{"id":23814,"date":"2024-01-29T04:30:06","date_gmt":"2024-01-29T12:30:06","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2024\/01\/29\/news-17544\/"},"modified":"2024-01-29T04:30:06","modified_gmt":"2024-01-29T12:30:06","slug":"news-17544","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2024\/01\/29\/news-17544\/","title":{"rendered":"Russia hacks Microsoft: It\u2019s worse than you think"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2021\/06\/hacker_hackingsecurity_threat_crime_criminal_with_black_hat_mask_and_crowbar_breaks_into_a_laptop_by_drdrawer_shutterstock_1364574311_royalty-free_digital-only_2400x1600-100890822-small.jpg\"\/><\/p>\n<p>Another day, another hack of Microsoft technology. Ho-hum, you might think, this has happened before and will happen again \u2014 as surely as the sun rises in the morning and sets at night.<\/p>\n<p>This time is different. Because this time <a href=\"https:\/\/www.nytimes.com\/2024\/01\/19\/technology\/microsoft-executive-emails-hacked.html\" rel=\"nofollow\">the targets weren\u2019t Microsoft customers, but rather the top echelons of Microsoft itself<\/a>. And the hacker group, called Midnight Blizzard, or sometimes Cozy Bear, the Dukes, or A.P.T. 
29, <a href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa21-116a\" rel=\"nofollow\">is sponsored by Russia\u2019s Foreign Intelligence Service<\/a> (and has been since at least 2008).<\/p>\n<p>And this time, the hack might persuade the federal government to finally take a harder line against Microsoft\u2019s and Windows\u2019 continuing vulnerabilities.<\/p>\n<p>To understand why, let\u2019s start with a look at the hack itself.<\/p>\n<p><strong>Hacked by a simple, basic trick<\/strong><\/p>\n<p>Midnight Blizzard is well known for its sophisticated cyberattack capabilities, including the <a href=\"https:\/\/www.wired.com\/story\/the-untold-story-of-solarwinds-the-boldest-supply-chain-hack-ever\/\" rel=\"nofollow\">SolarWinds supply-chain attack<\/a> in which it broke into the company, which offers system management tools used for network and infrastructure monitoring, and embedded malware into SolarWinds\u2019 software. That malware was then distributed to thousands of the company\u2019s customers, among them eight or more federal agencies, including the US Department of Defense, Department of Homeland Security, and the Treasury Department, and tech and security firms, including Intel, Cisco, and Palo Alto Networks.<\/p>\n<p>Microsoft <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/09\/28\/how-nation-state-attackers-like-nobelium-are-changing-cybersecurity\/\" rel=\"nofollow\">said that hack was \u201cthe most sophisticated nation-state cyberattack in history.<\/a>\u201d The hack also involved infiltrating Democratic National Committee servers, stealing emails and documents, and releasing them publicly.<\/p>\n<p>This time around, though, Midnight Blizzard didn\u2019t have to build a sophisticated hacking tool. To attack Microsoft, it used one of the most basic of basic hacking tricks, \u201cpassword spraying.\u201d In it, hackers type commonly-used passwords into countless random accounts, hoping one will give them access. 
Once they get that access, they\u2019re free to roam throughout a network, hack into other accounts, steal email and documents, and more.<\/p>\n<p><a href=\"https:\/\/msrc.microsoft.com\/blog\/2024\/01\/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard\/\" rel=\"nofollow\">In a blog post<\/a>, Microsoft said Midnight Blizzard broke into an old test account using password spraying and then used the account\u2019s permissions to get into \u201cMicrosoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions,\u201d and steal emails and documents attached to them.<\/p>\n<p>The company claims the hackers initially targeted information about Midnight Blizzard itself, and that \u201cto date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems.\u201d<\/p>\n<p>As if to reassure customers, the company noted, \u201cThe attack was not the result of a vulnerability in Microsoft products or services.\u201d<\/p>\n<p>That should reassure no one. Midnight Blizzard succeeded because Microsoft violated two basic cybersecurity rules: Make sure all accounts use powerful passwords, and close all unused accounts. If the company can\u2019t follow such simple rules, you might wonder whether it can be trusted to protect its customers against hacking.<\/p>\n<p>And note that Microsoft didn\u2019t promise Midnight Blizzard hasn\u2019t used its access to break into its customers\u2019 networks, or even more frightening, into its AI systems. It only said that \u201cto date\u201d it\u2019s found no evidence of that, and that it\u2019s still investigating.<\/p>\n<p><strong>Why this is more than just a black eye<\/strong><\/p>\n<p>The hack, especially because it was accomplished so easily, is a black eye for Microsoft. But it\u2019s even worse. 
