Tag Archive for: helped

How ITDR Could Have Helped Microsoft in the Midnight Blizzard Hack


Identity-based attacks are on the rise, but they can be prevented with the right identity threat detection and response (ITDR) measures. 

As winter crept in last year, so did identity threat actors. Microsoft revealed in January that the Russia-backed group Midnight Blizzard (aka Nobelium) had compromised senior-level email accounts and stolen sensitive information in a password-spraying attack dating back to November 2023. 

Thought to be affiliated with the Russian Foreign Intelligence Service, Midnight Blizzard performs espionage attacks on targets across the US and Europe. The group is perhaps best known for the SolarWinds hack in 2020 – a massive supply chain breach that affected thousands of organizations, including the US government. 

Midnight Blizzard’s latest attack on Microsoft was sophisticated but easily preventable. A protective layer of identity threat detection and response (ITDR) measures would have stopped the group from gaining a foothold in Microsoft’s corporate environment. In this blog, we’ll look at how. 

How It Happened

In late November 2023, Midnight Blizzard used a password-spraying attack to compromise an old Microsoft test account that didn’t have multifactor authentication (MFA) enabled. To avoid being detected or locked out of the system, the group used residential proxy networks to masquerade as legitimate users. It focused its attack on a small number of accounts. 

With a foothold in the system, Midnight Blizzard took over a legacy test OAuth application connected to Microsoft’s corporate environment and created more OAuth applications. It leveraged the privileges that came with these to grant itself the Microsoft 365 Exchange Online full_access_as_app role, which provided access to the entire 365 stack. In what Microsoft says was a bid to find information about itself, Midnight Blizzard then stole data, such as documents and emails from senior-level accounts. 

How It Was Discovered

“The Microsoft security team detected a nation-state attack on our corporate systems on January 12, 2024,” Microsoft disclosed in an 8-K filing, “and immediately activated our response process to investigate, disrupt malicious activity, mitigate…

Lessons from a ransomware attack: How one healthcare CIO helped her company recover


In the early-morning hours of Feb. 25, 2021, Terri Ripley got the call every chief information officer dreads: Her company, OrthoVirginia Inc., had been hit by a massive attack of the Ryuk ransomware that had shut down its entire computing fabric.

Although it would be 18 months before systems were fully restored, OrthoVirginia never shut down operations or abandoned patients. What it learned during the crisis is a lesson for any organization that might become an attack target. Today, that’s everyone.

Speaking at the Healthcare Information and Management Systems Society Inc.’s Healthcare Cybersecurity Forum in Boston this week, Ripley gave a blow-by-blow description of the events immediately following the attack, the critical choices that were made and how the company is insulating itself from future incidents.

OrthoVirginia is Virginia’s largest provider of orthopedic medicine and therapy, encompassing 105 orthopedic surgeons spread across the state. Its 25-person information technology organization had put cyber protections in place before the attack hit, but the pandemic was a curveball they didn’t anticipate.

“When COVID hit and we sent everybody home, some of those protections were not in place,” she said. “We put a lot of good measures in place, but we still got hit.”

System-wide shutdown

The attack took down servers, workstations, network storage and backups, but fortunately not electronic health records, which were hosted offsite. It encrypted the picture archiving and communication system that contains the X-rays vital to orthopedic surgery. The application and database needed to view the images were also hit and the internet protocol phones went down.

To make matters worse, OrthoVirginia’s chief cybersecurity expert was on vacation at the time. Knowing that ransomware attacks can be unpredictable, “we made the decision to shut everything down,” Ripley said. “That stopped the script from running so we were able to save the data files.”

Forensics would later determine that the attack was triggered by a remote worker clicking on a malicious link. The attackers were able to compromise the system administration password, tunnel through the…

Prison officer who helped smuggle cocaine into convicted murderer’s cell facing jail time


Prison officer, 31, who helped smuggle cocaine and a mobile phone into convicted murderer’s cell at maximum-security jail after ‘forming a close relationship’ is now facing time behind bars herself

  • Heather McKenzie was working at HMP Shotts when she teamed up with convicted murderer Zak Malavin to supply drugs to inmates
  • McKenzie will be sentenced at the High Court in Glasgow on February 23

A prison officer is facing time behind bars after helping to smuggle cocaine into one of Scotland’s most notorious maximum-security jails.

Heather McKenzie was working at HMP Shotts – home to some of the country’s most hardened criminals – when she teamed up with convicted murderer Zak Malavin to supply drugs to inmates.

Prison officials and police started an investigation after noticing a significant rise in the quantities of drugs being found in the jail – and receiving a tip-off about possible staff corruption.

Intelligence suggested McKenzie, 31, was illegally bringing drugs and mobile phones into the prison.

Heather McKenzie (pictured) was working at HMP Shotts – home to some of the country’s most hardened criminals – when she teamed up with a convicted murderer

Zak Malavin, who is serving life for murdering a man in a park by attacking him with a sword, was found to have an iPhone, 1.45g of cocaine and a sleeping pill in his cell

Malavin, serving life for murdering a man in a park by attacking him with a sword, was found to have an iPhone, 1.45g of cocaine and a sleeping pill in his cell when officers searched it in May 2020.

A search the following month uncovered two knotted bags containing a further 5.7g of cocaine, while data on the iPhone revealed texts and calls to McKenzie.

Police later raided McKenzie’s home in Forth, Lanarkshire, and arrested her after finding £2,500 in cash, mobile phones, syringes and trenbolone – a powerful steroid – as well as traces of cocaine and 28g of another drug, benzocaine.

An iPhone found by police had a missed WhatsApp call from a contact named ‘Zak’…

Security Breach: The Hack You Helped Create


This episode focuses on a vulnerability within the industrial sector that is essentially a product of progress. The enhanced data sharing capabilities and operational efficiencies that have been realized in establishing an estimated 20 billion device connections in manufacturing enterprises around the globe have come at a price for some.

In the sector’s zeal to push forward with digital transformation plans and realize the benefits of automation, software and data-driven production schemes, all of these connection points offer a soft spot for hackers to probe and pinpoint in launching various types of attacks.

Joining us to discuss this evolving situation and offer some in-depth analysis from his company’s recent report – The API Security Disconnect – is Filip Verloy, Technical Evangelist at Noname Security.

For more information on the work Noname Security does, you can go to nonamesecurity.com.

To catch up on past episodes, you can also check Security Breach out wherever you get your podcasts, including Apple, Amazon and Overcast.