Posted: Saturday, February 10, 2024

Word Count: 3303

Reading Time: 15 minutes


TL;DR Summary
  • Microsoft’s Disclosure: Microsoft reports breach by the hacking group APT29.
  • Breach Details: APT29 compromised a test tenant account, abused OAuth applications to reach corporate mailboxes, and exfiltrated a small fraction of Microsoft corporate emails.
  • Microsoft’s Security Stance: No customer data or critical systems were compromised.
  • Microsoft’s Recommendations: Identify malicious apps, implement app access control, and audit accounts.
  • Additional Security Enhancements: Isolate environments, secure break glass accounts, employ strong authentication practices, and secure password vaults.

Introduction

On December 12th, 2023, Microsoft posted a blog warning of threat actors’ misuse of OAuth applications as a method to automate attacks. The blog describes a group known as APT29 leveraging the technique to gain access to financial organizations. The digital deviants compromise user accounts in order to modify the privileges of OAuth applications, then leverage those applications to hide their malicious activity. A month later, Microsoft fell victim to a similar exploit.

Now Microsoft isn’t some small bit player in the security space. In fact, many personal and corporate-owned assets rely on the security services Microsoft offers to protect them from evildoers. It would make sense to assume that Microsoft leverages the same security solutions to protect themselves.

It also seems like IT security is an exercise in futility when an organization such as Microsoft is breached. I mean, they’re in the business of security, and if they can be a victim, then certainly an organization focused on making sausage is done for, right? Well, not exactly.

Let’s discuss what happened at Microsoft, and how certain measures will prevent this from happening within your organization.

Who is APT29?

APT29 is a highly sophisticated and well-resourced cyberespionage group believed to be associated with the Russian government, specifically the Russian Foreign Intelligence Service (SVR). This group has been active since at least 2008 and is known for its advanced persistent threat (APT) activities, hence the name APT29.

They gained notoriety for their involvement in several high-profile cyber espionage campaigns, particularly their role in the 2016 breach of the Democratic National Committee (DNC). They are also linked to the infamous SolarWinds attack in 2020, a sophisticated supply chain attack that compromised numerous US government agencies and private companies.

Many Names, A Single Entity

APT29 has several aliases that you may have come across in the past. Each alias relates either to the group’s origin or to the sophisticated characteristics of its campaigns. APT29 is essentially a master classification for what Western intelligence believes to be a single large, sophisticated entity.

APT29 Aliases and Origins

Alias | Origin/Description
Cozy Bear | Reflects the group’s perceived Russian origin (‘Bear’) and their stealthy, sophisticated nature (‘Cozy’).
The Dukes | Used to refer to the series of malware campaigns and phishing operations associated with APT29. Highlights their focus on long-term intelligence gathering.
Nobelium | Named by cybersecurity researchers, particularly highlighted in the context of the sophisticated SolarWinds supply chain attack.
Midnight Blizzard | Emerged during the reports of the Microsoft breach. Implies the stealth and sophistication of the group’s cyber operations.

APT29 is widely recognized by Western intelligence agencies and various cybersecurity firms as a Russian state-sponsored cyberespionage group. The group has been linked to the Russian Foreign Intelligence Service (SVR) based on multiple pieces of evidence, including hacked security camera footage analyzed by the Dutch intelligence service AIVD. This connection is further supported by assessments from security intelligence firms like CrowdStrike, which attribute APT29’s activities to either the SVR or Russia’s Federal Security Service (FSB).

The Microsoft Story

The breach dates back to late November 2023. The attackers utilized a password spray technique to compromise a legacy, non-production test tenant account.

Access to the test tenant led to the compromise of a legacy test OAuth application with elevated access within Microsoft’s environment. This allowed the attackers to create and authorize additional malicious OAuth applications, granting them extensive access to mailboxes through the Office 365 Exchange Online ‘full_access_as_app’ role. APT29’s use of residential proxy networks to hide their activities complicates the detection of such intrusions.

The breach led to the exfiltration of a small fraction of Microsoft’s corporate email accounts, including those of senior leadership and employees in cybersecurity, legal, and other departments. According to Microsoft, APT29 seemed to be acutely interested in information related to themselves. Microsoft has emphasized that this incident did not result from vulnerabilities in their products or services and assured that there’s no evidence the attackers accessed customer environments, production systems, source code, or AI systems. The breach was a targeted attack, exploiting operational misconfigurations.

The breakdown

Let’s break down what occurred into bite-sized chunks and add a little theory to elaborate on each step.

Password Spraying

Password spraying is a type of cyber attack where the attacker attempts to access a large number of accounts with a few commonly used passwords, rather than trying many passwords on a single account. Password spraying can be viewed as an evolutionary step from the traditional brute force attack: it primarily avoids triggering the account lockouts that organizations rely on as a core security measure. By trying widely used passwords across many accounts, attackers increase their chances of gaining unauthorized access without alerting the mechanisms designed to detect and block suspicious activity. This method exploits the common practice of using simple, easily guessable passwords, making it crucial for organizations to enforce strong password policies and multifactor authentication to protect against such attacks.
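As an added illustration (not code from the original post), here is a small detector for the spraying pattern the paragraph describes: many distinct accounts, few failures each, from one source, inside a short window. The sign-in records are constructed and their field names (ts, user, ip, status) are an assumption, not any vendor’s log schema.

```python
"""Password-spray detector over sign-in events.

Added example, not code from the original post. The event records below are
constructed to resemble cloud identity sign-in logs; the field names
(ts, user, ip, status) are an assumption, not a vendor schema.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 tries one password against six accounts,
# once each, then signs in as frank; 198.51.100.9 hammers a single account;
# 192.0.2.44 is an ordinary successful sign-in.
SAMPLE_EVENTS = [
    {"ts": "2023-11-20T02:00:05", "user": "alice@corp.example", "ip": "203.0.113.7", "status": "failure"},
    {"ts": "2023-11-20T02:01:10", "user": "bob@corp.example", "ip": "203.0.113.7", "status": "failure"},
    {"ts": "2023-11-20T02:02:30", "user": "carol@corp.example", "ip": "203.0.113.7", "status": "failure"},
    {"ts": "2023-11-20T02:03:45", "user": "dave@corp.example", "ip": "203.0.113.7", "status": "failure"},
    {"ts": "2023-11-20T02:05:00", "user": "erin@corp.example", "ip": "203.0.113.7", "status": "failure"},
    {"ts": "2023-11-20T02:06:15", "user": "grace@corp.example", "ip": "203.0.113.7", "status": "failure"},
    {"ts": "2023-11-20T02:07:30", "user": "frank@corp.example", "ip": "203.0.113.7", "status": "success"},
    {"ts": "2023-11-20T03:00:00", "user": "bob@corp.example", "ip": "198.51.100.9", "status": "failure"},
    {"ts": "2023-11-20T03:01:00", "user": "bob@corp.example", "ip": "198.51.100.9", "status": "failure"},
    {"ts": "2023-11-20T03:02:00", "user": "bob@corp.example", "ip": "198.51.100.9", "status": "failure"},
    {"ts": "2023-11-20T03:03:00", "user": "bob@corp.example", "ip": "198.51.100.9", "status": "failure"},
    {"ts": "2023-11-20T03:04:00", "user": "bob@corp.example", "ip": "198.51.100.9", "status": "failure"},
    {"ts": "2023-11-20T08:30:00", "user": "alice@corp.example", "ip": "192.0.2.44", "status": "success"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_password_spray(events, window_minutes=30, min_users=5, max_per_user=2):
    """Flag source IPs whose failed sign-ins, inside some sliding window,
    touch at least `min_users` distinct accounts with no more than
    `max_per_user` failures against any single one of them.

    The per-user cap is the signature of spraying: the attacker stays below
    the lockout threshold on every account, so a per-account rule never
    fires. A brute force against one account fails this test and is left
    to per-account lockout rules instead.
    """
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event["ip"]].append(event)

    findings = []
    for ip, ip_events in by_ip.items():
        failures = sorted((e for e in ip_events if e["status"] == "failure"), key=_ts)
        best = 0  # largest distinct-account count seen in any qualifying window
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until the window fits the limit.
            while _ts(failures[end]) - _ts(failures[start]) > window:
                start += 1
            per_user = Counter(e["user"] for e in failures[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                best = max(best, len(per_user))
        if best:
            # Any successful sign-in from a spraying IP is the account to chase first.
            successes = sorted({e["user"] for e in ip_events if e["status"] == "success"})
            findings.append({"ip": ip, "distinct_users": best, "successes": successes})
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(SAMPLE_EVENTS):
        print(finding)
```

The per-user cap is what separates spraying from brute force: the second IP in the sample hits one account five times and is ignored here, because per-account lockout already covers it. A slow spray spread over hours needs a wider `window_minutes`, at the cost of more false positives from shared egress addresses such as a corporate NAT.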

Gaining access to test tenant

So password spraying got them into the environment, but only into a test tenant. How does obtaining access to a non-production, non-critical environment lead to access to corporate resources? According to Microsoft’s disclosure, APT29 gained access to a legacy test OAuth application that had access to their corporate IT environment. As with any large enterprise with boundless amounts of enterprise architecture, there is definitely technological real estate that lives longer than its usefulness, and even then will remain running due to lack of oversight. These systems are the perfect target for malicious actors, as they are forgotten systems with some form of access to more critical systems.

Infiltration

Once the threat actor is in and has the rights, they can initiate the malicious part. In the case of APTs, the goal is not destructive in nature but espionage and theft. The goal is to move through the environment silently and unnoticed while siphoning as much data as possible. In fact, the best APTs are the ones that are never reported.

In this case, APT29 leveraged their privileges to create additional OAuth applications and eventually granted them the ‘full_access_as_app’ role. When an application is granted ‘full_access_as_app’ rights, it essentially has the capability to read, send, delete, and manage email messages as well as view and manage calendar events, contacts, and tasks across all mailboxes in the organization. This level of access can be necessary for certain administrative, compliance, or operational tasks, but as you can see, it can also pose a security risk to the organization if abused.

Residential Proxies

Residential proxies are intermediary services that allow users to route their internet traffic through real residential IP addresses assigned by internet service providers to actual physical locations. This makes the user’s online activities appear as if they are originating from a different location, providing anonymity and the ability to bypass geographical restrictions or web scraping protections. Unlike data center proxies, which come from servers in data centers, residential proxies use IP addresses from personal internet connections, making them less likely to be detected or blocked by websites. They are particularly useful for tasks that require high levels of legitimacy, such as market research, ad verification, and accessing geo-specific content, by mimicking the behavior of a typical internet user in a specific region. Many folks simply use them to watch shows that are being geo-blocked in their region. Either way, residential proxies are leveraged to either mask the originator or bypass security measures.

The Impact

With this access, APT29 had the ability to steal the email contents from inboxes belonging to Microsoft executives and other employees. They were able to gain access to a small number of Microsoft’s corporate email accounts. These accounts included members of Microsoft’s senior leadership team as well as employees in key departments such as cybersecurity, legal, and other functions. The attackers used this access to obtain emails and attached documents. The initial focus of the attack appeared to be on gathering information related to APT29 themselves.

However, the size of a breach isn’t what matters; what matters is the criticality of the data that was extracted. Considering executives and members of their cybersecurity team were affected, the odds are fairly high that the attackers obtained information that Microsoft would prefer were kept secret.

Microsoft Recommendations

Microsoft makes a few solid recommendations to protect your organization from a similar attack.

Microsoft’s Recommendations for Protection Against Similar Attacks

# | Recommendation | Description
1 | Identify Malicious OAuth Apps | Use anomaly detection policies to identify unauthorized or malicious OAuth applications.
2 | Implement Conditional Access App Control | Apply conditional access app control for users connecting from unmanaged devices to ensure only authorized access.
3 | Audit Accounts with Privileged Access | Regularly audit accounts that have privileged access to sensitive data or systems.
4 | Audit Identities Holding ApplicationImpersonation Privileges | Specifically audit identities that have the ability to impersonate users in Exchange Online, ensuring they are legitimate.

Identify Malicious OAuth Apps

Detecting unauthorized or malicious OAuth applications is critical for preventing them from accessing sensitive data. These apps can abuse permissions to compromise user accounts and data. Azure provides several security solutions that can be used to monitor these activities.

Microsoft Entra Identity Protection

Microsoft Entra Identity Protection offers anomaly detection capabilities that can help identify potentially malicious OAuth apps by analyzing sign-in and user behavior analytics.

Microsoft Defender for Cloud

Defender for Cloud utilizes advanced analytics and global threat intelligence from Microsoft to detect unusual and potentially harmful attempts to access or exploit cloud resources. It identifies anomalies in your cloud environments by analyzing various signals and using built-in behavioral analytics and machine learning algorithms.

Other Solutions to Consider

There are other solutions that offer anomaly detection as well as additional security features that can enhance your organization’s security posture.

Solution | Description and Use Case
Splunk | Powerful platform for searching, monitoring, and analyzing machine-generated big data. Use Case: Aggregates data across sources for pattern and anomaly detection.
AWS GuardDuty | Threat detection service that monitors for malicious activity in AWS. Use Case: Uses machine learning and threat intelligence to identify potential threats.
Google Cloud Security Command Center (Security Health Analytics) | Advanced security analytics and threat detection for Google Cloud. Use Case: Provides insights into vulnerabilities and threats across Google Cloud services.
Palo Alto Networks – Cortex | Comprehensive security platform with advanced threat detection. Use Case: Analyzes data to detect attacks and anomalies in real time.
IBM QRadar | SIEM solution providing intelligent insights for threat detection. Use Case: Analyzes log and flow data to detect anomalies and uncover advanced threats.
CrowdStrike Falcon | Cloud-delivered endpoint protection offering threat hunting and response. Use Case: Leverages AI for real-time anomaly and threat detection.
Datadog Security Monitoring | Monitoring service for applications, including security monitoring. Use Case: Uses anomaly detection algorithms for threat monitoring across applications and infrastructure.
Elastic Security | Provides SIEM capabilities and endpoint security with machine learning. Use Case: Combines log analysis and endpoint security for detecting anomalies and threats.

Implement Conditional Access App Control

Many of the articles I’ve read mention enabling multi-factor authentication to protect against attacks such as these. Although this is a great place to start, it certainly does not end the conversation. There will always be exemptions to the rule, where accounts need to bypass MFA for one reason or another.

Microsoft makes a fine point by stating the need to implement conditional access policies for app control as well. Natively, Azure AD Conditional Access provides granular control policies that enforce access requirements across Azure and Office 365 applications, such as requiring MFA or compliant devices for access.

Audit Accounts with Privileged Access

Regular auditing of privileged accounts helps ensure that only necessary personnel have high-level access and that any anomalous activities are quickly detected and mitigated. Azure AD Privileged Identity Management (PIM) enables access reviews, requiring users to acknowledge their continual need for the privileged access they are assigned. Actions based on non-responses or declinations can be performed automatically or manually.

Audit Identities Holding Application Impersonation Privileges

It’s important to monitor and audit any accounts that have the ability to impersonate other users, as this could lead to unauthorized access to sensitive data or systems. These are the accounts that get less attention from the average IT individual. They are typically treated as set-and-forget accounts, but as you can see, they can be leveraged just as easily as a typical user account.

To that end, any account that’s created for the express use of an application should be recorded and audited consistently to ensure the account is not being leveraged maliciously.
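To make the audits in this section and in the “Identify Malicious OAuth Apps” section concrete, here is an added example (not from the original post or from Microsoft) that reviews a constructed inventory: it ranks OAuth apps holding broad mail or directory roles such as full_access_as_app, flags recently registered and ownerless apps, and lists ApplicationImpersonation holders that have gone unused. The record layout and the role watch list are assumptions for the example; the output is a review queue, not a verdict.

```python
"""Audit OAuth app permissions and impersonation-capable identities.

Added example, not code from the original post or Microsoft. The records are
constructed to resemble an export of service principals and Exchange role
holders; field names and the HIGH_PRIVILEGE_APP_ROLES list are assumptions
made for the example.
"""
from datetime import datetime

# Application-level roles that read or act on mail or the directory across
# the tenant. full_access_as_app is the role named in the post; the others
# are assumed entries an organisation would keep on its own watch list.
HIGH_PRIVILEGE_APP_ROLES = {"full_access_as_app", "Mail.ReadWrite", "Mail.Send", "Directory.ReadWrite.All"}

# Constructed inventory of apps (service principals) and the app roles granted to them.
SAMPLE_APPS = [
    {"name": "Legacy Test Mail Sync", "created": "2019-03-01", "owners": [],
     "roles": ["full_access_as_app"]},
    {"name": "Payroll Connector", "created": "2022-06-14", "owners": ["it-ops@corp.example"],
     "roles": ["Mail.Send"]},
    {"name": "Support Tool", "created": "2023-11-25", "owners": [],
     "roles": ["full_access_as_app", "Mail.ReadWrite"]},
    {"name": "Wiki Reader", "created": "2021-09-02", "owners": ["wiki-admin@corp.example"],
     "roles": ["Sites.Read.All"]},
]

# Constructed list of identities holding the Exchange ApplicationImpersonation role.
SAMPLE_IMPERSONATORS = [
    {"identity": "svc-archiver@corp.example", "last_sign_in": "2023-12-10"},
    {"identity": "svc-legacy-crm@corp.example", "last_sign_in": "2023-01-04"},
    {"identity": "svc-migration@corp.example", "last_sign_in": None},
]


def _days_between(earlier, later):
    return (datetime.fromisoformat(later) - datetime.fromisoformat(earlier)).days


def audit_oauth_apps(apps, today, recent_days=30):
    """Return apps worth a human look, most suspicious first. Each finding
    lists its reasons: broad mail/directory roles, recent creation (a
    freshly registered app with broad access is exactly the pattern in the
    breach), and no owner (nobody to ask whether it should still exist)."""
    findings = []
    for app in apps:
        reasons = []
        for role in app["roles"]:
            if role in HIGH_PRIVILEGE_APP_ROLES:
                reasons.append(f"high-privilege role {role}")
        age = _days_between(app["created"], today)
        if age <= recent_days:
            reasons.append(f"created {age} days ago")
        if not app["owners"]:
            reasons.append("no owner recorded")
        if reasons:
            findings.append({"name": app["name"], "reasons": reasons})
    # Stable sort: more reasons first, original order otherwise.
    findings.sort(key=lambda f: len(f["reasons"]), reverse=True)
    return findings


def stale_impersonators(identities, today, stale_days=90):
    """Return ApplicationImpersonation holders that have not signed in for
    `stale_days` (or ever); these are the set-and-forget accounts to remove
    or re-justify."""
    stale = []
    for ident in identities:
        last = ident["last_sign_in"]
        if last is None or _days_between(last, today) > stale_days:
            stale.append(ident["identity"])
    return stale


if __name__ == "__main__":
    for finding in audit_oauth_apps(SAMPLE_APPS, "2023-12-15"):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
    print("stale impersonators:", stale_impersonators(SAMPLE_IMPERSONATORS, "2023-12-15"))
```

Run against a real export, the top of the list is the place to start: an app that is new, ownerless and holds full_access_as_app is the combination this breach turned on. The legitimate payroll connector still shows up, which is intended; the audit exists to re-confirm that such grants are justified, not to suppress them.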

Additional Security Measures

In addition to what Microsoft recommends, I would like to submit additional tactics to leverage to further protect against similar attacks.

Additional Conditional Access Policies

Trusted Sites

Additional conditional access policies can be established to ensure that certain countries of origin are blocked by default. However, with the use of residential proxies, geography-based trusted locations have been effectively circumvented by most threat actors. If possible, grant access to sensitive environments based on known and trusted IP blocks rather than geo-matching IP blocks.

For those accounts that require an MFA bypass, conditional access can be applied to them as well, granting access only if authentication is sourced from a trusted list of IPs. This limits the exposure to attacks if the account’s credentials are compromised in any way.
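As an added example (not code from the post, and not Microsoft’s policy engine), here is a local model of the two policy styles this section contrasts, with a residential proxy exit sitting in the same country as the office. All addresses, ranges, accounts and the country lookup are constructed.

```python
"""Trusted-IP versus geo-based conditional access, modelled locally.

Added example, not code from the original post and not Microsoft's policy
engine. It models the two policy styles the section contrasts: admitting
sign-ins by country of origin versus admitting only known corporate IP
ranges. All addresses, ranges and the country lookup are constructed.
"""
import ipaddress

# Constructed: the organisation's own egress ranges (office and VPN).
TRUSTED_RANGES = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.0/28")]

# Constructed stand-in for a geolocation feed. The residential proxy exit
# sits in the same country as the office, which is the point of the section.
IP_COUNTRY = {
    "198.51.100.20": "US",  # office egress
    "203.0.113.5": "US",    # VPN egress
    "192.0.2.77": "US",     # residential proxy exit, same country
    "192.0.2.200": "XX",    # direct from a blocked country
}

# Constructed: accounts exempted from MFA for an operational reason.
MFA_EXEMPT_ACCOUNTS = {"svc-legacy-sync@corp.example"}


def allowed_by_geo(source_ip, allowed_countries=("US",)):
    """Geo-matching policy: admit when the source country is on the list."""
    return IP_COUNTRY.get(source_ip, "unknown") in allowed_countries


def allowed_by_trusted_ip(source_ip):
    """Trusted-location policy: admit only from the organisation's own ranges."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in TRUSTED_RANGES)


def evaluate_sign_in(user, source_ip, mfa_satisfied):
    """Decision for one sign-in under the section's recommendation:
    MFA-exempt accounts get in only from trusted IP ranges; everyone else
    must complete MFA. Returns "grant" or "block"."""
    if user in MFA_EXEMPT_ACCOUNTS:
        return "grant" if allowed_by_trusted_ip(source_ip) else "block"
    return "grant" if mfa_satisfied else "block"


if __name__ == "__main__":
    for ip in IP_COUNTRY:
        print(ip, "geo:", allowed_by_geo(ip), "trusted-ip:", allowed_by_trusted_ip(ip))
```

The geo rule admits the proxy address because the country matches; the trusted-range rule does not, because the address is not one the organization controls. For the MFA-exempt account the decision depends only on the source range, so a compromised credential for it is useless from anywhere else.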

Isolate Test Environments

Nothing deemed test should touch or be able to touch production workloads on a continual basis. In the age of CI/CD we should be able to create isolated environments and deploy the code into increasingly sensitive environments without the need for them to communicate.

Audit break glass accounts

Wherever and however you store your break glass accounts, ensure that they are stored in an area with limited access. Ideally, only management and maybe a few members of your senior IT staff have any knowledge of them. Break glass accounts are leveraged in times when traditional authentication measures are not working. The credentials for these accounts should be stored in a secured, encrypted location, and only a few people in the organization should have access to view them.

It’s arguable whether break glass accounts should bypass MFA controls. The odds of your MFA mechanisms failing are extremely low, but they are not infallible. If they do fail, then even the break glass account becomes useless if it isn’t exempted. There is the option of creating two emergency accounts: one that requires MFA and another that can bypass it. In that scenario the MFA-enabled account could be managed by the senior IT team members and the other can only be accessed by leadership. The table below details additional recommendations for break glass accounts.

# | Best Practice | Description
1 | Secure Storage | Store credentials in a secure, encrypted location accessible only to a minimum number of authorized personnel.
2 | Regular Audits and Reviews | Conduct regular audits of the break glass account and its usage to ensure compliance with security policies.
3 | Strong Authentication | Use strong, unique passwords combined with multi-factor authentication (MFA) for additional security. If you choose to exempt your break glass account from MFA, then I would recommend additional conditional access policies such as trusted devices or specific IPs listed in a trusted locations list. Additionally, split knowledge tactics can be employed as well.
4 | Usage Monitoring and Alerting | Monitor the use of break glass accounts and set up alerts for any access or usage to respond quickly to any unauthorized access.
5 | Access Control | Limit access to break glass accounts strictly to essential personnel and review the list regularly to ensure it’s up to date.
6 | Documentation and Procedures | Document procedures for using the break glass account, including when and how it should be used, and ensure the documentation is readily accessible to authorized users.
7 | Password Rotation | Rotate passwords regularly, and especially after every use, to minimize the risk of unauthorized access.
8 | Training | Provide training for personnel authorized to use the break glass account to ensure they understand the procedures and the importance of the account’s security.
9 | Split Knowledge | Divide the credentials into two parts and store them in different secure repositories. This technique further secures the credentials, but also adds additional overhead.

A few words on split knowledge

Also known as secret sharing, this method can indeed add an additional layer of security for managing highly sensitive information, such as break glass account credentials. Here’s how it enhances security and some considerations to keep in mind:

Enhancements to Security:
  1. Increased Access Control: By splitting the password and storing the parts in separate locations, unauthorized access becomes significantly more difficult. An attacker would need to compromise multiple systems or vaults to reconstruct the full password, which reduces the risk of total credential exposure from a single breach.
  2. Mitigation of Insider Threats: From my perspective, the purpose of secret sharing as it relates to this article is to ensure the password is not completely exposed in the event of a breach. However, it can also reduce the risk of insider threats because of the ability to expose different segments of the password to different individuals, meaning no single individual would have access to the entire password. This necessitates collaboration among trusted individuals to assemble the full credential, adding a layer of checks and balances.
  3. Enhanced Audit Trails: Using multiple vaults can improve audit capabilities, as access to each part of the password can be logged and monitored separately, providing clear trails of who accessed which part of the secret and when.
Considerations and Overhead:
  1. Operational Complexity: Implementing this approach adds complexity to the emergency access procedure. Organizations must ensure that the process for retrieving and assembling the parts of the password is well-documented and understood by all relevant parties.
  2. Response Time: In an emergency, accessing the break glass account may take longer, as multiple vaults need to be accessed and the password parts assembled. This delay should be weighed against the security benefits.
  3. Key Management: Effective key management becomes crucial. Organizations must securely manage the access controls for each part of the password, including rotation, auditing, and revocation policies.
  4. Additional Security Measures: Despite the added security of splitting passwords, it’s still important to implement other security measures, such as multi-factor authentication (MFA) for accessing the vaults, to protect against unauthorized access.
  5. Regular Testing and Training: Due to the added complexity, regular testing and training become even more important to ensure that authorized personnel can access and assemble the password parts quickly during an emergency.
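As an added example that is not part of the original post, the following implements split knowledge with Shamir’s secret sharing. It goes beyond the two-part split described above: the credential is divided into n shares of which any k reconstruct it, while any k-1 shares reveal nothing about it, unlike storing the first and second half of a password separately, where one vault leaks half of it. The credential in the code is a constructed sample.

```python
"""Threshold secret sharing for break glass credentials.

Added example, not code from the original post. It implements Shamir's
scheme over a prime field: a credential is split into n shares of which
any k reconstruct it, and fewer than k reveal nothing about it. The
sample credential is constructed.
"""
import secrets

# Field modulus: the Mersenne prime 2^521 - 1. Secrets up to 64 bytes fit.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with the given coefficients at x, mod PRIME (Horner)."""
    result = 0
    for coeff in reversed(coeffs):
        result = (result * x + coeff) % PRIME
    return result


def split_secret(secret: bytes, threshold: int, share_count: int):
    """Split `secret` into `share_count` (x, y) shares; any `threshold` of them recover it."""
    if not 1 < threshold <= share_count:
        raise ValueError("need 1 < threshold <= share_count")
    if len(secret) > 64:
        raise ValueError("secret too long for this field")
    # A leading 0x01 byte fixes the length so leading zero bytes survive.
    value = int.from_bytes(b"\x01" + secret, "big")
    # Constant term is the secret; the other coefficients are random, so any
    # threshold-1 shares leave the constant term uniformly undetermined.
    coeffs = [value] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def recover_secret(shares) -> bytes:
    """Reconstruct the secret by Lagrange interpolation at x = 0.
    With fewer shares than the threshold this returns an unrelated value."""
    total = 0
    for i, (x_i, y_i) in enumerate(shares):
        numerator = denominator = 1
        for j, (x_j, _) in enumerate(shares):
            if i != j:
                numerator = numerator * (-x_j) % PRIME
                denominator = denominator * (x_i - x_j) % PRIME
        # Fermat inverse: PRIME is prime, so a^(p-2) is a^-1 mod p.
        total = (total + y_i * numerator * pow(denominator, PRIME - 2, PRIME)) % PRIME
    raw = total.to_bytes((total.bit_length() + 7) // 8, "big")
    return raw[1:]  # drop the length-fixing 0x01 prefix


if __name__ == "__main__":
    credential = b"Br3ak-Gl4ss!Correct-Horse"  # constructed sample credential
    shares = split_secret(credential, threshold=2, share_count=3)
    assert recover_secret(shares[:2]) == credential
    assert recover_secret(shares[1:]) == credential
    print("any 2 of 3 shares rebuild the credential")
```

Each share goes into its own vault with its own access log, which gives the separate audit trails noted above. Shares are long integers, so store them as text. Losing more than n-k of them makes the credential unrecoverable, which is why the response-time and testing points above still apply.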

Conclusion

The Microsoft breach should be a wake-up call to many. Enterprises should step up their security game and implement measures. I’d also like to reiterate that Microsoft security products were not circumvented and should still be considered when evaluating security solutions. In fact, most breaches are not caused by failed security mechanisms, but by human error. It’s the 10-year-old server that the team is afraid to shut down or that elevated test account that was only supposed to exist for a few hours but is still enabled years later.

It’s time to review the entire infrastructure and ensure all production environments, or environments with sensitive data, are secured. Non-production environments should be isolated from production data and workloads. You should assume that everyone is out to steal your data. Protect it accordingly.

