Last week, CNBC gave me a chance to discuss Microsoft’s Friday-night news dump of a new breach by Russian intelligence services, in which I called for more details from Microsoft so that other organizations could defend themselves.
On January 25th, we gained a bit more transparency in the form of a blog post from “Microsoft Security”, the commercial security division of Microsoft. Let me offer some reactions.
Microsoft Buries the Lede
“Using the information gained from Microsoft’s investigation into Midnight Blizzard, Microsoft Threat Intelligence has identified that the same actor has been targeting other organizations and, as part of our usual notification processes, we have begun notifying these targeted organizations.”
Translation: Since the techniques outlined in the blog only work on Microsoft-hosted cloud identity and email services, this means that other companies were compromised using the same flaws in Entra (better known as Azure Active Directory) and Microsoft 365.
Microsoft’s language here plays this up as a big favor they are doing the ecosystem by sharing their “extensive knowledge of Midnight Blizzard” when, in fact, what they are announcing is that this breach has affected multiple tenants of their cloud products.
Microsoft Continues to Downplay the Attack By Abusing the Term “Legacy”
One of the big open questions from last week was how an attack against a “legacy non-production test tenant” could lead to access to the emails of key Microsoft executives. We get a bit more detail in this paragraph:
“Midnight Blizzard leveraged their initial access to identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment. The actor created additional malicious OAuth applications. They created a new user account to grant consent in the Microsoft corporate environment to the actor controlled malicious OAuth applications. The threat actor then used the legacy test OAuth application to grant them the Office 365 Exchange Online full_access_as_app role, which allows access to mailboxes.”
I have seen this fundamental problem in multiple investigations, including the one that Microsoft worked so hard to label as the Solarwinds Incident*: AzureAD is overly complex, and lacks a UX that lets administrators easily understand the web of security relationships and dependencies that attackers are becoming accustomed to exploiting.
In many organizations, AzureAD is deployed in hybrid mode, which exposes them to the weaknesses of both cloud identity (external password sprays) and on-premises identity (NTLM, mimikatz) technologies, a mix that smart attackers use to bounce between domains, escalate privilege and establish persistence.
Calling this a “legacy” tenant is a dodge; this system was clearly configured to allow for production access as of a couple of weeks ago, and Microsoft has an obligation to secure their legacy products and tenants just as well as ones provisioned today. It’s not clear what they mean by “legacy”, but whatever Microsoft’s definition, it is likely representative of how thousands of their customers are using their products.
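The chain Microsoft describes (a stale test app that still holds the Exchange Online full_access_as_app role, new apps that receive that role from it, and a freshly created account granting consent) is exactly the kind of relationship an administrator should be able to enumerate. The following is an added example of that audit, not code from the original post or from Microsoft. It assumes a flattened export of app-role assignments, consent grants and user accounts (the record layout is an assumption; how you export it from a tenant is out of scope), and all records below are constructed.

```python
"""Audit helpers for the OAuth-application abuse chain described above.

Added example, not Microsoft's code and not from the original post. The record
layout is an assumption: a flattened export of app-role assignments, consent
grants and user accounts. All sample records are constructed.
"""
from datetime import datetime, timedelta, timezone

# The Exchange Online application role named in Microsoft's post: an app that
# holds it can read every mailbox in the tenant without a signed-in user.
MAILBOX_WIDE_ROLE = "full_access_as_app"


def _ts(value):
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


# Constructed sample data (assumed layout): one old test app that still carries
# tenant-wide mailbox access, a newer app that received the same role from that
# test app rather than from an administrator, and consents granted by accounts
# that were created hours earlier or no longer exist.
APP_ROLE_ASSIGNMENTS = [
    {"app": "legacy-test-app", "resource": "Office 365 Exchange Online",
     "role": MAILBOX_WIDE_ROLE, "assigned": "2019-03-02T10:00:00",
     "actor": "admin-jdoe", "actor_type": "user"},
    {"app": "hr-sync-tool", "resource": "Microsoft Graph",
     "role": "User.Read.All", "assigned": "2022-06-14T09:30:00",
     "actor": "admin-jdoe", "actor_type": "user"},
    {"app": "mail-export-2", "resource": "Office 365 Exchange Online",
     "role": MAILBOX_WIDE_ROLE, "assigned": "2024-01-10T02:14:00",
     "actor": "legacy-test-app", "actor_type": "application"},
]

USERS = [
    {"user": "admin-jdoe", "created": "2017-08-21T08:00:00"},
    {"user": "svc-new-01", "created": "2024-01-09T23:55:00"},
]

CONSENTS = [
    {"app": "hr-sync-tool", "granted_by": "admin-jdoe", "granted": "2022-06-14T09:31:00"},
    {"app": "mail-export-2", "granted_by": "svc-new-01", "granted": "2024-01-10T02:10:00"},
    {"app": "mail-export-3", "granted_by": "svc-gone", "granted": "2024-01-10T02:20:00"},
]


def mailbox_wide_apps(assignments):
    """Every app holding the mailbox-wide role, oldest first. Each one deserves
    review regardless of how 'legacy' or 'test' its name looks."""
    hits = [a for a in assignments if a["role"] == MAILBOX_WIDE_ROLE]
    return sorted(hits, key=lambda a: a["assigned"])


def roles_granted_by_apps(assignments):
    """Role assignments performed by an application identity rather than by an
    administrator: the step where the test app handed mailbox access onward."""
    return [a for a in assignments if a["actor_type"] == "application"]


def consents_from_young_accounts(consents, users, max_age=timedelta(days=30)):
    """Consent grants made by accounts that were younger than max_age at grant
    time, or by accounts that no longer exist (deleted after use). Each returned
    record is a copy of the consent with a 'reason' field added."""
    created = {u["user"]: _ts(u["created"]) for u in users}
    flagged = []
    for c in consents:
        who = c["granted_by"]
        if who not in created:
            flagged.append({**c, "reason": "granting account not found"})
        elif _ts(c["granted"]) - created[who] <= max_age:
            flagged.append({**c, "reason": "granting account created shortly before consent"})
    return flagged


def audit(assignments=APP_ROLE_ASSIGNMENTS, consents=CONSENTS, users=USERS):
    """Summarise the three checks as app names so the output is easy to review."""
    return {
        "mailbox_wide_apps": [a["app"] for a in mailbox_wide_apps(assignments)],
        "roles_granted_by_apps": [a["app"] for a in roles_granted_by_apps(assignments)],
        "suspicious_consents": [(c["app"], c["reason"])
                                for c in consents_from_young_accounts(consents, users)],
    }


if __name__ == "__main__":
    for check, findings in audit().items():
        print(f"{check}: {findings}")
```

Run against the constructed data, the three checks surface the old test app and the new app as mailbox-wide, the new app as having received its role from another application, and two consents that were granted by a brand-new or since-deleted account. The account-age window is a parameter because what counts as "new" depends on how a tenant provisions service accounts.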
Microsoft does, however, offer all of us some solution…
Microsoft is Using Its Own Security Flaws as an Opportunity to Upsell
These sentences in the blog post deserve a nomination to the Cybersecurity Chutzpah Hall of Fame, as Microsoft recommends that potential victims of this attack against their cloud-hosted infrastructure:
“Detect, investigate, and remediate identity-based attacks using solutions like Microsoft Entra ID Protection.
Investigate compromised accounts using Microsoft Purview Audit (Premium).
Enforce on-premises Microsoft Entra Password Protection for Microsoft Active Directory Domain Services.”
Microsoft is using this announcement as an opportunity to upsell customers on their security products, which are apparently necessary to run their identity and collaboration products safely!
This is morally indefensible, just as it would be for car companies to charge for seat belts or airplane manufacturers to charge for properly tightened bolts. It has become clear over the past few years that Microsoft’s addiction to security product revenue has seriously warped their product design decisions, where they hold back completely necessary functionality for the most expensive license packs or as add-on purchases.
While these two arrogant and circumspect posts do, at least, admit “the urgent need to move even faster” in securing their products, I would argue that Microsoft has a much deeper cultural problem to solve as the world’s most important IT company.
They need to throw away this poisonous idea of security as a separate profit center and rededicate themselves to shipping products that are secure-by-default while providing all security features to all customers. I understand the need to charge for log storage or human services, but we should no longer accept the idea that Microsoft’s basic enterprise offerings (including those paid for by the US taxpayer) should lack the basic features necessary to protect against likely attacks.
My current employer competes against some of these products, but if Microsoft did a better job by default then that would actually reduce the need for SentinelOne and other security vendors to provide basic safety protections.
For all the language about the sophistication of the SVR hackers behind this attack, there is nothing here that is outside the norm for ransomware groups attacking Microsoft technologies, and Microsoft customers of all sizes should be concerned that these techniques will be deployed against them if they do not pay extra for the secure version of Microsoft’s cloud products.
Twenty-one years after the Trustworthy Computing memo, it’s once again time for some soul searching in Redmond.
* While the breach of Solarwinds was a critical part of the SVR campaign to break into around 200 organizations, weaknesses in the deployed configuration of AzureAD also played an important role, which Microsoft effectively papered over in their Congressional testimony and written statements.