It comes after a series of high-profile hacks of Microsoft technologies that angered the feds so much they\u2019ve been looking into Microsoft\u2019s security protocols.<\/p>\n<p>The <a href=\"https:\/\/www.washingtonpost.com\/technology\/2024\/01\/19\/microsoft-hack-russia-email\/\" rel=\"nofollow\">Washington Post writes<\/a>: \u201cGovernment officials and outside security experts have repeatedly called out weak authentication requirements, test accounts and the ease in creating new accounts as major holes in Microsoft service protections\u2026. Friday\u2019s disclosure also comes during investigations by the Department of Homeland Security\u2019s cyber safety review board and others into lapses in Microsoft security that allowed Chinese government hackers to steal unclassified email from top US diplomats ahead of a summit between the two nations last year.\u201d<\/p>\n<p>At a speech at Carnegie Mellon University last year, <a href=\"https:\/\/www.washingtonpost.com\/technology\/2024\/01\/19\/microsoft-hack-russia-email\/\" rel=\"nofollow\">Cybersecurity and Infrastructure Security Agency Director Jen Easterly criticized Microsoft<\/a> because only about a quarter of its enterprise customers use multifactor authentication. It\u2019s exceedingly rare that federal officials publicly target companies that way.<\/p>\n<p>At around the same time, <a href=\"https:\/\/www.computerworld.com\/article\/3690592\/feds-to-microsoft-clean-up-your-security-act-or-else.html\">the Biden Administration released a new National Cybersecurity Strategy<\/a> that calls on tech firms and private industry to follow best security practices such as patching systems to fight newly found vulnerabilities and using multifactor authentication whenever possible.<\/p>\n<p>An accompanying fact sheet warns: \u201cPoor software security greatly increases systemic risk across the digital ecosystem and leave American citizens bearing the ultimate cost. 
We must begin to shift liability onto those entities that fail to take reasonable precautions to secure their software.\u201d<\/p>\n<p>This latest Microsoft hack seems to be a textbook case of violating that strategy. But the strategy requires legislative action if it\u2019s to have teeth, and when it comes to regulating tech, Congress is decidedly hands-off. At the moment, violating the strategy appears to get you little more than a finger-waving \u201cshame on you.\u201d<\/p>\n<p>That inaction isn\u2019t likely to last forever. Republicans and Democrats have both made tech companies their latest whipping boy. And Microsoft, <a href=\"https:\/\/fortune.com\/2022\/12\/08\/pentagon-cloud-contract-to-be-shared-by-google-amazon-microsoft-and-oracle-in-9-billion-deal\/\" rel=\"nofollow\">which gets billions of dollars in federal contracts<\/a>, including $150 million to improve cloud security, could eventually see some of its contracts cancelled if it doesn\u2019t even adhere to the simplest of cybersecurity precautions. (Sen. 
Ron Wyden (D-OR) has <a href=\"https:\/\/www.reuters.com\/article\/us-usa-cyber-microsoft-exclusive\/exclusive-microsoft-could-reap-more-than-150-million-in-new-u-s-cyber-spending-upsetting-some-lawmakers-idUSKBN2B713L\/\" rel=\"nofollow\">already threatened he might do just that<\/a>.)<\/p>\n<p>This latest hack of Microsoft could just be the thing that makes Congress finally take action.<\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3712380\/russia-hacks-microsoft-its-worse-than-you-think.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2021\/06\/hacker_hackingsecurity_threat_crime_criminal_with_black_hat_mask_and_crowbar_breaks_into_a_laptop_by_drdrawer_shutterstock_1364574311_royalty-free_digital-only_2400x1600-100890822-small.jpg\"\/><\/p>\n<article>\n<section class=\"page\">\n<p>Another day, another hack of Microsoft technology. Ho-hum, you might think, this has happened before and will happen again \u2014 as surely as the sun rises in the morning and sets at night.<\/p>\n<p>This time is different. Because this time <a href=\"https:\/\/www.nytimes.com\/2024\/01\/19\/technology\/microsoft-executive-emails-hacked.html\" rel=\"nofollow\">the targets weren\u2019t Microsoft customers, but rather the top echelons of Microsoft itself<\/a>. And the hacker group, called Midnight Blizzard, or sometimes Cozy Bear, the Dukes, or A.P.T. 
29, <a href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa21-116a\" rel=\"nofollow\">is sponsored by Russia\u2019s Foreign Intelligence Service<\/a> (and has been since at least 2008).<\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[11067,10516,8698,714,24580,10525],"class_list":["post-23814","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-government-it","tag-microsoft","tag-regulation","tag-security","tag-small-and-medium-business","tag-windows"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/23814","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=23814"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/23814\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=23814"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=23814"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=23814"}],"curies":
[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}