idea
List of security breaches.
2024-01-xx - Microsoft / Midnight Blizzard access to email
Midnight Blizzard is a Russian state-sponsored hacker group whose campaign against Microsoft is ongoing. This entry covers only its access to corporate email in early 2024.
Impact:
- Corporate credentials: access to corporate emails[1], usable to access other systems, including customer systems[5]
- Corporate assets: code repositories[1], internal systems[1].
- No customer data: no evidence that customer-facing systems were compromised[4]
Who: Microsoft v. nation-state hacker group (Russian state-sponsored, also tracked as NOBELIUM)
How:
- Password spray: accessed a legacy, non-production test tenant account that had no MFA enabled[6] through password spraying.
- Non-prod application with inadequate access to prod systems: from the account compromised in (1), the attacker reached a legacy test OAuth application that had elevated access to the corporate MSFT tenant. That let them create additional malicious OAuth applications and a new user account to consent to them, grant themselves the Exchange Online full_access_as_app role[7], and use those applications to read corporate mailboxes.
- Sharing secrets over non-secure channels: the attacker found and used secrets that customers had shared with executives over corporate email[5].
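The two footholds above (a spray against a no-MFA account, then an application permission that grants mailbox-wide access) are both things a tenant owner can check for. The script below is an added example written for these notes, not code from Microsoft or from any of the cited write-ups. It runs two defender-side checks over constructed, simplified records: a sliding-window password-spray detector over sign-in events, and an audit of application permission grants for the full_access_as_app role named in [7]. The record fields (ts, ip, user, result, mfa_enabled, app, resource, role, owner) are an assumption chosen for the example, not the schema of a real Entra ID or Exchange Online export.

```python
"""
Added example (not from the original notes). Two defender-side checks that map
to the two footholds in the Midnight Blizzard write-up:

  1. detect_password_spray: flags source IPs that fail authentication against
     many distinct accounts inside a short window (the spray signature) and
     reports any later success from that IP against a sprayed account that
     has no MFA.
  2. find_mailbox_wide_apps: flags application permission grants that carry
     the Exchange Online full_access_as_app role, i.e. tenant-wide mailbox
     access with no signed-in user.

All record fields and sample values below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events: one IP tries five accounts in under a minute and
# then succeeds against a non-MFA service account; a second IP is normal noise.
SIGN_IN_EVENTS = [
    {"ts": "2024-01-10T03:00:01", "ip": "203.0.113.7", "user": "test-a@contoso.example", "result": "failure", "mfa_enabled": False},
    {"ts": "2024-01-10T03:00:05", "ip": "203.0.113.7", "user": "test-b@contoso.example", "result": "failure", "mfa_enabled": False},
    {"ts": "2024-01-10T03:00:09", "ip": "203.0.113.7", "user": "svc-legacy@contoso.example", "result": "failure", "mfa_enabled": False},
    {"ts": "2024-01-10T03:00:14", "ip": "203.0.113.7", "user": "alice@contoso.example", "result": "failure", "mfa_enabled": True},
    {"ts": "2024-01-10T03:00:20", "ip": "203.0.113.7", "user": "bob@contoso.example", "result": "failure", "mfa_enabled": True},
    {"ts": "2024-01-10T03:00:27", "ip": "203.0.113.7", "user": "svc-legacy@contoso.example", "result": "success", "mfa_enabled": False},
    {"ts": "2024-01-10T08:15:00", "ip": "198.51.100.2", "user": "alice@contoso.example", "result": "failure", "mfa_enabled": True},
    {"ts": "2024-01-10T08:15:30", "ip": "198.51.100.2", "user": "alice@contoso.example", "result": "success", "mfa_enabled": True},
]

# Constructed application permission grants. `role` is the app-role value as it
# would appear on a grant; full_access_as_app is the role quoted in ref [7].
APP_GRANTS = [
    {"app": "legacy-test-app", "resource": "Office 365 Exchange Online", "role": "full_access_as_app", "owner": "none"},
    {"app": "hr-sync", "resource": "Microsoft Graph", "role": "User.Read.All", "owner": "hr-platform"},
    {"app": "mail-archiver", "resource": "Office 365 Exchange Online", "role": "full_access_as_app", "owner": "it-ops"},
]

MAILBOX_WIDE_ROLES = {"full_access_as_app"}


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {ip: finding} for every IP whose failed sign-ins hit at least
    `min_users` distinct accounts within any sliding `window`."""
    mfa_by_user = {e["user"]: e["mfa_enabled"] for e in events}
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append((datetime.fromisoformat(e["ts"]), e))

    findings = {}
    for ip, rows in by_ip.items():
        rows.sort(key=lambda r: r[0])
        failures = [r for r in rows if r[1]["result"] == "failure"]
        start = 0
        for end in range(len(failures)):
            # Advance the window start until the span fits inside `window`.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            users = {r[1]["user"] for r in failures[start:end + 1]}
            if len(users) >= min_users:
                # A success from the same IP against a sprayed, non-MFA account
                # is the case the write-up describes (legacy test account, no MFA).
                success_no_mfa = sorted({
                    r[1]["user"] for r in rows
                    if r[1]["result"] == "success"
                    and r[1]["user"] in users
                    and not mfa_by_user[r[1]["user"]]
                })
                findings[ip] = {
                    "targeted_users": sorted(users),
                    "users_without_mfa": sorted(u for u in users if not mfa_by_user[u]),
                    "success_without_mfa": success_no_mfa,
                }
                break
    return findings


def find_mailbox_wide_apps(grants):
    """Return the grants that give an application mailbox-wide access, sorted by app name."""
    return sorted((g for g in grants if g["role"] in MAILBOX_WIDE_ROLES), key=lambda g: g["app"])


if __name__ == "__main__":
    for ip, f in detect_password_spray(SIGN_IN_EVENTS).items():
        print(f"spray from {ip}: {len(f['targeted_users'])} accounts targeted, "
              f"no-MFA targets {f['users_without_mfa']}, "
              f"success without MFA {f['success_without_mfa']}")
    for g in find_mailbox_wide_apps(APP_GRANTS):
        print(f"app {g['app']} holds {g['role']} on {g['resource']} (owner: {g['owner']})")
```

The spray detector keys on distinct accounts per source rather than failures per account, which is what distinguishes a spray (few passwords, many users) from an ordinary lockout pattern. The app audit is deliberately blunt: every full_access_as_app grant is listed, and the owner field is there so an ownerless legacy grant like the first one stands out for removal.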
Anecdotal:
- I got woken up at 3AM on 2024-02-21 to rotate app credentials as part of a company-wide Sev-1.
Ref:
[1]: Microsoft MSRC 2024-03-08: Update on Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard
[4]: Microsoft MSRC 2024-03-08:
To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised.
[5]: Microsoft MSRC 2024-03-08:
Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures.
[6]: Microsoft Security 2024-01-25: Midnight Blizzard: Guidance for responders on nation-state attack
Midnight Blizzard utilized password spray attacks that successfully compromised a legacy, non-production test tenant account that did not have multifactor authentication (MFA) enabled.
[7]: Microsoft Security 2024-01-25:
Midnight Blizzard leveraged their initial access to identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment. The actor created additional malicious OAuth applications. They created a new user account to grant consent in the Microsoft corporate environment to the actor controlled malicious OAuth applications.
The threat actor then used the legacy test OAuth application to grant them the Office 365 Exchange Online full_access_as_app role, which allows access to mailboxes.
Midnight Blizzard leveraged these malicious OAuth applications to authenticate to Microsoft Exchange Online and target Microsoft corporate email accounts.
2024-05-29 - Ticketmaster / breach
Impact: data leak: 500M users impacted; PII (name, phone, address, email), order history, financial data (last four digits of card number, expiry date); 1.3 Tb of data[2].
Who: Ticketmaster v. independent hacker group (ShinyHunters)
How: Unknown.
Anecdotal:
- Data set on sale for $500k[2].
- Ticketmaster paid $10M to Songkick in 2020 for gaining unauthorized access to its competitor's systems[2].
Ref:
[2]: Mashable: Ticketmaster hacked
[3]: HN: Discussion on HN