The Midnight Blizzard attack: How Seclore provides control “beyond the breach”.
Midnight Blizzard & Data-Centric Security by Seclore

Microsoft has been notifying organizations on its platform that it believes have been targeted by Midnight Blizzard, the Russian state-sponsored actor also tracked as NOBELIUM and APT29.

Seclore provides a layer of security that travels with your digital assets, even after those assets have been exfiltrated, which is what we mean by “beyond the breach.”

Hewlett Packard Enterprise (HPE) disclosed in a regulatory filing with the SEC that a threat actor believed to be Midnight Blizzard had gained unauthorized access to some of its systems, including access to mailboxes beginning in May 2023. HPE’s investigation concluded that an earlier incident in June 2023, which involved access to SharePoint, was likely perpetrated by the same threat actor and may have been part of a longstanding campaign to gain access to company assets and communications. HPE has stated that the breach does not impact business operations or financials; however, the fact that the threat actor was able to gain and keep access for such a prolonged period remains a source of concern for CISOs around the world.

SharePoint may seem like a relatively innocuous target, but threat actors routinely mine knowledge repositories like it for account names, credentials, secrets, or other inside information that helps them discover and compromise other systems or escalate the privileged access they already have. The MITRE ATT&CK framework specifically calls out SharePoint as a resource attackers use to collect valuable information (T1213.002, Data from Information Repositories: Sharepoint). What we do know is that this attack reinforces the importance of the principle of least privilege. That principle goes beyond restricting accounts and identities so that a single compromised identity cannot reach entire systems; it also applies to knowledge repositories like SharePoint, where not every account needs access to every area.

Midnight Blizzard: Old, but successful tactics

It is important to understand the tactics and techniques employed, given how long the attack remained undetected. Publicly available reporting suggests that these attacks went undetected for approximately two months, and given the lack of visibility that many organizations have into identity security and identity activity, this is common (industry surveys put the average time to identify a breach at 207 days). Most organizations are prepared to detect malicious code and known hacking tools but have a blind spot when it comes to classifying the identities that represent the greatest risk or quarantining identities that have been compromised. It can also be exceedingly difficult to distinguish an attacker using a compromised identity from a bona fide user.

Midnight Blizzard's attack on Microsoft successfully leveraged two popular threat tactics:

  • Targeting legacy accounts - Targeting legacy, dormant, or test accounts and systems is a popular tactic for a range of threat actors, from nation-states to teen hacking crews like LAPSUS$. Privileged test accounts, for example, are often created during the initial setup of an application or system and never removed afterwards, which makes them a prized target. In the Microsoft intrusion the initial foothold was exactly this: a password spray against a legacy, non-production test tenant account.
  • Targeting dormant accounts - Threat actors like APT29 specialize in password attacks against dormant accounts and then exploit self-enrollment processes for multi-factor authentication (MFA) to register an authentication factor they control. The result is a valid identity that serves as excellent cover for access to other systems and information.
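The two tactics above leave a recognisable trail in identity logs: many bad-password failures against many accounts from one source, then a successful sign-in to an account nobody has used in months, then a new MFA method registered by that account. The following is an added example (not Seclore's or Microsoft's code) of detection logic for that sequence. Field names are modelled on Entra ID sign-in and audit log records (userPrincipalName, ipAddress, errorCode, activityDisplayName), the thresholds are assumptions, and the events, last-sign-in table and IP addresses are constructed for the example.

```python
"""Spot a password spray that lands on a dormant account and is followed by
attacker-controlled MFA enrolment.

Added example, not Seclore or Microsoft code. Field names are modelled on
Entra ID sign-in and audit log records; the events below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SPRAY_MIN_ACCOUNTS = 5               # distinct accounts failing from one IP ...
SPRAY_WINDOW = timedelta(hours=1)    # ... within this window (assumed threshold)
DORMANT_AFTER = timedelta(days=90)   # no successful sign-in for this long (assumed)
ERR_BAD_PASSWORD = 50126             # Entra ID: invalid username or password
MFA_REGISTRATION = "User registered security info"   # Entra audit activity name


def _ts(s):
    return datetime.fromisoformat(s)


def _signin(when, user, ip, code):
    return {"createdDateTime": when, "userPrincipalName": user,
            "ipAddress": ip, "errorCode": code}


# Constructed sample: one IP sprays six accounts, then logs into a test
# account nobody has used for months and registers a new MFA method.
SIGNINS = [_signin(f"2024-01-10T02:0{i}:00", f"user{i}@example.com",
                   "203.0.113.7", ERR_BAD_PASSWORD) for i in range(5)] + [
    _signin("2024-01-10T02:05:00", "svc-legacytest@example.com", "203.0.113.7", ERR_BAD_PASSWORD),
    _signin("2024-01-10T02:40:00", "svc-legacytest@example.com", "203.0.113.7", 0),
    _signin("2024-01-10T03:00:00", "bob@example.com", "198.51.100.4", ERR_BAD_PASSWORD),
    _signin("2024-01-10T03:01:00", "bob@example.com", "198.51.100.4", 0),
]
AUDIT = [{"activityDateTime": "2024-01-10T02:45:00",
          "activityDisplayName": MFA_REGISTRATION,
          "initiatedBy": "svc-legacytest@example.com"}]
# Last successful sign-in per account, as the directory would report it (constructed).
LAST_SUCCESS = {"svc-legacytest@example.com": "2023-06-01T00:00:00",
                "bob@example.com": "2024-01-09T00:00:00"}
NOW = _ts("2024-01-10T12:00:00")


def find_sprays(signins):
    """IPs whose bad-password failures hit >= SPRAY_MIN_ACCOUNTS distinct
    accounts inside SPRAY_WINDOW; returns {ip: accounts_targeted}."""
    fails = defaultdict(list)
    for e in signins:
        if e["errorCode"] == ERR_BAD_PASSWORD:
            fails[e["ipAddress"]].append((_ts(e["createdDateTime"]), e["userPrincipalName"]))
    sprays = {}
    for ip, attempts in fails.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):            # sliding time window
            while attempts[end][0] - attempts[start][0] > SPRAY_WINDOW:
                start += 1
            hit = {u for _, u in attempts[start:end + 1]}
            if len(hit) >= SPRAY_MIN_ACCOUNTS:
                sprays[ip] = sprays.get(ip, set()) | hit
    return sprays


def dormant_accounts(last_success, now):
    """Accounts with no successful sign-in for longer than DORMANT_AFTER."""
    return {u for u, t in last_success.items() if now - _ts(t) > DORMANT_AFTER}


def compromised_dormant(signins, audit, last_success, now):
    """Successful sign-ins to dormant accounts from a spraying IP, with a flag
    for an MFA method registered by that account after the login."""
    sprays = find_sprays(signins)
    dormant = dormant_accounts(last_success, now)
    findings = []
    for e in signins:
        user, ip = e["userPrincipalName"], e["ipAddress"]
        if e["errorCode"] == 0 and ip in sprays and user in dormant:
            login_at = _ts(e["createdDateTime"])
            enrolled = any(a["initiatedBy"] == user
                           and a["activityDisplayName"] == MFA_REGISTRATION
                           and _ts(a["activityDateTime"]) >= login_at
                           for a in audit)
            findings.append({"user": user, "ip": ip, "mfa_registered": enrolled})
    return findings


if __name__ == "__main__":
    for f in compromised_dormant(SIGNINS, AUDIT, LAST_SUCCESS, NOW):
        print(f"ALERT spray -> dormant account {f['user']} from {f['ip']}, "
              f"new MFA method registered: {f['mfa_registered']}")
```

The spray detector alone is noisy (a misconfigured client can fail for many accounts); it is the join with the dormant-account list and the post-login MFA registration that turns it into something worth paging on. In a real tenant the last-sign-in table comes from the directory's sign-in activity, not a hand-built dictionary.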

Access escalation and establishing persistence

After gaining access to the compromised account, Midnight Blizzard identified and compromised a legacy test OAuth application that already had elevated access to the corporate environment, and created additional malicious OAuth applications of their own. The legacy application was then used to grant the Office 365 Exchange Online full_access_as_app role, which gives an application access to mailboxes. The threat actor created a new user account solely to consent to the malicious OAuth applications. With this access, the actor could read Microsoft email accounts belonging to senior staff and exfiltrate corporate emails and attachments.
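Each step in that chain is written to the tenant's audit log as an ordinary administrative action, so the signal is in the combination: a user account created and then used only to consent to an application, a service principal created by an application identity rather than a person, and an app-role grant that hands an application mailbox-wide access. The following is an added example (not Seclore's or Microsoft's code) that scores audit events for those three signals. The activity names are the ones Entra ID uses in its audit log; the flattened record shape, the application and account names, the "no @ means application identity" heuristic and the seven-day window are assumptions, and all events are constructed for the example.

```python
"""Flag OAuth application abuse in Entra ID-style audit events: consent
granted by a freshly created account, service principals created by an
application identity, and app-role grants that give mailbox-wide access.

Added example, not Seclore or Microsoft code. The activity names are Entra
ID audit log names; the record shape is flattened and the events are
constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

NEW_ACCOUNT_WINDOW = timedelta(days=7)     # assumed: "new" account threshold
# (resource, application permission) pairs that grant mailbox-wide access.
HIGH_RISK_APP_ROLES = {
    ("Office 365 Exchange Online", "full_access_as_app"),
    ("Microsoft Graph", "Mail.ReadWrite"),
    ("Microsoft Graph", "Mail.Read"),
}


def _ts(s):
    return datetime.fromisoformat(s)


def _event(when, activity, who, target, **extra):
    return {"activityDateTime": when, "activityDisplayName": activity,
            "initiatedBy": who, "target": target, **extra}


# Constructed sample: a legacy test app ("legacy-test-app") creates a throwaway
# user and a new service principal, the throwaway user consents to it, and the
# legacy app grants it full mailbox access. A benign admin change follows.
AUDIT = [
    _event("2024-01-05T10:00:00", "Add user", "legacy-test-app", "consenter@example.com"),
    _event("2024-01-05T10:30:00", "Add service principal", "legacy-test-app", "mail-sync-helper"),
    _event("2024-01-06T08:00:00", "Consent to application", "consenter@example.com", "mail-sync-helper"),
    _event("2024-01-06T08:05:00", "Add app role assignment to service principal", "legacy-test-app",
           "mail-sync-helper", resource="Office 365 Exchange Online", appRole="full_access_as_app"),
    _event("2024-01-06T09:00:00", "Consent to application", "admin@example.com", "hr-reporting"),
    _event("2024-01-06T09:01:00", "Add app role assignment to service principal", "admin@example.com",
           "hr-reporting", resource="Microsoft Graph", appRole="User.Read.All"),
]


def audit_oauth_grants(audit):
    """Returns {application: [reasons]} for grants worth an analyst's attention."""
    created = {e["target"]: _ts(e["activityDateTime"])
               for e in audit if e["activityDisplayName"] == "Add user"}
    findings = defaultdict(list)
    for e in audit:
        act, who, app = e["activityDisplayName"], e["initiatedBy"], e["target"]
        when = _ts(e["activityDateTime"])
        if act == "Consent to application" and who in created \
                and when - created[who] <= NEW_ACCOUNT_WINDOW:
            age = (when - created[who]).days
            findings[app].append(f"consent granted by {who}, an account created {age} day(s) earlier")
        elif act == "Add service principal" and "@" not in who:
            # Heuristic: a UPN contains '@'; anything else is treated as an app identity.
            findings[app].append(f"service principal created by application identity {who}")
        elif act == "Add app role assignment to service principal" \
                and (e["resource"], e["appRole"]) in HIGH_RISK_APP_ROLES:
            findings[app].append(f"{who} granted {e['appRole']} on {e['resource']}")
    return dict(findings)


if __name__ == "__main__":
    for app, reasons in audit_oauth_grants(AUDIT).items():
        print(f"REVIEW application {app!r}:")
        for r in reasons:
            print(f"  - {r}")
```

The legitimate hr-reporting change produces no finding because its consent came from an established account and User.Read.All is not in the high-risk set; mail-sync-helper collects all three reasons. The high-risk set here is deliberately small and should be extended with whatever application permissions your tenant treats as mailbox- or tenant-wide.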

How Seclore helps organizations regain control in attacks like this one: sensitive data stays protected, visibility is never lost, and policies persist.

Let’s look at how Seclore can help you detect attempted access, protect sensitive data, and respond to this type of attack.

Using Seclore, you can:

Know your Risk

  • Receive data extraction activity alerts and block unauthorized access proactively.
  • See how and where (location) your sensitive digital assets are being accessed, and receive alerts when unauthorized attempts are made to access data (by sensitivity level).

Protect Sensitive Assets

  • Completely revoke access for offboarded employees, third parties, and suppliers.
  • Dynamically watermark digital assets.
  • Restrict WHO can do WHAT from WHERE and WHEN.

Control your Assets

  • Revoke access to emails and documents regardless of where they end up.
  • Dynamically update access control for any asset, anytime, anywhere.
  • Dynamically change classification, access, and security policy.

Seclore Data-Centric Security

Let's take this a step further:

Investigate New or Suspicious Activity (attempted access) to Your Data

Seclore provides data risk insights that give visibility into your organization’s risk at a glance. Organizations can explore the key factors that increase or decrease risk, including data extraction activities, blocked unauthorized attempts, and how and where sensitive digital assets are being accessed. If user accounts are compromised, you can quickly audit and identify the classified data those users can reach to understand the risk exposure. This can be the first step of a forensic investigation after an attack or breach.

Revoke Access to All Emails and Documents

Seclore extends best-in-class rights management so that security travels with the email, data, or file. Seclore allows document, email, and data owners to remotely shut off all access to classified emails and attachments associated with compromised user accounts. So even with compromised identities in play, your sensitive data remains secure, and attackers cannot gain any leverage against the organization. Seclore also provides a kill switch that inactivates files with a click of a button. After a breach, organizations can use this control to make the stolen data unusable.

Offboard Employees and Third Parties Completely

Seclore makes it easy to centrally define, modify, and audit granular usage controls, including revoking access to all sensitive material no matter where documents or emails might be saved.

For example, when employees leave your organization or you are offboarding third-party suppliers, vendors, or anyone else with access to sensitive data, you no longer need to worry that their lingering SaaS accounts (email, collaboration, documents) will give bad actors an entry point to your organization and camouflage their reconnaissance.

But I have DLP, CASB, and/or XDR today...do I need Seclore?

Seclore is different from DLP, CASB, and XDR technologies. Those solutions sit at data ingress and egress points and mostly observe, rather than protect, the data. Seclore places its controls and strong security closest to what needs protection, the file itself, and binds them to it so the safeguards travel everywhere with the file.

Seclore’s Data-Centric Security Platform helps organizations gain visibility over their most sensitive digital assets (files, emails, and documents), providing a clear picture of where unauthorized attempts and abused privileges or entitlements are creating unnecessary risk, no matter where the data is stored, even within third parties.

When all other security measures fail, Seclore gives organizations the ability to revoke access. In the example above, both Microsoft and HPE could have quickly disabled access to all stolen emails and data so that “possession” did not result in control.

Organizations don’t need to give up control when data intentionally (or unintentionally) leaves the perimeter. With Seclore protecting your most sensitive digital assets, you have visibility into what is happening and keep control over what others can do with that data.

Conclusion: How to neutralize modern cyber threats

Regardless of the threat actor, if you can control and secure your data, you can stop or neutralize most modern cyber threats. Data is the common thread across attacks on every kind of system, from on-premises to cloud to SaaS. So if you can protect data, know how it is being used, and dynamically control access and permissions, you can safeguard the entire organization's data regardless of where it lives.

Ready to learn more? Visit www.seclore.com


Credit: Seclore SE Organization


True empowerment in cybersecurity lies not just in protection but in the ability to react effectively. As Plato hinted, necessity may be the mother of invention, but foresight is its father - ensuring organizations stay a step ahead in data security. #datasecurity #innovation

Alejandro Massri

I'll provide insights that make your clients feel central | Driving sales and marketing success with research & intelligence | Promoter of client-centered strategies

1 year

Justin, great insights on the Midnight Blizzard attack and Seclore's role in safeguarding data beyond breaches. It's fascinating how Seclore's approach extends security measures beyond conventional boundaries. What challenges do you see organizations facing as they adopt these advanced protections? Your perspective on overcoming these hurdles with Seclore's solutions would be highly valuable.

More articles by Justin Endres