Microsoft Says Russian Hackers Breached Its Systems, Accessed Source Code

Earlier this year (January 19, 2024) Microsoft disclosed that the Russian state-sponsored actor Midnight Blizzard had breached its corporate email environment. The intrusion began with a password spray attack that compromised a legacy, non-production test tenant account. Microsoft noted that this test account did not have multi-factor authentication enabled and that it could reach a legacy test OAuth application holding elevated access to Microsoft's corporate environment; the actor used that application to access and exfiltrate data from corporate mailboxes, including those of members of Microsoft's senior leadership team and of employees in the cybersecurity and legal departments. In an update last Friday (March 8, 2024), Microsoft stated that the actor is now using information found in the stolen emails, including secrets, to gain access to some of the company's source code repositories and internal systems.

Security Officer Comments:
Microsoft did not specify what types of secrets were stolen. They were reportedly found in emails exchanged between customers and Microsoft, so they could include authentication tokens, API keys, or passwords that the actor could use to reach other systems and resources. Microsoft says it has begun contacting customers whose secrets were exposed. At present the company reports no evidence that Microsoft-hosted customer-facing systems have been compromised. The practical caveat for customers is that this notification depends on Microsoft recognizing a secret in the stolen mail: any organization that has pasted credentials, tokens, or keys into a support thread with Microsoft should treat them as exposed and rotate them without waiting to be contacted.
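The first step in that rotation is knowing which secrets were ever sent. The following is an added example, not code from the article, from Microsoft, or from any vendor's product, of a small sweep that a customer could run over exported mail with Microsoft support. It combines three heuristics: labelled credentials ("password: ..."), a well-known key-ID prefix, and a Shannon-entropy check that catches unlabelled random-looking strings the labels miss. The sample email and every value in it are constructed for this example (the AWS key ID is the one AWS publishes as a documentation example); the entropy threshold and the label list are assumptions to tune.

```python
"""Inventory secrets shared in email so they can be rotated.

Added example, not code from the original article or from Microsoft. The
sample email below is constructed; none of the values is a live credential.
"""
import math
import re
from collections import Counter

# Constructed sample message, the kind of thing that ends up in a support
# thread: a labelled password, a labelled API key, an unlabelled client
# secret (the label is separated from the value by a parenthetical, so a
# label-only scanner misses it), and a bearer token.
SAMPLE_EMAIL = """\
Hi Support team,

As requested, here are the details for the test tenant so you can reproduce it:
username: svc-test@contoso.example
password: Winter2024!
The API key for the integration is api_key=AKIAIOSFODNN7EXAMPLE
Client secret (from the portal): 8fQ2vLp9xZ4mK7wN3rT6yB1sH5jD0gAe
and you can call the endpoint with
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.constructed-not-a-real-signature
Let me know if you need anything else. Thanks!
"""

# "label: value" / "label=value" forms; label list is an assumption.
LABELLED = re.compile(
    r"(?i)\b(password|passwd|pwd|secret|api[_ -]?key|token)\b\s*[:=]\s*(\S+)")
BEARER = re.compile(r"\bBearer\s+([A-Za-z0-9\-._~+/]+=*)")
# AWS access key IDs are "AKIA" followed by 16 upper-case alphanumerics.
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Entropy fallback candidates: 20+ chars of a base64/URL-safe alphabet,
# with optional trailing '=' padding kept out of the run itself.
CANDIDATE = re.compile(r"[A-Za-z0-9+/_\-.]{20,}={0,2}")


def shannon_entropy(s: str) -> float:
    """Bits per character; a 32-char string of distinct chars scores 5.0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_secrets(text: str, entropy_threshold: float = 4.0):
    """Return a list of {line, kind, value} findings, one per distinct value per line."""
    findings = []
    seen = set()

    def add(lineno, kind, value):
        # Dedupe so a value caught by several heuristics is reported once,
        # under the first (most specific) heuristic that matched it.
        if (lineno, value) not in seen:
            seen.add((lineno, value))
            findings.append({"line": lineno, "kind": kind, "value": value})

    for lineno, line in enumerate(text.splitlines(), 1):
        for m in LABELLED.finditer(line):
            add(lineno, "labelled:" + m.group(1).lower(), m.group(2))
        for m in BEARER.finditer(line):
            add(lineno, "bearer-token", m.group(1))
        for m in AWS_KEY_ID.finditer(line):
            add(lineno, "aws-access-key-id", m.group(0))
        for m in CANDIDATE.finditer(line):
            if shannon_entropy(m.group(0)) >= entropy_threshold:
                add(lineno, "high-entropy", m.group(0))
    return findings


if __name__ == "__main__":
    for f in find_secrets(SAMPLE_EMAIL):
        print(f"line {f['line']:>3}  {f['kind']:<20} {f['value']}")
```

On the constructed message this reports four findings: the labelled password and API key, the bearer token, and the client secret on line 7, which only the entropy check catches. Words and email addresses fall below the threshold or are broken up by characters outside the candidate alphabet, which keeps the noise down when the sweep runs over a real mailbox export.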

Suggested Corrections:
Microsoft has observed a sharp increase in the volume of password spray attacks by Midnight Blizzard, as much as 10-fold in February compared to January 2024. A password spray tries a small set of common passwords against many accounts, staying below each account's lockout threshold, so it succeeds wherever a single account has a weak or reused password and no second factor. To defend against such attacks, organizations should enforce strong passwords, which in practice means blocking commonly used and previously breached passwords rather than relying on composition rules (uppercase/lowercase characters, numbers, and symbols) alone. Organizations should also identify and change default passwords and routinely rotate credentials, immediately for any known or suspected to be exposed, so that login details leaked in one breach cannot be reused for further access. Enforcing multi-factor authentication on every account, including legacy, test, and service accounts like the one abused here, is the most important control: a sprayed password by itself will then not be enough for an actor like Midnight Blizzard to get into the account. Finally, since the foothold was turned into corporate access through an OAuth application with elevated permissions, organizations should inventory their OAuth applications, remove legacy ones, and restrict the rest to the permissions they need, and should monitor sign-in logs for the spray pattern itself: many accounts failing authentication from the same source in a short window.
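As an added example (not code from the article, from Microsoft, or from any identity provider's product), the following Python script runs that sign-in log check over a constructed set of events. The event fields (ts, user, ip, ok) are an assumed, simplified schema; real sign-in logs carry more fields, but the logic is the same: group failures by source, count distinct users inside a sliding time window, and flag sources where many users each fail only a few times, noting any success from the same source as a probable compromised account.

```python
"""Detect a password spray in sign-in events.

Added example, not code from the original article, from Microsoft, or from
any identity provider. The event schema (ts, user, ip, ok) is an assumed,
simplified stand-in for a real sign-in log; the events are constructed and
the source addresses come from documentation ranges.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 tries seven accounts once each in seven
# minutes; six fail and the seventh, a legacy test account, lets it in (the
# spray signature, ending the way the Microsoft intrusion began).
# 198.51.100.9 is one user who mistyped her password twice and then
# succeeded: noisy, but not a spray.
SAMPLE_EVENTS = [
    {"ts": "2024-02-10T08:00:05Z", "user": "alice@example.com", "ip": "203.0.113.7", "ok": False},
    {"ts": "2024-02-10T08:01:11Z", "user": "bob@example.com", "ip": "203.0.113.7", "ok": False},
    {"ts": "2024-02-10T08:02:30Z", "user": "carol@example.com", "ip": "203.0.113.7", "ok": False},
    {"ts": "2024-02-10T08:03:42Z", "user": "dave@example.com", "ip": "203.0.113.7", "ok": False},
    {"ts": "2024-02-10T08:05:02Z", "user": "erin@example.com", "ip": "203.0.113.7", "ok": False},
    {"ts": "2024-02-10T08:06:19Z", "user": "test-legacy@example.com", "ip": "203.0.113.7", "ok": True},
    {"ts": "2024-02-10T08:07:00Z", "user": "frank@example.com", "ip": "203.0.113.7", "ok": False},
    {"ts": "2024-02-10T08:00:40Z", "user": "gwen@example.com", "ip": "198.51.100.9", "ok": False},
    {"ts": "2024-02-10T08:00:55Z", "user": "gwen@example.com", "ip": "198.51.100.9", "ok": False},
    {"ts": "2024-02-10T08:01:20Z", "user": "gwen@example.com", "ip": "198.51.100.9", "ok": True},
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_users=5, max_failures_per_user=3):
    """Return {source_ip: finding} for sources that look like a spray.

    A spray is many distinct users failing from one source within `window`,
    each only a few times, because the attacker deliberately stays under the
    per-account lockout threshold. Any success from the same source inside
    that window is reported as a probable compromised account. The default
    thresholds are assumptions to tune against your own sign-in baseline.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append((parse_ts(e["ts"]), e["user"], e["ok"]))

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide `start` forward so the window spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            in_window = evs[start:end + 1]
            fails = defaultdict(int)
            for _, user, ok in in_window:
                if not ok:
                    fails[user] += 1
            if (fails and len(fails) >= min_users
                    and max(fails.values()) <= max_failures_per_user):
                # Overwrite on each qualifying window so the finding reflects
                # the latest view of the spray from this source.
                findings[ip] = {
                    "distinct_users_failed": len(fails),
                    "first_seen": in_window[0][0].isoformat(),
                    "last_seen": in_window[-1][0].isoformat(),
                    "succeeded_users": sorted({u for _, u, ok in in_window if ok}),
                }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_password_spray(SAMPLE_EVENTS).items():
        print(ip, finding)
```

On the sample this flags 203.0.113.7 with six distinct failing users and test-legacy@example.com as the account that succeeded, while the single user retrying from 198.51.100.9 is ignored. To run it against real data, replace SAMPLE_EVENTS with events exported from the identity provider and map its field names onto the assumed schema; the success list is the thing to act on first, since that is the account whose password is now in the attacker's hands.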