Midnight Blizzard and Cloudflare-Atlassian Cybersecurity Incidents: What You Need to Know


The Midnight Blizzard and Cloudflare-Atlassian cybersecurity incidents have raised alarms about the vulnerabilities inherent in major SaaS platforms. These incidents illustrate the stakes involved in SaaS breaches: Protecting the integrity of SaaS apps and their sensitive data is critical, but not easy. Common threat vectors such as advanced spear phishing, misconfigurations, and vulnerabilities in third-party app integrations demonstrate the complex security challenges IT systems face.

In the case of Midnight Blizzard, a password-spray attack against a legacy, non-production test tenant was the initial attack vector. For Cloudflare-Atlassian, the threat actors got in with an access token and service-account credentials that had been exposed in a previous breach at Okta, a SaaS identity provider, and had never been rotated.

What exactly happened?

Microsoft Midnight Blizzard Breach

Microsoft was targeted by the Russian ‘Midnight Blizzard’ hackers (also known as Nobelium, APT29 or Cozy Bear) who are linked to the SVR, the Kremlin’s foreign intelligence service.

In the Microsoft breach, the threat actors did the following:

  1. Ran a password-spray attack against a legacy, non-production test tenant account that did not have multi-factor authentication (MFA) enabled. According to Microsoft, the threat actors "[used] a low number of attempts to evade detection and avoid account blocks based on the number of failures."
  2. Used the compromised legacy account as the initial foothold to take over a legacy test OAuth application. That application had elevated permissions into Microsoft's corporate environment.
  3. Created additional malicious OAuth applications. Because the threat actors controlled the legacy OAuth application, they retained access to the environment even if they lost the originally compromised account.
  4. Created a new user account in the corporate environment.
  5. Used that new user account to grant consent to the malicious OAuth applications.
  6. Used the legacy test OAuth application to grant itself the Exchange Online full_access_as_app role, which gives full access to M365 Exchange Online mailboxes. This access allowed Midnight Blizzard to read the mailboxes of senior employees and exfiltrate corporate emails and attachments.
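The first step above is what per-account lockout never catches: a handful of guesses per account, spread across many accounts and across hours. The detector below, added here as an illustration and not Microsoft's or AppOmni's code, groups failed sign-ins by source IP and flags the spray pattern (many distinct targets, few attempts each, inside one window), then lists any non-MFA account that later succeeded from the same IP. The record layout, thresholds, IP addresses and sample sign-ins are all constructed; a real deployment would feed it Entra ID sign-in logs or any IdP's equivalent.

```python
"""Low-and-slow password-spray detection over sign-in records.

Added example, not Microsoft's or AppOmni's code. The record layout, the
thresholds and the sample data are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2024, 1, 12, 1, 0, 0)

# Constructed sample records. A spray touches many accounts with only a
# couple of guesses each, spread out in time, so per-account lockout
# thresholds never trip.
SPRAY_IP = "203.0.113.7"          # TEST-NET-3 documentation address
TARGETS = [f"svc-legacy-{i:02d}@corp.example" for i in range(8)]

SIGN_INS = []
for i, user in enumerate(TARGETS):
    for attempt in range(2):      # two guesses per account, hours apart
        SIGN_INS.append({
            "ts": BASE + timedelta(hours=3 * attempt, minutes=15 * i),
            "user": user, "ip": SPRAY_IP, "result": "failure", "mfa": False,
        })
# The one guess that lands: a legacy test account with no MFA.
SIGN_INS.append({"ts": BASE + timedelta(hours=9), "user": TARGETS[3],
                 "ip": SPRAY_IP, "result": "success", "mfa": False})
# Noise: a classic single-account brute force (lockout handles this one) ...
SIGN_INS += [{"ts": BASE + timedelta(minutes=m), "user": "admin@corp.example",
              "ip": "198.51.100.5", "result": "failure", "mfa": True}
             for m in range(6)]
# ... and an ordinary MFA-protected sign-in.
SIGN_INS.append({"ts": BASE + timedelta(hours=7), "user": "alice@corp.example",
                 "ip": "192.0.2.10", "result": "success", "mfa": True})


def detect_password_spray(records, min_targets=5, max_per_user=3,
                          window=timedelta(hours=24)):
    """Return one alert per source IP whose failures look like a spray:
    at least `min_targets` distinct accounts, no account guessed more than
    `max_per_user` times, all inside `window`. Non-MFA successes from that
    IP against one of the targeted accounts are reported as compromised."""
    failures = defaultdict(lambda: defaultdict(list))   # ip -> user -> [ts]
    successes = defaultdict(list)                       # ip -> [(user, mfa)]
    for r in records:
        if r["result"] == "failure":
            failures[r["ip"]][r["user"]].append(r["ts"])
        else:
            successes[r["ip"]].append((r["user"], r["mfa"]))

    alerts = []
    for ip, per_user in failures.items():
        if len(per_user) < min_targets:
            continue
        if any(len(ts) > max_per_user for ts in per_user.values()):
            continue   # noisy per-account brute force, not low-and-slow
        all_ts = [t for ts in per_user.values() for t in ts]
        if max(all_ts) - min(all_ts) > window:
            continue
        compromised = sorted(u for u, mfa in successes.get(ip, [])
                             if not mfa and u in per_user)
        alerts.append({
            "ip": ip,
            "targeted_accounts": len(per_user),
            "max_attempts_per_account": max(len(ts) for ts in per_user.values()),
            "compromised": compromised,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SIGN_INS):
        print(alert)
```

The thresholds are the tuning knobs: lowering `max_per_user` to 1 catches the most patient sprays but also fires on a user typing the same password into five colleagues' accounts; widening `window` beyond a day trades detection latency for coverage of sprays paced at one guess per account per day.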
(Figure: attack chain diagram, recreation of an illustration by Amitai Cohen)

Cloudflare-Atlassian breach

On Thanksgiving Day, November 23, 2023, Cloudflare detected a nation-state attacker on its self-hosted Atlassian server.

  1. The intrusion, which began on November 15, 2023, was made possible by an access token and service-account credentials that Cloudflare had not rotated after the Okta breach of October 2023.
  2. The attackers gained access to Cloudflare's internal wiki (Confluence) and bug database (Jira), and from there were able to view 120 code repositories in Cloudflare's Bitbucket instance.
  3. 76 of those source code repositories, related to key operational technologies, may have been exfiltrated.
  4. Cloudflare detected the threat actor on November 23 because the actor added a Smartsheet service account to an administrator group in Atlassian.
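Two checks fall directly out of this timeline: after an upstream identity-provider compromise, every credential that existed at that time and has not been rotated since must be treated as exposed; and a service account appearing in an administrator group is an anomaly worth alerting on, since service accounts have fixed jobs. The script below is an added example, not Cloudflare's or AppOmni's code. The exposure date, the credential inventory, the group names, the account names and the audit-event layout are all constructed for illustration; the real inputs would be a secrets inventory and the Atlassian audit log.

```python
"""Credential-rotation audit and admin-grant detection.

Added example, not Cloudflare's or AppOmni's code. Inventory, audit events,
group names and the exposure date are constructed for illustration.
"""
from datetime import date

# Every credential that existed in the upstream identity provider on or
# before this date must be treated as exposed. Constructed cutoff.
EXPOSURE_DATE = date(2023, 10, 18)

# Constructed credential inventory.
CREDENTIALS = [
    {"name": "jira-smartsheet-svc", "kind": "service_account",
     "created": date(2023, 6, 1), "last_rotated": date(2023, 6, 1)},
    {"name": "bitbucket-ci-svc", "kind": "service_account",
     "created": date(2023, 4, 10), "last_rotated": date(2023, 10, 25)},  # rotated after exposure
    {"name": "wiki-bot-token", "kind": "access_token",
     "created": date(2023, 8, 2), "last_rotated": date(2023, 8, 2)},
    {"name": "deploy-token-2", "kind": "access_token",
     "created": date(2023, 11, 2), "last_rotated": date(2023, 11, 2)},   # did not exist at exposure
]

# Constructed group and account names; substitute your tenant's own.
ADMIN_GROUPS = {"jira-administrators", "confluence-administrators", "site-admins"}
SERVICE_ACCOUNTS = {"jira-smartsheet-svc", "bitbucket-ci-svc"}

# Constructed audit events, shaped loosely like an admin audit log.
AUDIT_EVENTS = [
    {"ts": "2023-11-20T10:12:00Z", "actor": "alice", "action": "group_member_added",
     "target": "bob", "group": "jira-software-users"},
    {"ts": "2023-11-22T14:32:00Z", "actor": "eve", "action": "group_member_added",
     "target": "jira-smartsheet-svc", "group": "site-admins"},
    {"ts": "2023-11-22T14:40:00Z", "actor": "alice", "action": "group_member_removed",
     "target": "carol", "group": "site-admins"},
]


def stale_after_exposure(creds, exposure=EXPOSURE_DATE):
    """Names of credentials that existed on the exposure date and have not
    been rotated since. Anything issued after the cutoff was never exposed."""
    return sorted(c["name"] for c in creds
                  if c["created"] <= exposure and c["last_rotated"] <= exposure)


def service_accounts_granted_admin(events, service_accounts=SERVICE_ACCOUNTS,
                                   admin_groups=ADMIN_GROUPS):
    """Membership grants that put a service account into an admin group.
    `self_granted` marks the case where the account added itself."""
    hits = []
    for e in events:
        if (e["action"] == "group_member_added"
                and e["target"] in service_accounts
                and e["group"] in admin_groups):
            hits.append({"ts": e["ts"], "account": e["target"], "group": e["group"],
                         "actor": e["actor"], "self_granted": e["actor"] == e["target"]})
    return hits


if __name__ == "__main__":
    print("rotate now:", stale_after_exposure(CREDENTIALS))
    for hit in service_accounts_granted_admin(AUDIT_EVENTS):
        print("service account granted admin:", hit)
```

Note that `bitbucket-ci-svc` is not reported even though it predates the cutoff, because it was rotated a week after; that is the outcome the rotation check is meant to confirm, and the one that did not happen for the credentials the attackers reused.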

Threat actors are increasingly turning to SaaS

These breaches are part of a broader pattern of nation-state actors targeting SaaS providers, for espionage and intelligence gathering among other aims. Midnight Blizzard has previously carried out significant cyber operations, including the 2020 SolarWinds supply-chain attack.

These incidents underscore the importance of continuous monitoring of your SaaS environments and the ongoing risk posed by advanced adversaries targeting critical infrastructure and operational technology stacks. They also highlight significant weaknesses in SaaS identity management and the need for strict risk management of third-party apps.

Attackers use common tactics, techniques, and procedures (TTPs) to compromise SaaS tenants along the following kill chain:

  1. Initial access: password spraying, OAuth hijacking
  2. Persistence: impersonating an administrator, creating additional OAuth apps
  3. Defense evasion: highly privileged OAuth apps, accounts without MFA
  4. Lateral movement: wider compromise of connected apps
  5. Data exfiltration: extracting privileged and sensitive data from apps

Breaking the SaaS kill chain

An effective way to break the kill chain early is continuous monitoring, granular policy enforcement, and proactive lifecycle management of your SaaS environments. A SaaS Security Posture Management (SSPM) platform like AppOmni can help detect and alert on:

  • Initial access: ready-made rules to detect credential attacks, including password spraying and brute force, and unenforced MFA policies
  • Persistence: scan and inventory OAuth permissions, and detect OAuth hijacking
  • Defense evasion: access policy checks; detect whether a new Identity Provider (IdP) has been added; detect permission changes
  • Lateral movement: monitor logins and privileged access, detect toxic permission combinations, and understand the blast radius of a potentially compromised account

Note: This expertly contributed article was written by Beverly Nevalga, AppOmni.

