All Tech News

Midnight Blizzard and Cloudflare-Atlassian Cybersecurity Incidents: What to Know

The Midnight Blizzard and Cloudflare-Atlassian cybersecurity incidents raised alarms about the vulnerabilities inherent in major SaaS platforms. They illustrate the stakes involved in SaaS breaches: safeguarding the integrity of SaaS applications and the sensitive data they hold is critical, but it is not easy. Common threat vectors such as sophisticated spear-phishing, misconfigurations, and vulnerabilities in third-party app integrations show the complex security challenges facing IT teams.

In the case of Midnight Blizzard, password spraying against a legacy, non-production test tenant was the initial attack vector. For Cloudflare-Atlassian, the threat actor got in with a service token and service-account credentials that had been stolen in the October 2023 breach of Okta, a SaaS identity provider, and had not been rotated afterwards.

What Exactly Happened?

Microsoft Midnight Blizzard Breach

Microsoft was targeted by the Russian "Midnight Blizzard" group (also known as Nobelium, APT29, or Cozy Bear), which is linked to the SVR, Russia's foreign intelligence service.

In the Microsoft breach, the threat actors:

  • Used a password spray against a legacy account and historic test accounts that did not have multi-factor authentication (MFA) enabled. According to Microsoft, the threat actor "[used] a low number of attempts to evade detection and avoid account blocks based on the volume of failures."
  • Leveraged the compromised legacy account as the initial entry point to hijack a legacy test OAuth application. This legacy OAuth application had high-level permissions to access Microsoft's corporate environment.
  • Created malicious OAuth applications by exploiting the legacy OAuth application's permissions. Because the threat actor controlled the legacy OAuth application, it could keep access to those applications even if it lost access to the initially compromised account.
  • Granted Exchange admin permissions and admin credentials to itself.
  • Escalated privileges from the OAuth application to a new user account that it controlled.
  • Used that newly created user account to consent to the malicious OAuth applications.
  • Escalated the legacy application's access further by granting it full access to Microsoft 365 Exchange Online mailboxes (the full_access_as_app role). With this access, Midnight Blizzard could read the Microsoft 365 mailboxes of senior staff and exfiltrate corporate emails and attachments.

Recreation of illustration by Amitai Cohen
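The first step above is the one an account-lockout rule is built to miss: a few failures per account, spread across many accounts. The following Python script is an added example, not part of the original article and not AppOmni's or Microsoft's code. It pivots on the source address instead of the account and runs over a constructed sign-in log; the pipe-delimited format, account names and IP addresses are assumptions made for the example.

```python
"""Source-pivoted password-spray detection over sign-in log lines.

Added example: not part of the original article and not AppOmni's or
Microsoft's code. Log format, account names and addresses are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (assumed pipe-delimited format, not real telemetry).
# 203.0.113.7 tries six legacy test accounts twice each, staying under a
# typical five-failure lockout threshold, and succeeds on one account that
# has no MFA. 198.51.100.4 is one user mistyping their own password.
SAMPLE_LOG = """\
2024-01-12T02:00:05Z|user=legacy-test-01|ip=203.0.113.7|result=failure|mfa=false
2024-01-12T02:03:11Z|user=legacy-test-02|ip=203.0.113.7|result=failure|mfa=false
2024-01-12T02:06:40Z|user=legacy-test-03|ip=203.0.113.7|result=failure|mfa=true
2024-01-12T02:09:02Z|user=legacy-test-04|ip=203.0.113.7|result=failure|mfa=true
2024-01-12T02:12:55Z|user=legacy-test-05|ip=203.0.113.7|result=failure|mfa=false
2024-01-12T02:15:19Z|user=legacy-test-06|ip=203.0.113.7|result=failure|mfa=false
2024-01-12T02:31:07Z|user=legacy-test-01|ip=203.0.113.7|result=failure|mfa=false
2024-01-12T02:34:44Z|user=legacy-test-02|ip=203.0.113.7|result=success|mfa=false
2024-01-12T02:37:59Z|user=legacy-test-03|ip=203.0.113.7|result=failure|mfa=true
2024-01-12T02:40:21Z|user=legacy-test-04|ip=203.0.113.7|result=failure|mfa=true
2024-01-12T02:43:08Z|user=legacy-test-05|ip=203.0.113.7|result=failure|mfa=false
2024-01-12T02:46:30Z|user=legacy-test-06|ip=203.0.113.7|result=failure|mfa=false
2024-01-12T09:14:02Z|user=alice|ip=198.51.100.4|result=failure|mfa=true
2024-01-12T09:14:09Z|user=alice|ip=198.51.100.4|result=failure|mfa=true
2024-01-12T09:14:15Z|user=alice|ip=198.51.100.4|result=failure|mfa=true
2024-01-12T09:14:22Z|user=alice|ip=198.51.100.4|result=failure|mfa=true
2024-01-12T09:14:40Z|user=alice|ip=198.51.100.4|result=success|mfa=true
"""


def parse_line(line):
    """Turn one log line into a dict with a timezone-aware timestamp."""
    ts, *fields = line.split("|")
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["mfa"] = ev["mfa"] == "true"
    return ev


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_spray(events, window=timedelta(hours=1), min_accounts=5, lockout_threshold=5):
    """One alert per source IP whose failures inside any `window` touch at least
    `min_accounts` distinct accounts. Pivoting on the source rather than the
    account is what catches a spray that stays below `lockout_threshold`."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "failure"]

        # Sliding window: largest set of distinct accounts failed within `window`.
        best, start = set(), 0
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            accounts = {e["user"] for e in failures[start:end + 1]}
            if len(accounts) > len(best):
                best = accounts
        if len(best) < min_accounts:
            continue

        per_account = defaultdict(int)
        for e in failures:
            per_account[e["user"]] += 1
        max_per_account = max(per_account.values())
        # Accounts the spray actually landed on, with no MFA to block reuse.
        landed = sorted({e["user"] for e in evs
                         if e["result"] == "success" and not e["mfa"]})
        alerts.append({
            "source_ip": ip,
            "distinct_accounts": len(best),
            "max_failures_per_account": max_per_account,
            "below_lockout_threshold": max_per_account < lockout_threshold,
            "compromised_without_mfa": landed,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run as written, the script reports one alert for 203.0.113.7: six distinct accounts, at most two failures each (below a five-failure lockout threshold), and a successful login on an account without MFA. The user who mistyped a password four times is not flagged, even though a per-account lockout rule would have reacted to that noise first. Against a real sign-in log export the same pivot applies unchanged, and any account in the `compromised_without_mfa` list should be disabled and reviewed before the attacker moves to the OAuth step.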

Cloudflare-Atlassian Breach

On Thanksgiving Day, November 23, 2023, Cloudflare detected that its self-hosted Atlassian systems had been compromised by a nation-state attacker.

  • The intrusion, which began on November 15, 2023, was made possible by compromised credentials that had not been rotated after the October 2023 breach at Okta.
  • The attacker accessed Cloudflare's internal wiki (Confluence) and bug database (Jira), which let it view 120 code repositories in Cloudflare's Atlassian (Bitbucket) instance.
  • 76 source code repositories related to key operational technologies were potentially exfiltrated.
  • Cloudflare detected the threat actor on November 23 because the actor connected a Smartsheet service account to an administrator group in Atlassian.
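Two checks follow from this timeline: list the credentials that should have been rotated after an upstream identity-provider breach, and alert when a service account is added to an administrator group, which is the event that actually tripped detection. The script below is an added example, not Cloudflare's, Okta's, Atlassian's or AppOmni's code. The credential inventory, audit events and field names are constructed for illustration, and the October 20, 2023 rotation cutoff is a date assumed for the example.

```python
"""Stale-credential listing and service-account-to-admin alerting.

Added example, not Cloudflare's, Okta's, Atlassian's or AppOmni's code.
Inventory, audit events and field names are constructed assumptions."""
from datetime import datetime, timezone

# Cutoff: anything that existed at the identity provider before this date and
# is still live should have been rotated (assumed date for the example).
ROTATE_AFTER = datetime(2023, 10, 20, tzinfo=timezone.utc)

# Groups whose membership grants administrative control (assumed names).
ADMIN_GROUPS = {"administrators", "site-admins", "org-admins"}

# Constructed credential inventory. Types: user, service_account, service_token.
SAMPLE_CREDENTIALS = [
    {"name": "alice",          "type": "user",            "last_rotated": "2023-10-21T10:00:00Z", "revoked": False},
    {"name": "bob",            "type": "user",            "last_rotated": "2023-10-22T08:30:00Z", "revoked": False},
    {"name": "svc-wiki-sync",  "type": "service_account", "last_rotated": "2023-08-02T09:15:00Z", "revoked": False},
    {"name": "svc-smartsheet", "type": "service_account", "last_rotated": "2023-06-11T12:00:00Z", "revoked": False},
    {"name": "svc-bitbucket",  "type": "service_account", "last_rotated": "2023-10-25T16:40:00Z", "revoked": False},
    {"name": "svc-ci-old",     "type": "service_token",   "last_rotated": "2023-01-05T00:00:00Z", "revoked": True},
]

# Constructed audit trail. Only the third event should raise an alert: a
# service account is placed in an admin group by an actor whose own
# credential predates the rotation cutoff.
SAMPLE_AUDIT = [
    {"ts": "2023-11-21T14:02:00Z", "action": "group.member_added", "actor": "alice",
     "target": "bob", "group": "administrators"},
    {"ts": "2023-11-22T21:03:00Z", "action": "group.member_added", "actor": "svc-smartsheet",
     "target": "svc-bitbucket", "group": "developers"},
    {"ts": "2023-11-23T01:17:00Z", "action": "group.member_added", "actor": "svc-wiki-sync",
     "target": "svc-smartsheet", "group": "administrators"},
    {"ts": "2023-11-23T01:20:00Z", "action": "page.viewed", "actor": "svc-smartsheet",
     "target": "Network-Config-Runbook", "group": None},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stale_credentials(creds, rotate_after=ROTATE_AFTER):
    """Names of live credentials whose last rotation predates the cutoff.
    Revoked credentials are not a risk and are skipped."""
    return [c["name"] for c in creds
            if not c["revoked"] and _ts(c["last_rotated"]) < rotate_after]


def admin_group_grants(events, creds, admin_groups=ADMIN_GROUPS, rotate_after=ROTATE_AFTER):
    """Alert when a non-human (or unknown) principal is added to an admin group,
    and note whether the actor doing it holds a credential that was never
    rotated after the cutoff. A person being made admin is left to change
    control rather than this rule."""
    types = {c["name"]: c["type"] for c in creds}
    stale = set(stale_credentials(creds, rotate_after))
    alerts = []
    for e in events:
        if e["action"] != "group.member_added":
            continue
        if e["group"].lower() not in admin_groups:
            continue
        if types.get(e["target"], "unknown") == "user":
            continue
        alerts.append({
            "ts": e["ts"],
            "actor": e["actor"],
            "target": e["target"],
            "target_type": types.get(e["target"], "unknown"),
            "group": e["group"],
            "actor_uses_stale_credential": e["actor"] in stale,
        })
    return alerts


if __name__ == "__main__":
    print("rotate now:", stale_credentials(SAMPLE_CREDENTIALS))
    for alert in admin_group_grants(SAMPLE_AUDIT, SAMPLE_CREDENTIALS):
        print(alert)
```

The stale list comes out as the two service accounts that predate the cutoff, and the one alert names svc-smartsheet being added to administrators by svc-wiki-sync, with the actor's own credential flagged as unrotated. That correlation is the practical lesson of the incident: the rotation check would have removed the actor's credential weeks earlier, and the group-change check is the backstop when rotation is missed. Principals absent from the inventory are treated as unknown and still alerted on, since an admin grant to an account nobody can account for is worse, not better.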

Threat Actors Increasingly Target SaaS

These breaches are part of a broader pattern of nation-state actors targeting SaaS service providers, for purposes including but not limited to espionage and intelligence gathering. Midnight Blizzard has previously carried out major cyber operations, including the SolarWinds supply-chain compromise disclosed in December 2020.

These incidents underscore the importance of continuous monitoring of your SaaS environments and the ongoing risk posed by sophisticated adversaries targeting critical infrastructure and operational technology stacks. They also expose significant weaknesses in SaaS identity management and the need for stringent third-party app risk management practices.

Attackers use common tactics, techniques and procedures (TTPs) to breach SaaS providers, following this kill chain:

  • Initial access: password spraying, hijacking OAuth applications
  • Persistence: impersonating an admin, creating additional OAuth applications
  • Defense evasion: abusing highly privileged OAuth applications and accounts without MFA
  • Lateral movement: broader compromise of connected applications
  • Data exfiltration: taking privileged and sensitive data out of the applications
Breaking the SaaS Kill Chain

One effective way to break the kill chain early is continuous monitoring, granular policy enforcement, and proactive lifecycle management of your SaaS environments. A SaaS Security Posture Management (SSPM) platform such as AppOmni can help by detecting and alerting on:

  • Initial access: out-of-the-box rules to detect credential compromise, including password spraying, brute-force attacks, and unenforced MFA policies
  • Persistence: scanning and identifying OAuth permissions and detecting OAuth hijacking
  • Defense evasion: access policy checks, detecting when a new identity provider (IdP) is created, and detecting permission changes
  • Lateral movement: monitoring logins and privileged access, detecting toxic combinations, and understanding the blast radius of a potentially compromised account
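Serving both the OAuth steps in the Microsoft breach above and the persistence and defense-evasion bullets here, the following Python example walks consent and role-assignment audit events and flags the escalation pattern: an application creating a user, an application assigning a privileged role, a consent that adds a tenant-wide scope such as full_access_as_app, and a consent granted by a principal created only hours earlier. It is an added example, not Microsoft's, AppOmni's or any vendor's code. The events and field names are constructed assumptions rather than the Entra ID audit schema; the scope and role names are real Microsoft Graph, Exchange Online and Entra ID names.

```python
"""OAuth consent and role-assignment review for the escalation pattern in the
Microsoft write-up.

Added example, not Microsoft's, AppOmni's or any vendor's code. Events and
field names are constructed assumptions, not the real Entra ID audit schema."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Scopes that give an app tenant-wide reach. full_access_as_app is the
# Exchange Online application role that opens every mailbox.
HIGH_PRIVILEGE_SCOPES = {
    "full_access_as_app", "Mail.ReadWrite", "Directory.ReadWrite.All",
    "Application.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
}
PRIVILEGED_ROLES = {"Global Administrator", "Exchange Administrator",
                    "Application Administrator"}
# Registered applications (constructed inventory): anything acting under one
# of these names is an app principal, not a person.
KNOWN_APPS = {"Mail Archiver", "legacy-test-app", "mail-collector-2"}

# Constructed audit events, already in time order. The first is a normal admin
# consent; the rest replay the chain: the legacy app creates a user, hands it
# Exchange Administrator, and that user consents to mailbox-wide scopes.
SAMPLE_EVENTS = [
    {"ts": "2023-11-20T09:00:00Z", "type": "consent_granted", "actor": "alice@corp.example",
     "app": "Mail Archiver", "scopes": ["Mail.Read"]},
    {"ts": "2023-12-01T03:10:00Z", "type": "user_created", "actor": "legacy-test-app",
     "target": "ops-sync@corp.example"},
    {"ts": "2023-12-01T03:25:00Z", "type": "role_assigned", "actor": "legacy-test-app",
     "target": "ops-sync@corp.example", "role": "Exchange Administrator"},
    {"ts": "2023-12-01T03:40:00Z", "type": "consent_granted", "actor": "ops-sync@corp.example",
     "app": "mail-collector-2", "scopes": ["Mail.Read", "full_access_as_app"]},
    {"ts": "2023-12-01T04:02:00Z", "type": "consent_granted", "actor": "ops-sync@corp.example",
     "app": "legacy-test-app", "scopes": ["User.Read", "full_access_as_app"]},
    {"ts": "2023-12-02T09:00:00Z", "type": "consent_granted", "actor": "alice@corp.example",
     "app": "Mail Archiver", "scopes": ["Mail.Read"]},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_oauth_events(events, new_principal_window=timedelta(days=7)):
    """Walk events in time order, keep the consented scopes per app, and emit
    one alert per event that matches at least one escalation indicator.
    Re-consenting scopes an app already holds adds nothing and is silent."""
    created_at = {}
    granted = defaultdict(set)
    alerts = []
    for e in sorted(events, key=lambda ev: _ts(ev["ts"])):
        reasons = []
        if e["type"] == "user_created":
            created_at[e["target"]] = _ts(e["ts"])
            if e["actor"] in KNOWN_APPS:
                reasons.append("user_created_by_app")
        elif e["type"] == "role_assigned":
            if e["role"] in PRIVILEGED_ROLES and e["actor"] in KNOWN_APPS:
                reasons.append("privileged_role_assigned_by_app")
        elif e["type"] == "consent_granted":
            added = set(e["scopes"]) - granted[e["app"]]
            granted[e["app"]] |= set(e["scopes"])
            if added & HIGH_PRIVILEGE_SCOPES:
                reasons.append("high_privilege_scope_added")
            born = created_at.get(e["actor"])
            if born is not None and _ts(e["ts"]) - born <= new_principal_window:
                reasons.append("consent_by_newly_created_principal")
        if reasons:
            alerts.append({"ts": e["ts"], "type": e["type"],
                           "actor": e["actor"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in review_oauth_events(SAMPLE_EVENTS):
        print(alert)
```

Four alerts come out: the user creation and the role assignment performed by the legacy application, and the two consents that both add full_access_as_app and are granted by a principal less than a day old. The routine admin consent to Mail.Read is silent both times. Keeping per-app consent state is what turns a scope list into a permission-change detector, and keying the "new principal" check on the consenting account, not the app, is what catches the puppet-user trick in the Microsoft chain.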

Note: This expertly contributed article is written by Beverly Nevalga, AppOmni.

Some parts of this article are sourced from:
thehackernews.com
