How does a legacy test account grant access to read every Office 365 account?
The hackers who recently broke into Microsoft's network and monitored top executives' email for two months did so by gaining access to an aging test account with administrative privileges, a major gaffe on the company's part, a researcher said.
The new detail was provided in vaguely worded language included in a post Microsoft published on Thursday. It expanded on a disclosure Microsoft published late last Friday. Russia-state hackers, Microsoft said, used a technique known as password spraying to exploit a weak credential for logging into a "legacy non-production test tenant account" that wasn't protected by multifactor authentication. From there, they somehow acquired the ability to access email accounts that belonged to senior executives and employees working in security and legal teams. A "pretty big config error"
In Thursday's post updating customers on findings from its ongoing investigation, Microsoft provided more details on how the hackers achieved this monumental escalation of access. The hackers, part of a group Microsoft tracks as Midnight Blizzard, gained persistent access to the privileged email accounts by abusing the OAuth authorization protcol, which is used industry-wide to allow an array of apps to access resources on a network. After compromising the test tenant, Midnight Blizzard used it to create a malicious app and assign it rights to access every email address on Microsoft's Office 365 email service.
[...] Kevin Beaumont—a researcher and security professional with decades of experience, including a stint working for Microsoft—pointed out on Mastodon that the only way for an account to assign the all-powerful full_access_as_app role to an OAuth app is for the account to have administrator privileges. "Somebody," he said, "made a pretty big config error in production."
(Score: 3, Insightful) by Mojibake Tengu on Monday January 29 2024, @04:53AM (2 children)
So, whoever they are, they found your fancy corporate controlled backdoor for rent to agencies...
And what exactly did you expected?
Rust programming language offends both my Intelligence and my Spirit.
(Score: 3, Interesting) by Runaway1956 on Monday January 29 2024, @07:48AM (1 child)
I don't see the problem here. I give root privileges to all my test accounts. Searx engine has root, my virtual machines have root, I just spread root around so I can do anything from anywhere. On Windows, I give 'guest' root too! It makes life so much easier. /sarcasm
Ooops. I guess that Microsoft did away with 'guest'. Win11 won't even allow me to create a new account named guest. It will allow me to create a new account with no password, however. Hmmmm . . . yep, I can make that account an administrator without a password. That's Microsoft security for you!! After a half-hearted feeble search, it seems that Win7 was the last version to ship with an enabled guest account.
https://www.howtogeek.com/779862/how-to-create-a-guest-account-on-windows-11/ [howtogeek.com]
I find that all a bit humorous, because I always deleted guest accounts on every machine I administered in real life.
“I have become friends with many school shooters” - Tampon Tim Walz
(Score: 2) by Gaaark on Monday January 29 2024, @10:47PM
They gave the account 'guest' to the NSA: teh dingo is eating yo' baby. ;)
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 4, Insightful) by Rosco P. Coltrane on Monday January 29 2024, @07:12AM (2 children)
You're entrusting your data to Microsoft, whose track record for code quality and security has rightfully been an object of ridicule for many decades. And true to itself, Microsoft is as competent as it's ever been, and continues to prove it on a regular basis.
Are you scared yet? Because you bloody well should be...
(Score: 2, Funny) by Anonymous Coward on Monday January 29 2024, @07:45AM (1 child)
The Cloud is as secure as running your code on someone else's computer has ever been.
(Score: 4, Funny) by Opportunist on Monday January 29 2024, @11:57AM
Cloud, English, noun: Fluffy looking puff of intangible water vapor you can't touch or control
Klaut, German, verb, imperative plural of "klauen": Order to a group of people to steal something
Can't say it ain't language-agnostic, its function can be well understood in at least two.