Understand how these attackers are operating and what their tactics mean for security strategies.
Microsoft announced earlier this month that Russian cyberattackers who breached their systems in January are now using credentials harvested in that earlier breach to continue their attacks. Known as Midnight Blizzard, these cyberattackers are linked to Russian Intelligence.
How did it happen
In January, Microsoft announced that Midnight Blizzard (group behind SolarWinds attack) had breached Microsoft corporate email accounts. Last week, they announced that the attackers are now using information collected during that breach to probe other systems.
“In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access. This has included access to some of the company’s source code repositories and internal systems,” Microsoft said in its statement.
Important to note that Microsoft owns GitHub, a public repository of software code for various applications.
Security experts and analysts are sounding the alarm that these breaches could have widespread consequences, and that the fact that they have been going on for two months unabated is troubling.
What does it mean
Once again, exposed secrets have been used to mount a larger supply chain attack. These exposed secrets will potentially allow the attackers to create malicious payloads and send them to Microsoft customers disguised as legitimate Microsoft software.
This attack follows a very similar attack path as previous supply chain attacks we’ve seen, such as Solarwinds, Codecov, and others. Attackers use exposed secrets to move laterally throughout an organization's software supply chain to gain access to source code or build processes in order to steal intellectual property or mount larger attacks on downstream customers.
As of Friday, Microsoft was still trying to remove the attackers from their environments, but wouldn’t disclose what kinds of source code they had access to or whether the attackers have gained access to sensitive build tools within their software factories.
The fact that Microsoft has confirmed that the attackers have accessed source code is noteworthy. We at Legit frequently find sensitive secrets in source code. We can, therefore, assume the attackers have now unearthed more secrets, allowing for further lateral movement or other orchestrated attacks.
This puts Microsoft customers and users at very real risk of getting compromised through a Microsoft package that has been tainted by attackers until the extent of the access and source code compromised are known and the attackers have been removed from the environments.
What are the security implications
This attack highlights the very real need for secrets detection in not only source code, but also the development environment, build pipelines, log files, emails, and documentation files across the organization.
Additionally, it once again proves that the narrow focus of traditional application security tools, currently just focused on risk within the application or production environments themselves, leaves very real gaps in security across the software supply chain. These gaps can be exploited by malicious attackers to mount extensive and damaging attacks that affect both the compromised company and large amounts of downstream users.
We’ll update this post as this story unfolds.
