Home
Blog
Research
July 18, 2024
8
min read

Identifying Midnight Blizzard and other password spray attacks using Command Zero

For identifying Midnight Blizzard or any password spraying attack in your environment, there are multiple paths you can take with Command Zero: 1) Tracking unusual application consents 2)Tracking password spraying attempts 3)Tracking MFA failures 4) Tracking new or re-activated user accounts. As with all investigation flows, these flows can be saved as facets to drive speed and consistency across individual analysts or analyst teams.

investigations
research
identity investigations
Eric Hulse
Director of Security Research
In this article
H2 Title
H3 Title

What is Midnight Blizzard?

In today's rapidly evolving cyber landscape, security analysts and Security Operations Centers (SOCs) face an overwhelming challenge: operationalizing threat intelligence. Despite having access to a wealth of data, turning this information into actionable insights remains a daunting task. The sheer volume of threats, the sophistication of attacks, and the need for real-time responses create a perfect storm of complexity and urgency. Security operations teams often drown in alerts, struggling to differentiate between noise and genuine threats. Earlier in the year Microsoft released details of a Threat Actor (Midnight Blizzard) along with guidance and Tactics, Techniques and Procedures (TTPs).  

A lot has been written about this attack vector so far, here are some quick facts:  

  1. A Russia-linked threat actor primarily targeting US and European governments, diplomatic entities, non-governmental organizations (NGOs) and IT service providers.
  1. Attackers gain access to target systems primarily through password spray, then using OAuth applications to target corporate email accounts.  
  1. Multiple methods of obfuscation to avoid detection.  

This post demonstrates how to operationalize threat intelligence about Midnight Blizzard (also known as NOBELIUM) using Command Zero. As a result, your analyst team can quickly determine accounts which may be targets for this group as well as other similar attack patterns.  

How to identify Midnight Blizzard in your environment

Operationalizing threat intelligence becomes even more challenging when atomic indicators of compromise are not available. As infrastructure becomes more readily available and disposable, coupled with the endless amount of VPN and Proxies, it makes atomic indicators less valuable. Behaviors however, are harder to change, but sometimes also hard to identify.  

Diverse attack patterns and obfuscation make identification difficult

Consider the scenario where the Midnight Blizzard attackers exploit a legitimate account without MFA, employ defense evasion tactics and create new cloud accounts which match your organization's naming convention. Moving beyond initial access and privilege escalation, they aim to establish persistence, broader access, and further exploitation mechanisms. The attackers then create a malicious OAuth application, diversifying their access points within the target environment. This calculated effort involves setting up multiple backdoors, ensuring redundancy so that if one application is discovered and neutralized, others remain active.

Many of the threat intelligence write ups (Update on Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard and Wiz’s blog post on Midnight Blizzard are good examples) excluded or specifically stated the lack of value in sharing the residential VPN exit nodes used by the attacker due to the diversity thereof. This complicates the defenders' task of not only eradicating the attackers' presence but identifying them in the first place.

Manual steps to discover Midnight Blizzard

Investigating the tactics of the Midnight Blizzard group requires reviewing data from several different sections, or 3 different portals, as outlined by Microsoft's detailed guidance. Analysts are advised to start by reviewing applications in Azure Entra ID, identifying applications that may contain legacy based authentication methods which may be susceptible to exploitation or take over, as well as a general review of any suspicious OAuth applications that may serve as backdoors.  

Next, scrutinizing user accounts in Entra ID to detect any unauthorized access or account creation that could indicate a deeper compromise, including reviewing accounts in the organization without MFA enrollment.  The investigation should then extend to examining UAL and Entra logs for application consent and role assignment activities, which can reveal attempts by attackers to gain broader permissions or establish persistence.  

Finally, reviewing mailbox permissions in the Exchange Portal helps uncover any unauthorized access or delegation that could facilitate data exfiltration or further exploitation.  

Of course, these steps can be completed manually or with PowerShell, that is if you are familiar with it and have the appropriate permissions. Alternatively, you can identify these TTPs in minutes using a single investigation platform. Let’s explore how the same investigation can be done using Command Zero.

Spotting Midnight Blizzard and similar attacks using Command Zero

The most obvious indicator of a breach or incident is an alert from a security product. However, investigations can start from several places. These include casual observations of activity that seems “off” during a review of a SharePoint site, a user complaint or discovered patterns during a threat hunt.  

