Midnight Blizzard and Cloudflare-Atlassian Cybersecurity Incidents: What to Know

Feb 13, 2024The Hacker InformationSaaS Safety / Information Breach

The Midnight Blizzard and Cloudflare-Atlassian cybersecurity incidents raised alarms in regards to the vulnerabilities inherent in main SaaS platforms. These incidents illustrate the stakes concerned in SaaS breaches — safeguarding the integrity of SaaS apps and their delicate information is vital however just isn’t straightforward. Frequent risk vectors corresponding to subtle spear-phishing, misconfigurations and vulnerabilities in third-party app integrations exhibit the advanced safety challenges dealing with IT programs.

Within the case of Midnight Blizzard, password spraying towards a check setting was the preliminary assault vector. For Cloudflare-Atlassian, risk actors initiated the assault through compromised OAuth tokens from a previous breach at Okta, a SaaS id safety supplier.

What Precisely Occurred?

Microsoft Midnight Blizzard Breach

Microsoft was focused by the Russian “Midnight Blizzard” hackers (also referred to as Nobelium, APT29, or Cozy Bear) who’re linked to the SVR, the Kremlin’s international intelligence service unit.

Within the Microsoft breach, the risk actors:

1. Used a password spray technique on a legacy account and historic check accounts that didn’t have multi-factor authentication (MFA) enabled. In response to Microsoft, the risk actors “[used] a low variety of makes an attempt to evade detection and keep away from account blocks primarily based on the quantity of failures.”
2. Leveraged the compromised legacy account as an preliminary entry level to then hijack a legacy check OAuth app. This legacy OAuth app had high-level permissions to entry Microsoft’s company setting.
3. Created malicious OAuth apps by exploiting the legacy OAuth app’s permissions. As a result of the risk actors managed the legacy OAuth app, they might preserve entry to the functions even when they misplaced entry to the initially compromised account.
4. Granted admin Alternate permissions and admin credentials to themselves.
5. Escalated privileges from OAuth to a brand new consumer, which they managed.
6. Consented to the malicious OAuth functions utilizing their newly created consumer account.
7. Escalated the legacy software’s entry additional by granting it full entry to M365 Alternate On-line mailboxes. With this entry, Midnight Blizzard may view M365 e mail accounts belonging to senior workers members and exfiltrate company emails and attachments.

Recreation of illustration by Amitai Cohen

Cloudflare-Atlassian Breach

On Thanksgiving Day, November 23, 2023, Cloudflare’s Atlassian programs have been additionally compromised by a nation-state assault.

1. This breach, which began on November 15, 2023, was made attainable by using compromised credentials that had not been modified following a earlier breach at Okta in October 2023.
2. Attackers accessed Cloudflare’s inner wiki and bug database, enabling them to view 120 code repositories in Cloudflare’s Atlassian occasion.
3. 76 supply code repositories associated to key operational applied sciences have been probably exfiltrated.
4. Cloudflare detected the risk actor on November 23 as a result of the risk actor related a Smartsheet service account to an admin group in Atlassian.

Menace Actors More and more Goal SaaS

These breaches are a part of a broader sample of nation-state actors concentrating on SaaS service suppliers, together with however not restricted to espionage and intelligence gathering. Midnight Blizzard beforehand engaged in important cyber operations, together with the 2021 SolarWinds assault.

These incidents underscore the significance of steady monitoring of your SaaS environments and the continuing threat posed by subtle cyber adversaries concentrating on vital infrastructure and operational tech stack. In addition they spotlight important vulnerabilities associated to SaaS id administration and the need for stringent Third-party app threat administration practices.

Attackers use frequent ways, methods and procedures (TTPs) to breach SaaS suppliers by the next kill chain:

1. Preliminary entry: Password spray, hijacking OAuth
2. Persistence: Impersonates admin, creates additional OAuth
3. Protection Evasion: Extremely privileged OAuth, no MFA
4. Lateral Motion: Broader compromise of related apps
5. Information Exfiltration: Seize privileged and delicate information out of apps

Breaking the SaaS Kill Chain

One efficient option to break the kill chain early is with steady monitoring, granular coverage enforcement, and proactive lifecycle administration over your SaaS environments. A SaaS Safety Posture Administration (SSPM) platform like AppOmni may also help with detecting and alerting on:

• Preliminary Entry: Out-of-the-box guidelines to detect credential compromise, together with password spraying, brute power assaults, and unenforced MFA insurance policies
• Persistence: Scan and establish OAuth permissions and detect OAuth hijacking
• Protection Evasion: Entry coverage checks, detect if a brand new id supplier (IdP) is created, detect permission modifications.
• Lateral Motion: Monitor logins and privileged entry, detect poisonous mixtures, and perceive the blast radius of a probably compromised account

Notice: This expertly contributed article is written by Beverly Nevalga, AppOmni.