Posts in category: Technology

Microsoft on Friday revealed that the Kremlin-backed threat actor known as Midnight Blizzard (aka APT29 or Cozy Bear) managed to gain access to some of its source code repositories and internal systems following a hack that came to light in January 2024.

“In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access,” the tech giant said.

“This has included access to some of the company’s source code repositories and internal systems. To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised.”

Redmond, which is continuing to investigate the extent of the breach, said the Russian state-sponsored threat actor is attempting to leverage the different types of secrets it found, including those that were shared between customers and Microsoft in email.

It, however, did not disclose what these secrets were or the scale of the compromise, although it said it has directly reached out to impacted customers. It’s not clear what source code was accessed.

Stating that it has increased in its security investments, Microsoft further noted that the adversary ramped up its password spray attacks by as much as 10-fold in February, compared to the “already large volume” observed in January.

“Midnight Blizzard’s ongoing attack is characterized by a sustained, significant commitment of the threat actor’s resources, coordination, and focus,” it said.

“It may be using the information it has obtained to accumulate a picture of areas to attack and enhance its ability to do so. This reflects what has become more broadly an unprecedented global threat landscape, especially in terms of sophisticated nation-state attacks.”

The Microsoft breach is said to have taken place in November 2023, with Midnight Blizzard employing a password spray attack to successfully infiltrate a legacy, non-production test tenant account that did not have multi-factor authentication (MFA) enabled.

The tech giant, in late January, revealed that APT29 had targeted other organizations by taking advantage of a diverse set of initial access methods ranging from stolen credentials to supply chain attacks.

Midnight Blizzard is considered part of Russia’s Foreign Intelligence Service (SVR). Active since at least 2008, the threat actor is one of the most prolific and sophisticated hacking groups, compromising high-profile targets such as SolarWinds.

“Microsoft’s breach by Midnight Blizzard is a strategic blow,” Tenable CEO Amit Yoran said in a statement shared with The Hacker News. “Midnight Blizzard isn’t some small-time criminal gang. They are a highly professional, Russian-backed outfit that fully understands the value of the data they’ve exposed and how to best use it to inflict maximum harm.”

“Microsoft’s ubiquity requires a much higher level of responsibility and transparency than what they’ve consistently shown. Even now they’re not sharing the full truth – for instance we don’t yet know which source code has been compromised. These breaches aren’t isolated from each other and Microsoft’s shady security practices and misleading statements purposely obfuscate the whole truth.”

Technical specifics and a proof-of-concept (PoC) exploit have been made available for a recently disclosed critical security flaw in Progress Software OpenEdge Authentication Gateway and AdminServer, which could be potentially exploited to bypass authentication protections.

Tracked as CVE-2024-1403, the vulnerability has a maximum severity rating of 10.0 on the CVSS scoring system. It impacts OpenEdge versions 11.7.18 and earlier, 12.2.13 and earlier, and 12.8.0.

“When the OpenEdge Authentication Gateway (OEAG) is configured with an OpenEdge Domain that uses the OS local authentication provider to grant user-id and password logins on operating platforms supported by active releases of OpenEdge, a vulnerability in the authentication routines may lead to unauthorized access on attempted logins,” the company said in an advisory released late last month.

“Similarly, when an AdminServer connection is made by OpenEdge Explorer (OEE) and OpenEdge Management (OEM), it also utilizes the OS local authentication provider on supported platforms to grant user-id and password logins that may also lead to unauthorized login access.”

Progress Software said the vulnerability incorrectly returns authentication success from an OpenEdge local domain if unexpected types of usernames and passwords are not appropriately handled, leading to unauthorized access sans proper authentication.

The flaw has been addressed in versions OpenEdge LTS Update 11.7.19, 12.2.14, and 12.8.1.

Horizon3.ai, which reverse-engineered the vulnerable AdminServer service, has since released a PoC for CVE-2024-1403, stating the issue is rooted in a function called connect() that’s invoked when a remote connection is made.

This function, in turn, calls another function called authorizeUser() that validates that the supplied credentials meet certain criteria, and passes control to another part of the code that directly authenticates the user if the provided username matches “NT AUTHORITY\SYSTEM.”

“Deeper attacker surface looks like it may allow a user to deploy new applications via remote WAR file references, but the complexity increased dramatically in order to reach this attack surface because of the use of internal service message brokers and custom messages,” security researcher Zach Hanley said.

“We believe there is again likely an avenue to remote code execution via built in functionality given enough research effort.”