Key Detection Indicators of Midnight Blizzard's Attack on Microsoft Decoded by Splunk

Insights provided by Splunk researchers offered an in-depth look into the tactics, techniques, and procedures (TTPs) employed by the Russian threat actor Midnight Blizzard, (aka. APT29, Cloaked Ursa, Cozy Bear, BlueBravo, The Dukes) in their November 2023 compromise of Microsoft. The Splunk Threat Research Team expanded upon Microsoft advisory and additional contributions from security researcher Andy Robbins, and pieced together the attack chain for the benefit of cybersecurity defenders. The attack as disclosed by Microsoft in January 2024, commenced with a password spray attack, successfully breaching a non-production test tenant account lacking multifactor authentication (MFA).

This initial breach allowed Midnight Blizzard to exploit two significant vulnerabilities: an authentication bypass and a path traversal flaw, which are critical vulnerabilities posing a direct threat to confidential data and critical systems. The research emphasizes the necessity to monitor for signs of password spray attacks, such as high login failures, especially if the failures originate from a single IP address, and examine failures within a short timeframe. Error code 50126 is identified as helpful in both the Unified Audit Log and Entra ID logs. Scrutinizing application configuration changes, particularly updates to certificates and secrets managers, is crucial as it can serve as a means to achieve elevated access. Splunk threat researcher, Mauricio Velazco, explains in the blog "Once the credentials were added, the adversary had to authenticate as the Service Principal associated with the application registration to utilize its permissions. It's important to note that by default, the Unified Audit Log only logs user interactive authentication events and does not include service principal authentication."

Following this initial access, the actors escalated their privileges by compromising a legacy test OAuth application with elevated access. Detection engineers are advised to watch for modifications to application registration objects and authentication as the Service Principal, actions that could signify unauthorized access attempts. Furthermore monitoring the ‘Add member to role’ and ‘Update application’ events within the M365/Entra ID ecosystem can aid in detecting potential privilege escalation and persistence mechanisms employed by the attackers. Bursts of configuration changes can serve as vital indicators of potential compromise.

Identifying a potential detection gap, Velazco discussed the likelihood of the threat actors "bypassing normal consent procedures" by programmatically altering permissions using the legacy application's service principal privileges, a method which would not have triggered standard 'Update Application' or 'Consent to Application' events. This approach, validated through replication using Microsoft Graph PowerShell SDK, necessitates that detection engineers monitor the 'Add app role assignment to service principal' event for insights into unauthorized permission assignments, demonstrating the importance of scrutinizing service principal activities to identify non-standard permission alterations.

The detection blueprint offered by Splunk of the Midnight Blizzard attack on Microsoft is a valuable guide for defenders to monitor for signs of compromise. It outlines the sophisticated methods employed by state-sponsored actors to infiltrate and persist within targeted networks and offers actionable detection strategies. Simple password spray attacks continue to be effective and are employed by state-sponsored threat actors, including APT28, APT33, and Lazarus, among others. The compromise of Microsoft's systems is evidence of the urgent need to address weak passwords within organizational defenses. These seemingly rudimentary tactics continue to pose significant threats, compelling organizations to prioritize enhancing their security posture by addressing the foundational issue of weak password practices.