22 comments

[ 5.0 ms ] story [ 49.3 ms ] thread
I am Jack's complete lack of surprise.

First it was "a very small percentage of Microsoft corporate email accounts" (their C-suite executives and security teams) and "To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems."

Then it was "access to some of the company's source code repositories and internal systems. To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised."

And now this.

Yes, a total own. So will they rebuild from scratch?
Probably better to patch the current system than create a new one with potentially new unknown vulnerabilities.
Rebuild what exactly? From an article back in January: The company said the hackers used a "password spray attack"

This wasn’t necessarily a technical vulnerability.

> So will they rebuild from scratch?

Are you suggesting they'll suddenly have a fit of competence?

That would be super surprising for everyone. Including themselves.

> This week we are continuing notifications to customers who corresponded with Microsoft corporate email accounts that were exfiltrated by the Midnight Blizzard threat actor

My interpretation is that they are notifying customers who corresponded with compromised Microsoft accounts, not that they are saying customer-use email systems were compromised. Do you read that differently?

(comment deleted)
Enterprise inertia is a hell of a thing. I have no idea how you can otherwise justify using Azure with their security track record.
Microsoft does make good products internally, but by the time these make into public machines it is the same old garbage users and Marketing demanded.

After a while you will stop caring too... it happens to everyone eventually. =3

Employer: find me a cloud to do stuff

Employee: Microsoft gives us a 50% "discount" vs the competition but they may get hacked easier.. incentive brain mode: if i save 50%, I may get a raise. If MS gets hacked, then "everyone suffers, so it's not like I'll get the blame for this decision"... Azure 100%!!!

I'm not terribly sure if it's really more MS lack of security posture vs. being a big target as they hold a lot of juicy government targets, etc.. so my comment isn't really to beat up on MS because who knows the key flaw that got them inside yet?

> MS lack of security posture

It's definitely their lack of security posture. Their being a big target also doesn't help, but their shithouse attitude and practises is probably their main problem.

This was a targeted attack on internal systems at Microsoft, not some breach of Azure, as far as I understand.
Yes, but will the enterprise world flinch an eye? Whoever chooses microsoft for their enterprise stuff do not care about security, as long as it’s not their direct fault directly in cases of customer data breaches they feel safe: “oh, Microsoft got hacked not us”. It’s like nobody gets fired for buying IBM all over again.
(comment deleted)
Just a reminder that new versions of Microsoft Outlook store your password and email data on their servers, even when using a non-Microsoft server.
Yikes. I use outlook for work. If it gets hacked I couldn’t care less, it’s on my employer between security policies and how they decided to use MS stuff. Personally, I would never trust MS with any my own stuff.
I've never understood how it's determined that it's a Russian hacking group that did this or any cyber attack. If it's so well understood what a Russian attack looks like, wouldn't it be trivial to make any attack look Russian? And if it's not so clear what a Russian-specific attack looks like, how can we be so confident all the time that it's undoubtedly Russian?
Oceania was always at war with Eastasia...

Just blaming public enemy of the day. Knowing who actually did it I difficult and not really important either.

I think that's BS because if I Google that exact question it tells me how. You don't understand because you either don't want to understand or haven't taken any time at all to research the topic.

It's also not always Russia, there were two cyber attack headlines yesterday and neither appeared to be state actors.

Google tells me it's complicated and there's no sure-fire way to know, and that effectively every single accusation of origin is only an estimation, which reinforces my original point that these attacks are stated factually as Russian instead of "forensic experts of unknown bias has some reason to believe it may be Russian of origin, but there is also evidence it could be other actors or actors trying to come across as Russian". But that doesn't make for as nice of a narrative.
It is based on various attribution factors. But since it is typically easier to point at the currently hated scapegoat and be done with it, the quality of these attribution factors leaves much to be desired.

E.g. https://blog.sekoia.io/noname05716-ddosia-project-2024-updat...

"The decision not to mandate VPN usage in Russia, especially given their statement “it is extremely unlikely that there will be any problems”, suggests a possible collaboration between the NoName057(16) group and the Russian state."

I imagine you've also heard of attributions like "Cyrillic layout" (used all over eurasia) or "IP pool associated with a Russian AS" (as if VPS renting isn't a thing or commodity routers in Russia aren't hackable and can't be forced into a botnet)

I imagine the attribution factors were something along "we saw IPs associated with Russian ISPs and cloud providers" or "parts of their infra were accessible from Russia without using VPN".