Newsletter

open source and cybersecurity news

February 9th, 2024

In this Episode:

It’s February 9, 2024 and time for Point of View Friday, where we cover a single topic from multiple perspectives. Today’s point of discussion is the recent large-scale Microsoft breach. We have perspectives from Trac Bannon in Camp Hill, Pennsylvania, Olimpiu Pop in Transylvania, Romania, and Shannon Lietz in San Diego, California. We’ll start with Katy Craig, also in San Diego, connecting the dots between the HPE breach and Microsoft.


Point of View Friday: Recent large-scale Microsoft breach


Katy Craig
After HPE, MSFT has a breach too?!

Katy Craig, Contributing Journalist, It's 5:05 Podcast

Today we’re connecting the dots between two major cyber incidents, the recent Hewlett Packard Enterprise (HPE) breach, and the earlier attack on Microsoft by the notorious Russia-linked hacking group, Cozy Bear.

This is Katy Craig in San Diego, California.

Cozy Bear, also known as APT29 or Midnight Blizzard, is infamous in cybersecurity circles. They’ve been linked to significant attacks like the 2016 Democratic National Committee breach and the 2019 SolarWinds attack. This group is widely believed to be sponsored by the Russian government.

On Wednesday, HPE revealed a breach in its cloud-based email system, as disclosed in a filing with the U.S. Securities and Exchange Commission. The company was notified on December 12th that Cozy Bear had accessed and exfiltrated data from its email environment starting in May 2023.

This news follows Microsoft’s disclosure that the same group breached some of their corporate email accounts, including those of senior leadership and cybersecurity teams. Microsoft’s breach involved a password spray attack on a legacy account, leading to the compromise of information related to Cozy Bear.

Considering the timing and the similar targets, cybersecurity and business teams, it’s plausible that the Microsoft breach either led to or contributed to the HPE breach. Cozy Bear could have leveraged information from Microsoft’s breach to orchestrate the attack on HPE. HPE spokesperson Adam R. Bauer stated that the full extent of the breach, including the number of affected mailboxes, is still under investigation. The data accessed is believed to be limited to the information in the users’ mailboxes.

These incidents highlight the interconnected nature of cybersecurity threats. A breach in one major company can have cascading effects on others, especially when dealing with sophisticated state-sponsored actors like Cozy Bear. It’s a sobering reminder of the importance of robust cybersecurity measures and the need for vigilant monitoring of digital environments.

This is Katy Craig. Stay safe out there.

Resources
– The Register: What Microsoft’s latest email breach says about the IT giant

– Yahoo.com: HPE says it was hacked by Russian group behind Microsoft email breach

– CPO Magazine: Russian State Sponsored Hackers Behind Microsoft’s Corporate Email Security Breach


Tracy (Trac) Bannon
What can software architects do to prevent an MSFT-like breach?

Trac Bannon, Contributing Journalist, It's 5:05 Podcast

Everybody’s favorite attack target, Microsoft, has been struck again. Are you at risk?

Hello, this is Trac Bannon reporting from Camp Hill, Pennsylvania.

The latest breach at Microsoft by the Russian group Midnight Blizzard, or Nobelium, demands attention. The breach used a password spray to access a test tenant. It compromised a small portion of Microsoft’s emails, including those of top leaders and cybersecurity staff. The goal was not money or even customer data. It was to learn what Microsoft knew about them so they could improve their own defenses.

This breach strikes at software architecture’s core. It shakes our trust in top-level information security. It challenges our security practices for both production and testing systems. It forces us to look back at our legacy systems.

From an architectural standpoint, this breach raises alarms. It questions the security of non-production systems. It warns of potential network breaches. It stresses the need for strong access controls, data compartmentalization, secure configurations, and continuous monitoring.

These measures must detect and respond to threats and minimize damage from breaches. The breach accessed top executives’ emails. It took emails and documents. This harms trust and reputation. It underlines the need for secure communication, encryption, and data loss prevention in software architecture.

The security breach challenges Microsoft’s credibility as well. The company is a trusted security provider. Customers expect the highest security standards. Microsoft’s response is crucial. Quick, transparent action can mitigate damage. Restoring trust, however, depends on stronger security measures.

This breach reveals a changing threat landscape. It shows the persistence of resource-rich nation-state actors. It stresses the need for threat intelligence and software architecture. We must defend against advanced adversaries. We must be comprehensive, agile, and robust. Our strategies must adapt to these sophisticated threats. They must protect legacy systems and secure a wide range of data.

So here’s your call to action.

After the Microsoft breach, every technical organization must act: audit and strengthen your security now. Secure production and non-production areas. Use strong access controls and continuous monitoring. Add advanced threat intelligence to your software. This will protect your data and keep the trust of your partners.

