In January 2024, Microsoft discovered they'd been the victim of a hack orchestrated by Russian-state hackers Midnight Blizzard (sometimes known as Nobelium). The concerning detail about this case is how easy it was to breach the software giant. It wasn't a highly technical hack that exploited a zero-day vulnerability – the hackers used a simple password spray attack to take control of an old, inactive account. This serves as a stark reminder of the importance of password security and why organizations need to protect every user account.
Password spraying: A simple yet effective attack
The hackers gained entry by using a password spray attack in November 2023, Password spraying is a relatively simple brute force technique that involves trying the same password against multiple accounts. By bombarding user accounts with known weak and compromised passwords, the attackers were able to gain access to a legacy non-production test account within the Microsoft system which provided them with an initial foothold in the environment. This account either had unusual privileges or the hackers escalated them.
The attack lasted for as long as seven weeks, during which the hackers exfiltrated emails and attached documents. This data compromised a 'very small percentage' of corporate email accounts, including those belonging to senior leadership and employees in the Cybersecurity and Legal teams. Microsoft's Security team detected the hack on January 12th and took immediate action to disrupt the hackers' activities and deny them further access.
However, the fact that the hackers were able to access such sensitive internal information highlights the potential damage that can be caused by compromising even seemingly insignificant accounts. All attackers need is an initial foothold within your organization.
The importance of protecting all accounts
While organizations often prioritize the protection of privileged accounts, the attack on Microsoft demonstrates that every user account is a potential entry point for attackers. Privilege escalation means that attackers can achieve their goals without necessarily needing a highly privileged admin account as an entry point.
Protecting an inactive low-privileged account is just as crucial as safeguarding a high-privileged admin account for several reasons. First, attackers often target these overlooked accounts as potential entry points into a network. Inactive accounts are more likely to have weak or outdated passwords, making them easier targets for brute force attacks. Once compromised, attackers can use these accounts to move laterally within the network, escalating their privileges and accessing sensitive information.
Second, inactive accounts are often neglected in terms of security measures, making them attractive targets for hackers. Organizations may overlook implementing strong password policies or multi-factor authentication for these accounts, leaving them vulnerable to exploitation. From an attacker's perspective, even low-privileged accounts can provide valuable access to certain systems or data within an organization.
Defend against password spray attacks
The Microsoft hack serves as a wake-up call for organizations to prioritize the security of every user account. It highlights the critical need for robust password protection measures across all accounts, regardless of their perceived significance. By implementing strong password policies, enabling multi-factor authentication, conducting regular Active Directory audits, and continuously scanning for compromised passwords, organizations can significantly reduce the risk of being caught out in the same way.
- Active Directory auditing: Conducting regular audits of Active Directory can provide visibility into unused and inactive accounts, as well as other password-related vulnerabilities. Audits provide a valuable snapshot of your Active Directory but should always be complemented by ongoing risk mitigation efforts. If you're lacking visibility into your organization's inactive and stale user accounts, consider running a read-only audit with our free auditing tool that gives an interactive exportable report: Specops Password Auditor.
- Robust password policies: Organizations should enforce strong password policies that block weak passwords, such as common terms or keyboard walks like 'qwerty' or '123456.' Implementing long, unique passwords or passphrases is a strong defense against brute-force attacks. Custom dictionaries that block terms related to the organization and industry should also be included.
- Multi-factor authentication (MFA): Enabling MFA adds an authentication roadblock for hackers to overcome. MFA serves as an important layer of defense, although it's worth remembering that MFA isn't foolproof. It needs to be combined with strong password security.
- Compromised password scans: Even strong passwords can become compromised if end users reuse them on personal devices, sites, or applications with weak security. Implementing tools to continuously scan your Active Directory for compromised passwords can help identify and mitigate potential risks.
Continuously shut down attack routes for hackers
The Microsoft hack underscores the need for organizations to implement robust password protection measures across all accounts. A secure password policy is essential, ensuring that all accounts, including legacy, non-production, and testing accounts, aren't overlooked. Additionally, blocking known compromised credentials adds an extra layer of protection against active attacks.
Specops Password Policy with Breached Password Protection offers automated, ongoing protection for your Active Directory. It protects your end users against the use of more than 4 billion unique known compromised passwords, including data from both known leaks as well as our own honeypot system that collects passwords being used in real password spray attacks.
The daily update of the Breached Password Protection API, paired with continuous scans for the use of those passwords in your network, equals a much more comprehensive defense against the threat of password attack and the risk of password reuse. Speak to expert today to find out how Specops Password Policy could fit in with your organization.