Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Microsoft Reveals Customer’s Nightmare: Six Sets of Hackers on Network

March 11, 2020

On March 10, ZDNet reported an astonishing story from Microsoft. Microsoft's first report from its Detection and Response Team (DART), which assists customers with cyber incidents, reveals the case of a large customer with six threat actors simultaneously on its network, including one state-sponsored hacker group that had been exfiltrating data and email for 243 days.

That took my breath away. We've never seen SIX!

Microsoft announced DART in March 2019 as part of its $1 billion a year foray into enterprise cybersecurity announced by CEO Satya Nadella in 2017.

Microsoft intends to publish regular updates about DART's activities, to illustrate how hackers are working, but without revealing the names of customers.

Its first report details an advanced persistent threat (APT) attacker that stole administrator credentials to penetrate the target's network and steal sensitive data and emails.

You will not be surprised to learn that the customer was not using multi-factor authentication (MFA), which could have prevented the breach. Microsoft has previously revealed that 99.9% of compromised accounts didn't use MFA, and only 11% of enterprise accounts use MFA.

DART was brought in after the customer had not been able to boot one attacker off its network after 243 days, despite having engaged an incident response vendor seven months earlier. The attacker was ejected on the day Microsoft's team arrived. One does have to wonder why the vendor couldn't do that. Microsoft also discovered five other hacking groups were inside the network.

In this case, the main attacker used a password-spraying attack to snatch the customer's Office 365 admin credentials and then scoured mailboxes to find more credentials shared among employees in emails. DART found the attacker was looking for intellectual property in certain markets, which is not an unusual objective of APT hackers.

The attacker even used the customer's e-discovery and compliance tools to automate the search for relevant emails. Very clever.

According to Microsoft, the company spent the first month of the attack trying to handle the compromised Office 365 account itself, then brought in an incident-response vendor, which led to what proved to be a long investigation.

"This investigation lasted more than seven months and revealed a possible compromise of sensitive information – pertaining to the victim and the victim's customers – stored in Office 365 mailboxes. 243 days after the initial compromise, DART was then brought in to work alongside the incident-response vendor and the company's in-house teams," Microsoft said.

"DART quickly identified targeted mailbox searches and compromised accounts, as well as attacker command-and-control channels. DART also identified five additional, distinct attacker campaigns persisting in the environment that were unrelated to the initial incident. They discovered these attackers had entered the environment even earlier to establish access channels (i.e., back doors) for later use as needed."

Microsoft outlines five basic steps that organizations can use to minimize their exposure to APT attackers: enabling MFA, removing legacy authentication (older protocols that cannot carry an MFA challenge), adequately training first responders, properly logging events with a security information and event management (SIEM) product, and recognizing that attackers do use legitimate administrative and security tools to probe targets.
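The password-spraying attack described above and two of Microsoft's five steps (logging sign-in events, removing legacy authentication) can be tied together in a small detection script. The following is an added example, not code from the blog, ZDNet or Microsoft's DART report. It assumes a simplified whitespace-separated sign-in log format, a made-up set of legacy client names, and arbitrary thresholds (five distinct accounts failing from one source address within ten minutes); the records themselves are constructed. It flags a spray by counting distinct accounts per source address rather than failures per account, so a single user fat-fingering a password is not reported, and it lists any success from a spraying address, any success through a legacy protocol, and any success that did not involve MFA.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real data). The format is an
# assumption: timestamp user source_ip client_app result mfa
SAMPLE_LOG = """\
2020-03-01T02:00:01Z alice@example.com 203.0.113.9 IMAP4 FAIL none
2020-03-01T02:00:04Z bob@example.com 203.0.113.9 IMAP4 FAIL none
2020-03-01T02:00:07Z carol@example.com 203.0.113.9 IMAP4 FAIL none
2020-03-01T02:00:10Z dave@example.com 203.0.113.9 IMAP4 FAIL none
2020-03-01T02:00:13Z erin@example.com 203.0.113.9 IMAP4 FAIL none
2020-03-01T02:00:16Z admin@example.com 203.0.113.9 IMAP4 SUCCESS none
2020-03-01T02:05:00Z alice@example.com 198.51.100.7 Browser SUCCESS mfa
2020-03-01T02:06:00Z alice@example.com 198.51.100.7 Browser FAIL mfa
2020-03-01T02:07:00Z alice@example.com 198.51.100.7 Browser FAIL mfa
2020-03-01T09:00:00Z bob@example.com 192.0.2.44 Browser SUCCESS mfa
"""

# Assumed names for protocols that cannot carry an MFA challenge.
LEGACY_CLIENTS = {"IMAP4", "POP3", "SMTP", "ActiveSyncBasic"}
SPRAY_WINDOW = timedelta(minutes=10)   # assumed tuning value
SPRAY_DISTINCT_USERS = 5               # assumed tuning value


def parse_log(text):
    """Parse the assumed log format into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, client, result, mfa = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "client": client,
            "ok": result == "SUCCESS", "mfa": mfa == "mfa",
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events, window=SPRAY_WINDOW,
                          threshold=SPRAY_DISTINCT_USERS):
    """Flag source IPs whose failures cover >= threshold distinct accounts
    within `window`. Repeated failures on ONE account are brute force, not a
    spray, and are deliberately not reported here."""
    failures_by_ip = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures_by_ip[e["ip"]].append(e)   # stays in time order
    findings = {}
    for ip, fails in failures_by_ip.items():
        for i, first in enumerate(fails):
            users = {f["user"] for f in fails[i:]
                     if f["ts"] - first["ts"] <= window}
            if len(users) >= threshold:
                # A success from a spraying address after the spray began is
                # the signal that the spray found a working password.
                later = sorted({e["user"] for e in events
                                if e["ip"] == ip and e["ok"]
                                and e["ts"] >= first["ts"]})
                findings[ip] = {"start": first["ts"],
                                "distinct_users": len(users),
                                "users": sorted(users),
                                "later_successes": later}
                break
    return findings


def legacy_auth_signins(events):
    """Successful sign-ins over protocols that bypass MFA entirely."""
    return [(e["user"], e["ip"], e["client"]) for e in events
            if e["ok"] and e["client"] in LEGACY_CLIENTS]


def successes_without_mfa(events):
    """Accounts that signed in successfully without an MFA step."""
    return sorted({e["user"] for e in events if e["ok"] and not e["mfa"]})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, f in detect_password_spray(evs).items():
        print(f"spray from {ip} starting {f['start']}: "
              f"{f['distinct_users']} accounts; later successes: "
              f"{f['later_successes']}")
    print("legacy-protocol successes:", legacy_auth_signins(evs))
    print("successes without MFA:", successes_without_mfa(evs))
```

On the constructed records the script reports one spraying address followed by a successful `admin@example.com` sign-in over IMAP4 with no MFA, which is exactly the combination the post describes: a spray that lands on an admin account through a legacy protocol that MFA could not protect. Real tenants would feed exported sign-in logs in their own format; only `parse_log` would need to change.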

The lesson is clear: Customers should make use of available tools and ensure they are logging security events.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225 | Fairfax, VA 22030
Email: Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson