
US agencies caught sharing credentials with Microsoft over e-mail

No evidence of further compromises as a result of credential exposure
Image: Shutterstock via Dennis

17 April 2024

Russia-linked hackers behind the attack on Microsoft’s internal systems stole credentials for US federal agencies that could be used to compromise government departments, cyber authorities said.

The Cybersecurity & Infrastructure Security Agency (CISA) issued an emergency directive on 2 April requiring federal agencies to reset credentials and hunt for potential breaches or malicious activity. The deadline to report these actions to CISA was 8 April.

“Agencies have moved with extraordinary urgency to remediate any instances of potentially exposed credentials,” Eric Goldstein, executive assistant director for cybersecurity at CISA, said Thursday during a media briefing. “At this time, we are not aware of any agency production environments that have experienced a compromise as a result of credential exposure.”


Microsoft and several federal agencies exchanged credentials via e-mail, which, according to CISA, created an unacceptable risk of exposure to a malicious actor. Goldstein declined to say why the credentials were shared in these cases, but noted that credentials are sometimes shared as part of a troubleshooting ticket or embedded in a code snippet sent to remediate an issue.

“That is certainly not a best practice and is one that does associate with a significant degree of risk,” Goldstein said.
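The exposure path described above, credentials pasted into a ticket or into a code snippet, is something a mail gateway or ticketing system can catch before the message leaves. The following is an added example written for this page, not CISA, Microsoft or TechCentral tooling: a small Python scanner that flags credential-shaped text in an outgoing message body and returns a redacted copy. The rule set, the sample ticket and every value in it are constructed for the example and are not from the incident.

```python
import re
from dataclasses import dataclass

# Credential-shaped patterns that should never travel in a ticket or e-mail body.
# Hypothetical rule set assembled for this example; an organisation would extend
# it with the shapes of its own secrets. Order matters: the more specific
# connection-string rule runs before the generic password rule.
RULES = {
    "connection_string_password": re.compile(
        r"(?i)\b(?:server|host|data source)=[^;\n]+;[^\n]*?\b(?:password|pwd)=([^;\s]+)"
    ),
    "bearer_token": re.compile(
        r"(?i)\bauthorization[\"']?\s*:\s*[\"']?bearer\s+([A-Za-z0-9\-._~+/]+=*)"
    ),
    "password_assignment": re.compile(
        r"(?i)\b(?:pass(?:word|wd)?|pwd|secret|client_secret)\s*[:=]\s*['\"]?([^\s'\"]{6,})"
    ),
    "aws_access_key_id": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"
    ),
}


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int          # 1-based line in the message body
    redacted_line: str    # the line with the secret material masked


def scan_message(body: str) -> list[Finding]:
    """Return one Finding per line of an e-mail or ticket body that carries a secret."""
    findings = []
    in_key_block = False
    for n, line in enumerate(body.splitlines(), start=1):
        if in_key_block:
            # Everything between BEGIN and END PRIVATE KEY is key material even
            # though no individual line contains a keyword, so mask it all.
            if "-----END" in line:
                in_key_block = False
                findings.append(Finding("private_key_block", n, line))
            else:
                findings.append(Finding("private_key_block", n, "[REDACTED KEY LINE]"))
            continue
        for rule, pattern in RULES.items():
            m = pattern.search(line)
            if not m:
                continue
            if rule == "private_key_block":
                in_key_block = True
                findings.append(Finding(rule, n, line))   # header itself is not secret
            else:
                secret = m.group(1)
                findings.append(Finding(rule, n, line.replace(secret, "[REDACTED]")))
            break  # one finding per line is enough to block the message
    return findings


def redacted_body(body: str) -> str:
    """Return the message with every flagged line replaced by its redacted form."""
    lines = body.splitlines()
    for f in scan_message(body):
        lines[f.line_no - 1] = f.redacted_line
    return "\n".join(lines)


# Constructed sample of the kind of troubleshooting ticket the article describes.
# Every name, host and value here is made up for this example.
SAMPLE_TICKET = """\
Subject: RE: Case 12345 - sync job failing

Hi, the job still fails after the patch. Repro from our side:

    conn = connect("Server=sql01.corp.example;Database=Sync;User Id=svc_sync;Password=Hunter2!x;")
    headers = {"Authorization": "Bearer eyJhbGciOiJSUzI1NiJ9.c2FtcGxl.c2ln"}

Also attaching the deploy key in case it matters:
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
-----END OPENSSH PRIVATE KEY-----

Thanks, Dana
"""

if __name__ == "__main__":
    for f in scan_message(SAMPLE_TICKET):
        print(f"line {f.line_no:2d} [{f.rule}]: {f.redacted_line}")
```

Run against the sample ticket it flags the connection-string password, the bearer token and the three lines of the private key block, and `redacted_body` yields a copy safe to forward. A gateway would reject or quarantine on any finding rather than forward the redacted copy; the redaction is for the audit trail.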

The Russian state-sponsored threat group that Microsoft tracks as Midnight Blizzard, also known as APT29 or Cozy Bear, was still using secrets it stole from Microsoft’s systems in late November to gain, or attempt to gain, further access to the company’s infrastructure last month, the company said in a filing with the Securities & Exchange Commission.

Microsoft tracked the same nation-state group as Nobelium when it carried out the Sunburst supply-chain attack on SolarWinds and its customers in 2020.

CISA declined to quantify how many agencies Microsoft notified of potential exposure or which agencies were required to comply with the emergency directive.

“We would assess the potential for exposure of federal authentication credentials to the Midnight Blizzard actor does pose an exigent risk to the federal enterprise,” Goldstein said. 

The US government is still leaning on Microsoft for remediation support and for the ongoing investigation into what is at risk, even though the extent of the exposure across an undisclosed number of federal agencies has yet to be established.

“Agencies are doing the analysis based upon information from Microsoft to assess whether, in fact, credentials may have actually been exposed or accessed. That analysis is ongoing,” Goldstein said.

Midnight Blizzard’s persistence and, in some cases, expanding attack against Microsoft underscores the tech giant’s need to overhaul its internal security practices.

CISA’s emergency directive was issued the same day the Cyber Safety Review Board released a damning report about a “cascade of security failures at Microsoft” that allowed a China-affiliated threat group to compromise Microsoft Exchange accounts in May 2023.

That attack by a nation-state group Microsoft identifies as Storm-0558 compromised e-mails of 22 organisations and more than 500 individuals, including senior US officials. Microsoft has yet to determine the root cause of that intrusion, the CSRB said in the report.

“CISA and the broader US government are working closely with Microsoft in alignment with the recommendations of the Cyber Safety Review Board to drive further progress in Microsoft’s improvement plans for their broader security culture and enterprise,” Goldstein said.

News Wires


TechCentral.ie