The first report from Microsoft's Detection and Response Team (DART), which helps customers with serious security incidents, details the case of a large customer with six different hacker groups on its network at the same time, including a state-sponsored group that stole data and emails over 243 days.
The company announced DART in March 2019 as part of the $1 billion security investment that CEO Satya Nadella announced in 2017.
Without disclosing customer names, Microsoft intends to publish regular updates on DART's work to show how attackers operate.
The first report details one APT intruder who stole admin credentials to infiltrate the target's network and steal sensitive data and emails.
In particular, the customer was not using Multi-Factor Authentication (MFA), which could have prevented the breach. Microsoft revealed last week that 99.9% of compromised accounts did not use MFA and that only 11% of businesses use MFA.
DART was brought in after the customer had failed for 243 days to evict an APT attacker from its network, despite having hired an incident response vendor seven months earlier. The attacker was removed from the system the day the Microsoft team arrived. DART also discovered that five other threat groups were in the network.
In this case, the main attacker used a password-spraying attack to obtain admin credentials for the customer's Office 365 tenant, and from there searched mailboxes for further credentials that employees had shared with each other by email. DART found that the attacker was looking for intellectual property licenses in certain markets.
The attacker even used the customer's e-discovery tools to automate the search for the relevant emails.
According to Microsoft, in the first month of the attack the company tried to handle its Office 365 account on its own, and then brought in an incident response company to lead what turned out to be a long investigation.
"This investigation lasted more than seven months and revealed a possible compromise of sensitive information stored in Office 365 mailboxes. 243 days after the initial intrusion, DART took over from the company the customer had hired," says Microsoft.
"DART quickly identified targeted searches of mailboxes and compromised accounts, as well as command and control channels. DART also identified five additional intruder campaigns that had nothing to do with the original incident and had, in some cases, established access channels (e.g. backdoors) even earlier, for later use as needed."
Microsoft outlines five key steps organizations can take to minimize their exposure to APT attackers: enabling MFA, removing legacy authentication, properly training first responders, properly logging incidents with a security information and event management (SIEM) product, and recognizing that intruders use legitimate administrative and security tools to identify targets.
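The password-spraying entry point described above and two of the five recommended steps (removing legacy authentication and centralizing sign-in logs in a SIEM) can be illustrated with a small detection routine. The following is an added example, not code from the report or from Microsoft: it runs over a constructed, hypothetical sign-in log in a simplified CSV shape (timestamp, user, source IP, result, client application), flags any source IP that fails against many distinct accounts inside a short window (the signature of a spray, as opposed to one user mistyping a password), reports which accounts later signed in successfully from that IP, and separately lists successful sign-ins over legacy protocols that cannot enforce MFA. The set of protocol names treated as legacy and the thresholds are assumptions to be tuned for a real tenant.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample sign-in events (hypothetical values, not from the report).
# Columns: timestamp, user, source IP, result, client application.
SAMPLE_LOG = """\
2020-03-10T08:00:01Z,alice@example.test,203.0.113.7,Failure,Browser
2020-03-10T08:00:03Z,bob@example.test,203.0.113.7,Failure,Browser
2020-03-10T08:00:05Z,carol@example.test,203.0.113.7,Failure,Browser
2020-03-10T08:00:08Z,dave@example.test,203.0.113.7,Failure,Browser
2020-03-10T08:00:11Z,erin@example.test,203.0.113.7,Failure,Browser
2020-03-10T08:00:14Z,frank@example.test,203.0.113.7,Success,Browser
2020-03-10T08:05:00Z,alice@example.test,198.51.100.4,Failure,Browser
2020-03-10T08:05:09Z,alice@example.test,198.51.100.4,Failure,Browser
2020-03-10T08:05:20Z,alice@example.test,198.51.100.4,Success,Browser
2020-03-10T09:12:44Z,frank@example.test,203.0.113.7,Success,IMAP4
"""

# Assumed list of client applications that use legacy (basic) authentication
# and therefore bypass MFA; adjust to the protocols your tenant reports.
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    ip: str
    result: str      # "Success" or "Failure"
    client_app: str  # e.g. "Browser", "IMAP4"


def parse_log(text):
    """Parse the simplified CSV sign-in log into SignIn records."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, result, app = line.split(",")
        events.append(SignIn(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result, app))
    return events


def detect_password_spray(events, window=timedelta(minutes=60), min_users=5):
    """Flag source IPs whose failures touch at least `min_users` distinct accounts
    within any `window`. Returns {ip: {"sprayed_users": [...], "later_successes": [...]}}."""
    failures_by_ip = defaultdict(list)
    for e in events:
        if e.result == "Failure":
            failures_by_ip[e.ip].append(e)

    findings = {}
    for ip, fails in failures_by_ip.items():
        fails.sort(key=lambda e: e.ts)
        best = set()
        start = 0
        # Sliding window over the time-ordered failures from this IP.
        for end in range(len(fails)):
            while fails[end].ts - fails[start].ts > window:
                start += 1
            users = {f.user for f in fails[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            # Accounts that signed in successfully from the same IP after the spray began:
            # these are the candidates for credential compromise and should be reset.
            later = sorted({e.user for e in events
                            if e.ip == ip and e.result == "Success" and e.ts >= fails[0].ts})
            findings[ip] = {"sprayed_users": sorted(best), "later_successes": later}
    return findings


def find_legacy_auth_signins(events):
    """Successful sign-ins over protocols that cannot enforce MFA."""
    return [e for e in events if e.result == "Success" and e.client_app in LEGACY_CLIENT_APPS]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, info in detect_password_spray(evs).items():
        print(f"spray from {ip}: {len(info['sprayed_users'])} accounts targeted; "
              f"later successes: {info['later_successes']}")
    for e in find_legacy_auth_signins(evs):
        print(f"legacy-auth sign-in: {e.user} via {e.client_app} from {e.ip} at {e.ts.isoformat()}")
```

In the constructed log, the single IP that fails against five accounts in ten seconds is flagged while the user who mistypes their own password twice is not; the same flagged IP then shows a successful sign-in over IMAP4, which is exactly the combination (spray, then a legacy-protocol logon that MFA cannot challenge) that the recommended steps are meant to close off.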
The blog post carries the same message Microsoft gave last week to customers that have been victims of major ransomware groups: customers need to turn on the security tools available to them and focus on logging security events.
Microsoft covered the work of the ransomware operators behind REvil, Samas (also known as SamSam), Doppelpaymer, Bitpaymer and Ryuk. It details how attackers disable security software, and notes that some customers even disable security software themselves to improve performance, allowing cybercriminals to roam their networks for months.