the legacy test OAuth application to grant them the Office 365 Exchange Online 'full_access_as_app role', which allows access to mailboxes," researchers wrote.
Hardening your OAuth attack surface
Hiding its tracks was core to Midnight Blizzard or APT29's ongoing success.
"As part of their multiple attempts to obfuscate the source of their attack, Midnight Blizzard used residential proxy networks, routing their traffic through a vast number of IP addresses that are also used by legitimate users, to interact with the compromised tenant and, subsequently, with Exchange Online," researchers wrote.
The abuse of residential proxies isn't new by adversaries, Microsoft points out. It's a technique that "makes traditional indicators of compromise (IOC)-based detection infeasible due to the high changeover rate of IP addresses," researchers said.
"Residential proxies allow you to choose a specific location (country, city, or mobile carrier) and surf the web as a real user in that area," according to John McHenry, data analyst and founder of Proxyplus.cz. In a Bright Proxies definition, McHenry explains that these types of proxies "can be defined as intermediaries that protect users from general web traffic. They act as buffers while also concealing your IP address. Proxies are alternative IP addresses assigned to users by the provider."
Microsoft said "due to the heavy use of proxy infrastructure with a high changeover rate, searching for traditional IOCs, such as infrastructure IP addresses, is not sufficient to detect this type of Midnight Blizzard activity."
Microsoft recommends a number of auditing and detection techniques to mitigate this type of OAuth-based attacks. They include:
- Identify malicious OAuth apps using anomaly detection policies.
- Implement conditional access app control for users connecting from unmanaged devices.
- Auditing accounts with privilege access
- Auditing identities that hold ApplicationImpersonation privileges in Exchange Online
Previous warnings of OAuth attacks
In a Dec. 12 post last year, Microsoft Threat Intelligence warned malicious actors were abusing OAuth apps to carry out financially motivated attacks. Microsoft warned threat actors were using password spray-and-pray style attacks to compromise a legacy, non-production test tenant account that did not have multifactor authentication (MFA) enabled.
Next, in a technical post published earlier this month Microsoft upped its warnings and attributed attacks to APT29 stating the group was targeting OAuth applications to hack into executive accounts. At the time, Microsoft revealed hackers stole emails from members of its own senior leadership team, along with employees with roles in cybersecurity, legal, and other parts of the organization.
Microsoft said the breached accounts were discovered on Jan. 12.
Coincidence or victim?
In its Jan. 25 post, Microsoft's threat intelligence team said the information gained from the investigation into APT29’s attack on Microsoft identified the gang had also targeted other organizations, who it did not name.
Hewlett Packard Enterprise (HPE) disclosed last week its Microsoft 365 email environment was infiltrated by APT29 last year. HPE did not explain how the breach occurred and it is not known whether the attack was one of those the Microsoft researchers were referring to in their post.
HPE said it “was notified” of the breach on Dec. 12 (the same Microsoft published its OAuth post) but when asked by media who the notification came from, it declined to say.
Security researcher and former Microsoft employee Kevin Beaumont said in a LinkedIn post he expected organizations would continue to suffer Microsoft 365 breaches. While there were “a whole range of strategic things MS need to do to uplift security,” he believed they could be achieved.
“I’m actually really confident Microsoft can get on top of this and do the right things, and it’s an exciting time for them as they can spend a few years changing course to get their own house in order,” Beaumont said. “If they do, society will benefit as it will flow to things like less ransomware incidents elsewhere too. If they don’t, it’s a dark path.”
“Implementing security practices that strengthen account credentials such as enabling MFA reduces the chance of attack dramatically,” the researchers said.