No matter where you start the investigation, Command Zero’s curated content allows an analyst to start from any point of reference and work from there. Analysts can ask pre-built questions on Command Zero to interrogate various systems and get to answers quickly. These answers can be executed for broad date/time ranges for discovery, or for short date/time ranges to identify specific patterns. In this blog post, we will cover four potential paths analysts can use to identify Midnight Blizzard, or any similar password spray attack in their environments.

Path 1: Tracking unusual application consents

We know Midnight Blizzard achieves initial access through password spraying, other major indicators of attack are cloud-based application consents.  

Command Zero can be used to review all existing applications and new application consent grants by users. The former is part of the hunting question set for Entra and is aimed at giving analysts a quick picture with promotable leads of all applications in their organization. For this example, we can start the investigation with the following question:  

“What application registrations exist in Microsoft Entra ID?”

Reviewing application registrations within a time frame helps identify suspicious new applications.
Analysts can review all registered applications in a table view, filter and dig deep into suspicious patterns.

The answer data set contains a lot of interesting data patterns. Here are the best practices to make the most of these data:  

  • Examine the permissions granted to each application, ensuring they align with the principle of least privilege.  
  • Pay special attention to any applications with elevated permissions or those requesting access to sensitive data.  
  • Investigate the application's history, including its installation date, update frequency, and any recent changes to its configuration or permissions.  
  • Additionally, review user consent activities and logs to detect any unusual or unauthorized approvals.  
  • Analyzing the application's source and reputation, along with monitoring for any known vulnerabilities or reported incidents, is also essential.

In the case of Midnight Blizzard, threat actors granted their malicious OAuth application the Office 365 Exchange Online 'full_access_as_app' role, allowing the app to access all Exchange mailboxes. Evidence of this role grant can be discovered using the following Command Zero hunting question:

“What app role assignments were added to service principals in Microsoft Entra ID?”

Reviewing role assignments uncovers over-permissive roles that are frequently used by attackers.

Once we identify applications of interest (which had service principals added in the focused time frame in question), they can be promoted to an investigation. We can then identify activities such as who authorized or installed the application and what permission changes have been made. We can follow up with this question: 

"What app role assignments did this user add to service principals in Microsoft Entra ID?"

Role assignment view with details of each new role.

Of course, through an additional hunting question, we’re also able to review applications which have had a certificate or secret that have been updated in the tenant.

Updated secrets and certifications are tell-tale signs of an attacker solidifying their foothold in an environment.

Starting with an application review leads us to discover new user accounts, and the compromised user who authorized the application in the first place. This highlights the flexibility of Command Zero and the dynamic nature in which investigations can unfold. That flexibility allows an analyst, from different starting questions, to discover additional, pertinent information, initial attack vector, actions performed post compromise and more. Another way to identify Midnight Blizzard is to spot the attackers’ initial access to your environment.

Path 2: Tracking password spraying attempts

For Midnight Blizzard, the first step in gaining access were  password spray attacks against user accounts. Password spraying is most effective when targeting users who do not have MFA enabled. So, our first order of business should be to find all user accounts without MFA enabled.  

Using the hunting question “What users do not have any multi-factor authentication methods registered in Microsoft Entra ID?”, analysts can easily obtain a list of all users which do not currently have MFA enabled and enforced.

Finding users without MFA enabled can help identify potential targets for successful password spray attacks.

Executing this question returns a list of users without MFA enabled. Allowing analysts to add these users as leads to an investigation.

Users who don't have MFA enabled require a thorough view of their successful and failed logins.

Reviewing the organization for potential targets for threat actors is one thing, but determining if any of those risks materialized is another.

Additional questions targeted at these vulnerable leads (users without MFA) can provide a view of risk exploitation.

The most obvious sign of active password spraying is the production of an alert by your identity provider indicating such an attack is occurring. This activity may also trigger an account lockout if the environment is configured to do so. The problem with these indicators isn’t a lack of alerts. It is an abundance of these alerts and not enough cycles to investigate all alerts manually. How often do organizations investigate these types of alerts? I recall my time as an administrator, we often blocked the IP, did a quick password reset for the user and moved on since the occurrence was so frequent. And running thorough investigations manually would take hours per alert. How long does it take you to run investigations for similar user alerts with your current tooling?

