Microsoft released a warning earlier this month, after filing a report with the U.S. Securities and Exchange Commission, that an attack it discovered in January turned out to be worse than it initially believed. That, in itself, is not that unusual. Hacks RARELY get better with age.
Microsoft has admitted that the bad actors got access to Microsoft source code and internal systems.
Obviously, Microsoft has been and will continue to be a high priority target of nation-state actors. Also, given the size of Microsoft’s operation, it is almost impossible for them to be perfect.
Chris Krebs, former director of CISA who was fired by ex-president Trump for saying that there was no major election fraud in 2020, said this:
“Any way you cut it, the threat is very real and very serious, and the prevailing view across the national security community seems to be that Microsoft is hanging on by a thread,”
Hopefully that is a bit dramatic, given how dependent we are on Microsoft, and the reality is that Apple and Linux are not much better.
Microsoft attributed the attack to a Russia-backed group they call Midnight Blizzard.
Here is the thing.
The hackers used a password-spray attack, pretty close to the most basic attack method short of rattling doorknobs, to get into a “legacy, non-production test tenant account”. A password spray tries a handful of common passwords against a large number of accounts, one or two guesses per account, so it stays under the per-account lockout threshold that would stop a conventional brute-force attack. It works against any account that has a weak password and no multi-factor authentication, which is exactly what a forgotten test account tends to be. THEN THEY WERE ABLE TO MOVE LATERALLY AND GAIN ACCESS TO IMPORTANT STUFF.
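What that pattern looks like in sign-in logs, as an added example that is not code from the original post or from Microsoft: a single source touching many distinct accounts with only one or two failures each, and then a success for an account that had nothing but a password protecting it. The log format, IP addresses, user names and thresholds below are all constructed for the example; a real identity provider emits different fields, but the grouping logic is the same.

```python
"""Password-spray detector over sign-in events (added example, constructed data).

A spray is the inverse of a brute force: few guesses per account, many
accounts, one source. Grouping failures by source and counting distinct
targets separates the two, which is what lets you alert on a spray before
it finds the one legacy account with a weak password and no MFA.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events: timestamp, source IP, target user, result.
# 203.0.113.7 sprays six accounts and lands on "legacy-test-svc".
# 198.51.100.9 hammers one account (brute force, not a spray).
# 192.0.2.44 is ordinary traffic.
SAMPLE_LOG = """\
2024-01-12T03:00:01Z 203.0.113.7 alice FAIL
2024-01-12T03:00:02Z 203.0.113.7 bob FAIL
2024-01-12T03:00:03Z 203.0.113.7 carol FAIL
2024-01-12T03:00:04Z 203.0.113.7 dave FAIL
2024-01-12T03:00:05Z 203.0.113.7 erin FAIL
2024-01-12T03:00:06Z 203.0.113.7 frank FAIL
2024-01-12T03:00:07Z 203.0.113.7 legacy-test-svc SUCCESS
2024-01-12T03:05:00Z 198.51.100.9 alice FAIL
2024-01-12T03:05:10Z 198.51.100.9 alice FAIL
2024-01-12T03:05:20Z 198.51.100.9 alice FAIL
2024-01-12T03:05:30Z 198.51.100.9 alice FAIL
2024-01-12T03:05:40Z 198.51.100.9 alice FAIL
2024-01-12T03:05:50Z 198.51.100.9 alice FAIL
2024-01-12T09:00:00Z 192.0.2.44 bob SUCCESS
"""


def parse_events(text):
    """Parse the constructed log format into (timestamp, src_ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result))
    return events


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_users=5, max_fail_per_user=2):
    """Return {src_ip: finding} for sources that show a spray pattern.

    A source is flagged when, inside a sliding time window, it fails against
    at least `min_users` distinct accounts with no more than
    `max_fail_per_user` failures against any one of them. Any successful
    sign-in from that source inside the same window is reported, because
    that is the account the spray found.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort()  # time-ordered; tuples sort on the datetime first
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_evs = evs[start:end + 1]
            fails = defaultdict(int)
            for _, _, user, result in window_evs:
                if result == "FAIL":
                    fails[user] += 1
            if len(fails) >= min_users and max(fails.values()) <= max_fail_per_user:
                successes = sorted({u for _, _, u, r in window_evs if r == "SUCCESS"})
                # Keep the widest qualifying window seen for this source.
                if src not in findings or len(fails) >= findings[src]["targeted_users"]:
                    findings[src] = {
                        "targeted_users": len(fails),
                        "successes_after_spray": successes,
                    }
    return findings


if __name__ == "__main__":
    for src, finding in detect_password_spray(parse_events(SAMPLE_LOG)).items():
        print(f"spray from {src}: {finding['targeted_users']} accounts targeted, "
              f"successes: {finding['successes_after_spray'] or 'none'}")
```

Run against the sample, only 203.0.113.7 is reported: six accounts, one failure each, and a success for legacy-test-svc in the same window. The single-account hammering from 198.51.100.9 is deliberately not flagged, since per-account lockout already handles that case; the spray is the one that lockout does not catch. The success-after-spray field is the part worth paging someone for.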
Could they have injected malware? Stolen source code? Gained access to production systems? Are they now using the stolen code to look for attack vectors? Did they add back doors?
While you can’t make yourself bulletproof, you can definitely make yourself bullet-resistant and most organizations are not even pellet-gun resistant.
Why?
Because SECURITY IS INCONVENIENT.
That is a fair assessment, but, as Change Healthcare or Equifax learned the hard way, convenience can be pretty inconvenient too.
Do you want to have to clean up after an attack?
When Marriott bought Starwood Hotels in 2016, the hackers had already been inside Starwood’s systems since 2014, and Marriott did not discover them until 2018, four years of stealing data in total. How much damage could hackers do to you in four years if they were covert about it?
The longest successful penetration that I am aware of lasted 12 years, ending only when the company went bankrupt and was sold, basically, for scrap. That was Nortel Networks.
How did they get in and do their damage? They compromised the CEO’s credentials. Attackers much prefer to compromise executives: they have access to far more data and far more systems, and many of them think that security does not apply to them. Marissa Mayer, former CEO of Yahoo, famously said that she would not put a passcode on her phone because that would be inconvenient. A few years later Yahoo had to take a $350 million haircut on the price of its sale to Verizon, and retain a lot of the liability too.
There are many things that companies can do that they are not doing. Some cost money. Some do not. Some are inconvenient. Some are not.
But if you are not actively asking the questions at the EXECUTIVE SUITE and BOARD level – well then those people are not doing their jobs.
If this scares you, please give us a call.
Credit: Data Breach Today