CISA issued a fresh CISA emergency directive in early April instructing U.S. federal agencies to mitigate risks stemming from the breach of numerous Microsoft corporate email accounts by the Russian APT29 hacking group. The directive is known as Emergency Directive 24-02 and it addresses the risk of compromised Microsoft accounts for federal agencies and corporations.
The directive mandates agencies to probe potentially impacted emails, reset any compromised credentials and implement safeguards to fortify privileged Microsoft accounts.CISA reports that operatives from Russia are utilizing information pilfered from Microsoft’s corporate email systems, including authentication details exchanged between Microsoft and its clientele via email, to infiltrate certain customer systems.
Microsoft and the U.S. cybersecurity agency have already alerted all federal agencies whose email exchanges with Microsoft were identified as exfiltrated by the Russian hackers. CISA’s latest emergency directive marks the first acknowledgment by the U.S. government that federal agency emails were exfiltrated during the January Microsoft Exchange breaches.
CISA has now directed affected agencies to ascertain the complete content of their correspondence with compromised Microsoft accounts and conduct a cybersecurity impact assessment by April 30, 2024.
Agencies detecting indications of authentication compromises are instructed to:
While the requirements of ED 24-02 pertain exclusively to Federal Civilian Executive Branch (FCEB) agencies, the exfiltration of Microsoft corporate accounts may affect other organizations and corporations. It is also imperative for all organizations, regardless of the impact, to adopt stringent security measures, such as utilizing strong passwords and implementing multi-factor authentication (MFA).
APT29 was responsible for the 2020 SolarWinds supply chain attack, which resulted in breaches affecting several U.S. federal agencies and numerous companies, including Microsoft. Microsoft verified that the breach facilitated the Russian hacking group in pilfering source code for certain Azure, Intune, and Exchange components. In 2021, the APT29 hackers once more penetrated a Microsoft corporate account, granting them access to customer support tools.
Earlier this year, Microsoft disclosed that APT29 hackers had infiltrated its corporate email servers through a password spray attack, compromising a legacy non-production test tenant account. The compromised account possessed authorization to an application with elevated privileges within Microsoft’s corporate environment, enabling the attackers to infiltrate and extract data from corporate mailboxes. These compromised email accounts included those belonging to members of Microsoft’s leadership team and an undisclosed number of employees in the company’s cybersecurity and legal departments.
Detecting compromised Microsoft accounts is crucial for maintaining the security of your organization’s data and systems. Here are some key indicators to watch out for:
By following these proactive measures and staying vigilant, organizations can enhance their ability to detect compromised Microsoft accounts and mitigate the risks associated with unauthorized access to sensitive data and systems.
To learn more about CISA Emergency Directive 24-02, please visit: https://www.cisa.gov/news-events/directives/ed-24-02-mitigating-significant-risk-nation-state-compromise-microsoft-corporate-email-system
The post CISA Warns of Compromised Microsoft Accounts appeared first on Enzoic.
*** This is a Security Bloggers Network syndicated blog from Blog | Enzoic authored by Enzoic. Read the original post at: https://www.enzoic.com/blog/compromised-microsoft-accounts/