While helping a "large mult-national" customer deal with a state-sponsored attack group which had been stealing data and email for about eight months, Microsoft’s incident response team uncovered five other threat actors operating simultaneously on the network.
The state-sponsored group had gained unauthorized access to the network after stealing Office 365 administrator credentials, Microsoft’s Detection and Response Team (DART) wrote in its first case report. The company initially attempted to remediate the compromised Office 365 account on its own, and then engaged an incident response vendor to handle the investigation. DART was brought in about 240 days later.
Microsoft announced DART in March 2019 and said it would regularly publish case studies of DART’s investigations as a way to illustrate attacker operations. This first case study highlighted the importance of multi-factor authentication and turning on logging and auditing.
The attack group used a password spray attack—where attackers run through a large number of common passwords to see if one of them works—to gain the company’s Office 365 administrator credentials. Once in, the group searched other mailboxes for emails sent by employees containing credentials for other accounts. The attackers used the customer’s existing e-discovery and compliance tools to automated the search for these email messages.
“By ‘living off the land’ and easing its workload, the attacker found ways to turn on existing features that the customer had implemented, but was not actively using or had not turned on,” the report said.
The group specifically searched for emails in certain regions and market segments, suggesting the attackers were interested in stealing intellectual property for specific markets.
While identifying compromised accounts and command-and-control channels used by the attack group, DART found “five additional, distinct attacker campaigns” also in the network. Unrelated to the attack group, these additional attackers had breached the network even earlier and installed backdoors for their own purposes.
The customer was not gathering logs from high-value systems, so “could not see the APT group’s attack coming,” the report said. “This was a big factor in the adversaries’ ability to exploit attack opportunities in the company’s environment.”
Defenses That Work
Microsoft outlined five things that could have helped the customer minimize the scope of this attack, including turning on multi-factor authentication, removing legacy authentication, training incident responders, and logging events.
Multi-factor authentication could have blocked the initial attack, as the attack group would not have been able to use password spraying to obtain administrator credentials. Microsoft has said in the past that enabling multi-factor authentication on user accounts blocks 99.9 percent of all account compromises.
At RSA Conference, Microsoft engineers Lee Walker and Alexander Weinert said that 99.9 percent of the compromised accounts the company tracks every month don’t have multi-factor authentication enabled. If multi-factor authentication had been turned on, most of these automated accounts would have been blocked.
Password spraying was the most common attack method against the compromised accounts, Walker and Weinert said. The second most common method was password replays, when an attacker takes credentials leaked for another account and tries it against a Microsoft account. The attack works when users reuse usernames and passwords.
"We know that 60 percent of users reuse passwords. It's super common," said Walker.
In the DART report, the team recommended disabling legacy authentication protocols so that attackers can’t use them to bypass multi-factor authentication. Legacy authentication protocols, such as SMTP, IMAP, and POP, do not support multi-factor authentication, so keeping them around provides attackers with a potential entry point.
Walker and Weinert said 99 percent of all password spraying attacks and 97 percent of password replay attacks used legacy authetnication protocols. They claimed a 67 percent reduction in account compromises for organizations who disabled legacy protocols.
Logging should be turned on for all systems, and the logs should be aggregated, such as through a security information and event management (SIEM) product. Having logs helps defenders look for anomalous behavior, and can also see when legitimate tools and software are being used in unexpected ways. Logs allow “unauthorized activation or use of these systems to be noticed and investigated as soon as possible.”
“Multi-factor authentication, conditional access, and enabling logging cannot be optional,” Microsoft DART said in the report.