Something to Noodle on.


Olimpiu Pop
The MSFT breach proves that cybersecurity legislation needs to be enforced on us?

Olimpiu Pop, Contributing Journalist

“The company has not yet determined whether the incident is reasonably likely to materially impact the company’s financial condition or results of operation,” reads the summary of the SEC filing provided by Microsoft after yet another Russian-led hack. Who’s behind the attack? Midnight Blizzard, also known as Nobelium or Cozy Bear, the old friend who has hacked Microsoft twice since 2020.

Hey, it seems that Redmond is an open house for hacker groups. Lapsus$, hoodlums and Chinese snoops have also busted through Redmond’s digital perimeter. They stole source code, a private cryptographic key, government messages, and other important, supposedly secret stuff. More than that, the stolen Microsoft security key was used by China to break into US government email accounts.

Wait! A Microsoft Spokesperson shared something to make us sleep better at night. The breach was not a result of a vulnerability in any of its products. Phew. That was close. At least the stock market seems to believe the story as the company’s stock is trading at record highs.

Now let me put back the hard hat of the technical person. I have to disagree that Microsoft can be exonerated for the attack. Even if the products used are downstream libraries or products, I’m still responsible for the privacy and the data safety of my customers. And that makes me think that the ongoing efforts in cybersecurity legislation are important. When the big boys who are writing the books on security and carving new directions are affected, we have to admit we need the rules to be enforced on us.

Think about supply chain security. You need to know what you’re using to provide the best quality for the users, especially when you are selling security products yourself. If you have the label, the software bill of materials in this case, it should be harder to ignore the danger.

Following the basic security recommendations is of utmost importance. The breach was caused by missing multi-factor authentication on a staging environment. Given that emails and documents that should be accessible to just the senior management of the company got exfiltrated, it is not a good enough excuse that it was just a test environment.

Under Satya Nadella’s rule, Microsoft seems to have created a new image: slick, embracing the open source and AI trends.

But even if we are dreaming about clouds and a world with private virtual assistants, we still have to be careful about the skeletons in the closet that might come hunting us. Even if we look at the horizon line, make sure we know what we are stepping on.

Olimpiu Pop reported from Transylvania, Romania.

Resources
– The Register: https://www.theregister.com/2024/01/24/microsoft_latest_breach_cozy_bear

– The Register: https://www.theregister.com/2023/07/21/microsoft_key_skeleton/

– The Register: https://www.theregister.com/2022/03/21/microsoft_lapsus_breach_probe/

– The Register: https://www.theregister.com/2023/10/31/sec_charges_solarwinds_sunburst_fraud/

– The Register: https://www.theregister.com/2023/09/06/microsoft_stolen_key_analysis/


Shannon Lietz
Mother of All Breaches

Shannon Lietz, Contributing Journalist

Hi, this is Shannon Lietz from San Diego, California, reporting on the Win-Lose-or-Draw of the “Mother of All Breaches”, twenty-six billion records. That’s what we’re all here talking about today. The question is, what do you really have to consider? That sounds pretty horrible in the first place. But when it comes down to it, that’s a multi-year engagement by an adversary. What do we need to consider for it? Here’s how I think about it.

From a win perspective, you might highlight the “Mother of All Breaches”, you might start thinking about it strategically, and if you get app-based MFA and credential resets out of it, that’s a win.

If nothing happens from talking about it, because folks are already overwhelmed by security, I’d say that’s a draw. And it’s a draw because it means that your environment, your organization, is still trying to figure out how to keep up with what they have and move forward. It is, quite simply put, potentially a compliance versus security issue.

And from a lose perspective, if you try to make this the epicenter of reason, the single biggest crisis that you can think of to try and push a program forward, it’s very likely that it’ll result in a lack of credibility.

Why? After many years of all of this data getting accumulated, yes, there is a concern we should all have. The data’s out there, it can be used to go after identity issues, and at the same time, that simply means we’ve got to get better at creating better identity and access levers.

I particularly think that controls around something that you have can’t just be a phone number these days. That’s just not enough.

It needs to be something that we really do consider a big threat. But at the same time, I stand by the analysis from a Win-Lose-or-Draw perspective. The biggest benefit here is to really work within your organization to try and make it an app-based MFA push.

This is Shannon Lietz reporting on the Win-Lose-or-Draw. Stay strong. See you out there.


Mark Miller: Thanks for listening to Point of View Friday. If you like what you heard, please subscribe to It’s 5:05 on your favorite podcast platform. It’s 5:05 is a Sourced Network Production based in New York City. This is your host, Mark Miller. Have a good weekend.
