CISO Executive Briefing: April 2024

Welcome to the April 2024 executive briefing, exclusive to clients with the TSG Cyber Control service.

These briefings aim to provide concise, essential information including real-world examples of cyber-attacks that we have seen in the market. Our hope is that by sharing this information we can help you and your business stay informed and be prepared.

Unravelling Midnight Blizzard’s Attack on Microsoft

A Russian state-sponsored actor recently targeted one of Microsoft’s test M365 tenants. The attackers gained access to accounts that had weak passwords and lacked two-factor authentication, enabling them to access sensitive emails and documents for over two months.

TSG has seen an increase in similar attacks within our clientele, highlighting the urgency for pragmatic security practices. To mitigate such risks, we advise our clients to enforce stronger account use policies through:

  • Enforcing multi-factor authentication (MFA) through conditional access policies
  • Implementing stronger passwords

How was the attack initiated?

The Russian adversary group used a password brute-force attack (using automated means to repeatedly try passwords from a huge list until one is correct) against a number of users in a test Microsoft M365 tenant. After gaining access, the attackers took advantage of the compromised account’s permissions to access a portion of Microsoft’s corporate email accounts, including senior leadership emails and key departments like cyber security and legal. Over two months, the attackers exfiltrated emails and attached documents without detection, revealing significant security gaps.

How does this impact your business?

Although Azure and M365 products remain secure, this incident at Microsoft, a highly secure organisation, underscores that cyber-attacks spare no one and highlights the critical need for strong security controls around your systems and data. Small and medium-sized businesses are particularly vulnerable, as they often have valuable data without a dedicated cyber security team protecting it. It’s crucial to recognise that the tools, techniques and strategies used against Microsoft by Russian state-sponsored hackers are also used by attackers against SMEs. We must apply the lessons from such high-profile breaches to protect our operations.

Recently, TSG has observed a worrying rise in similar attacks within the SME space. In the last month we have worked on remediation for three customers that have suffered breaches leading to unauthorised access to email accounts. This is in addition to dozens of accounts where we see evidence of failed malicious login attempts daily. These incidents, though smaller in scale than Microsoft’s, exploited similar vulnerabilities, underscoring the importance of multi-factor authentication and robust password security.

What can you do to protect your business from this type of attack?

At TSG, we are committed to helping you strengthen your defences by offering tailored security solutions and training designed to address these exact challenges. We need to learn the strategies that attackers are using. These are the controls that Microsoft put in place, which are identical to the recommendations of TSG:

  1. Strong Password Policies: Adopt password policies in line with National Cyber Security Centre (NCSC) guidelines, which, amongst other things, advocate for long, unique passphrases. Implement account lockout policies that temporarily lock an account after several failed login attempts. This helps prevent attackers from successfully using common passwords repeatedly to gain unauthorised access.
  2. Conditional Access Policies: These policies help protect your business by controlling who can log in, from where and from what device. They set rules that block logins from locations that are unusual for your business operations or from devices that do not meet your security standards. Additionally, these policies can enforce MFA for all logins. Microsoft reports that just by implementing MFA, you can decrease the risk of account takeovers by over 99%. Inspired by this data, Microsoft is advancing towards the goal of achieving 100% MFA adoption through compulsory implementation of comprehensive CA policies. This approach helps reduce the risk of unauthorised access by ensuring only legitimate users with secure devices can access sensitive information.
  3. User Awareness Training: Keep your team informed and vigilant about cyber security through regular training sessions and updates on the latest security threats and best practices. TSG offers free online training as part of the cyber control service, which can be found at the TSG Academy.
  4. Penetration Testing: A pen test identifies a system’s security vulnerabilities before an attacker can exploit them. It involves simulating cyber-attacks under controlled conditions to test the effectiveness of security measures.
  5. Security Operation Centre (SOC) / Managed Detection and Response (MDR): Consider a SOC/MDR solution to monitor your digital assets. These solutions use advanced technology to actively hunt for threats and respond immediately if something suspicious is found. This includes figuring out what’s wrong, stopping the attack from causing harm, and fixing any damage.
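
An added example, not part of the original briefing or TSG's tooling: a short Python review of sign-in events that applies items 1, 2 and 5 above, flagging accounts that reach a lockout threshold, sign in without MFA, or sign in right after a burst of failures. The event layout, sample records, threshold and window are constructed assumptions, not the schema or defaults of any product.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). The layout
# (time, user, source IP, result, MFA satisfied) is an assumption for this example.
EVENTS = [
    ("2024-04-02T09:00:05", "test.user@example.com", "203.0.113.10", "fail", False),
    ("2024-04-02T09:00:20", "test.user@example.com", "203.0.113.10", "fail", False),
    ("2024-04-02T09:00:35", "test.user@example.com", "203.0.113.11", "fail", False),
    ("2024-04-02T09:00:50", "test.user@example.com", "203.0.113.11", "fail", False),
    ("2024-04-02T09:01:05", "test.user@example.com", "203.0.113.12", "fail", False),
    ("2024-04-02T09:01:20", "test.user@example.com", "203.0.113.12", "fail", False),
    ("2024-04-02T09:02:00", "test.user@example.com", "203.0.113.12", "success", False),
    ("2024-04-02T09:10:00", "finance@example.com", "198.51.100.7", "fail", False),
    ("2024-04-02T09:10:30", "finance@example.com", "198.51.100.7", "success", True),
    ("2024-04-02T11:00:00", "legacy.app@example.com", "198.51.100.9", "success", False),
]

FAIL_THRESHOLD = 5               # assumed lockout threshold
WINDOW = timedelta(minutes=10)   # assumed observation window


def review_sign_ins(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {user: set of findings} for accounts needing attention."""
    recent_fails = defaultdict(list)
    findings = defaultdict(set)
    for ts, user, _ip, result, mfa in sorted(events):
        when = datetime.fromisoformat(ts)
        # Keep only this user's failures that are still inside the window.
        fails = [t for t in recent_fails[user] if when - t <= window]
        if result == "fail":
            fails.append(when)
            if len(fails) >= threshold:
                findings[user].add("lockout_threshold_reached")
        elif not mfa:
            findings[user].add("success_without_mfa")
            if len(fails) >= threshold:
                findings[user].add("success_after_failed_burst")
        recent_fails[user] = fails
    return dict(findings)


if __name__ == "__main__":
    for user, found in review_sign_ins(EVENTS).items():
        print(user, sorted(found))
```

An account carrying all three findings is the pattern described in this briefing: repeated guesses, then a successful sign-in with a password alone.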

Conclusion

The recent cyber security breach at Microsoft by the group Midnight Blizzard is a stark reminder that no organisation, big or small, is immune to cyber threats. This incident involved simple yet effective techniques leading to unauthorised access to sensitive information. Just like Microsoft, your business could be targeted with relatively simple, yet brutally effective techniques leading to a significant impact on day-to-day operations, reputation and finances.

This makes it crucial to strengthen your defences, and we recommend implementing the few effective controls outlined above to drastically reduce the likelihood that you will become a victim of one of these breaches.

At TSG, we are committed to helping you implement these strategies effectively. By taking immediate action and leveraging our expertise, you can ensure your business remains secure from sophisticated cyber threats. Secure your operations now and maintain the trust of your clients and partners by being proactive about cyber security. Don’t hesitate to reach out for tailored solutions that address your specific security needs.

Finally, don’t forget that earlier this month we went live with the TSG Cyber Controls Training, featuring 8 high-quality and easy-to-digest modules that help improve your business’s understanding of cyber security and what staff can do to help keep your business secure. The service can be accessed from the TSG Academy (https://tsg.academy).

Topics for this quarter include:

    • Understanding Cyber Security
    • Managing and Evaluating Business Risk
    • Understanding Cyber Security Controls
    • Understanding Cyber Security Threats
    • Business Continuity and Disaster Recovery
    • Multi Factor Authentication Best Practices
    • Supply Chain and the intersection of Cyber Security
    • Cyber Security Best Practices

How to access TSG Academy

Access is available to everyone in your organisation and you can sign up at https://tsg.academy

If you’re already a member of TSG Academy:

  • Log in as normal and you will see a button that says TSG Cyber. You will be able to access the material from there.

Meet the TSG Cyber team

Sanjeev Malhotra

Sanjeev leads TSG’s cyber security consulting function, helping clients develop strong cyber strategies and internal security measures. With a background in technology, Sanjeev has experience in cyber security, professional services, and risk management. He helps TSG to deliver the company’s clear vision, strategic approach, and strong client relationships, and TSG’s commitment to being a trusted advisor to its clients.

Mike Tudor

Mike Tudor is a Security Solutions Architect here at TSG. His role is to drive the design and development of our security offerings, working closely with internal teams to deliver the best security solution for our clients.

Kellie Stockham-Vasey

Kellie is a seasoned professional in the cyber security and business continuity consulting field, having gained expertise in governance, risk, and compliance through her successful tenure at a consulting firm. She has a strong background in working with diverse clients to enhance their security and regulatory measures. Kellie has facilitated events and workshops for the Australian government, promoting collaboration and information sharing among key stakeholders. Her deep understanding of risk management enables organisations to identify, assess, and mitigate threats effectively, making her a trusted resource for a wide range of industries seeking to strengthen their security measures.

Zoe Mackenzie

Zoe is an Information Security Manager at TSG. Prior to working with TSG, she held a variety of roles in IT managed services and global FTSE organisations, gaining experience in security governance and risk management. Zoe brings with her expertise in business security compliance and resilience; however, she will always steer away from solely compliance-focused goals. Instead, she sets up organisations for success by advising on security objectives in relation to business needs, balanced with risk and explained without using technical jargon.