The Command Zero Platform offers two questions to import alerts dealing with user accounts that have either been locked out through policy or triggered an event that Microsoft Analytics determined to be risky. These questions are:  

"What users were locked out by Microsoft Entra smart lockout?"

"What users with risky sign-in activity were detected by Microsoft Entra ID Protection?"

Digging into users with risky sign-ins, locked out accounts and failed sign-ins.

This question offers a starting point on investigations which can be automated, and both are available to execute in Command Zero from either Alert Manager, or as hunting questions.  I vividly recall dealing with quite a few lock outs during my time as an administrator, and I recall it happening so often that they rarely got a second look or investigation. These lock outs can be valuable indicators for serious attacks, and they deserve your attention.

Path 3: Tracking MFA failures

Let's go broader and look at activity in our organization. How often does an MFA failure occur in a typical organization? And when it happens, how often is your security team reviewing each of these?  

The question we’ll ask to get the initial data set is simple:  

"What users have failed a multifactor authentication (MFA) challenge?"

In our lab, this question produced two results for the focused time frame, both originating from the same IP address. These users and IPs can now be promoted in the investigation and further scrutinized.  

Getting to suspicious IPs used in failed logins. These IPs will require further investigation.

There are a number of questions we can ask surrounding sign-ins from that IP, and several more surrounding failures.

Getting more granular with additional questions on suspicious user activity.

The answers to these questions will provide a list of leads which can be used for additional scoping and validation. Cross-referencing the leads discovered from these results with those provided by the prior question narrows the scope to highly suspicious leads. Once we identify suspicious IPs, we can interrogate them with more direct questions such as: 

"What Microsoft Entra sign-in activity originated from this IP Address?"

NAT aside, multiple accounts trying to sign in from a single IP is a red flag.

With a larger scale password spraying attack, the volume of failures can be quite high. Using the table view on Command Zero’s investigation workbench, each column can be filtered for failures vs success, but we should also focus on the successful logins to see if attackers gained access as a result of these attempts:

"What users have successful logins from this IP?"

Analysts can filter out known NAT IPs and focus on suspicious IPs with multiple logins.

Continuing that track, we can view the users impacted and cross reference that against our list of MFA Failures and accounts without MFA for further investigations.

If users impacted are a match with the user list without MFA enabled, we have a high confidence list of potential victims.

Path 4: Tracking new or re-activated user accounts

Once the attacker has access to a user account in our environment, their next objective is to escalate privileges and establish a secondary foothold. They do this through two methods, first identifying an application that can be manipulated through configuration, then using those credentials to create a secondary application to ensure they can retain their access. The second application is a means of maintaining access to the organization in case the first application or user gets detected.  

Adding new user accounts – and re-activating disabled accounts – is a common technique used by threat actors to evade detection and ensure persistent access. To find these, we can use the following question:

"What users were added in Microsoft Entra ID?"

A common indicator of compromise is the creation of new users in the environment by attackers.

In this example, Midnight Blizzard threat actors created a new user account and granted the account the Global Administrator role. This role is required to grant consent to a malicious application. User principal name (UPN) leads for newly created users can be used to look for evidence of elevated privilege role assignments and malicious application consent grants or role assignments by attackers.

Seeing the connections between objects and questions help get to answers quickly.

"What new directory role assignments have been made for this user in Microsoft Entra ID?"

New directory role assignments can be another indicator for suspicious attacker activity.

Conclusion

In conclusion, the capabilities within Command Zero empower organizations and analysts to conduct flexible hunts and free-form investigations, significantly enhancing their ability to operationalize threat intelligence. For identifying Midnight Blizzard or any password spraying attack in your environment, there are multiple paths you can take with Command Zero:  

  1. Tracking unusual application consents
  1. Tracking password spraying attempts
  1. Tracking MFA failures
  1. Tracking new or re-activated user accounts

As with all investigation flows, these flows can be saved as facets to drive speed and consistency across individual analysts or analyst teams.  

By providing robust tools and comprehensive insights, our platform allows users to navigate complex threat landscapes without relying solely on atomic indicators. This flexibility not only streamlines the investigative process but also ensures a proactive and adaptive security posture, enabling organizations to stay ahead of evolving cyber threats and maintain a resilient defense strategy.

Eric Hulse
Director of Security Research

Continue reading

No items found.
By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
PreferencesDenyAccept All