Hacking campaign affects hundreds of Microsoft Azure accounts
February 23, 2024
Proofpoint researchers recently uncovered a cloud account misappropriation campaign affecting Microsoft Azure environments and users, including senior executives. Detected at the end of November 2023, the threat is still active in February 2024.
According to Proofpoint, the campaign involves phishing techniques and control of cloud accounts, using individualised lures in shared documents. For example, some documents include “View document” links which, when clicked, redirect users to a phishing page.
The victim profile appears to be broad: hundreds of users holding a range of titles in their companies, from sales directors and account and finance managers up to vice-presidents of operations, presidents and CEOs.
Proofpoint warns that a successful initial compromise in this campaign can lead to a cascade of unauthorized activity. For example, analysts have observed attackers manipulating authentication methods, such as registering alternative phone numbers for authentication via SMS or phone call. In most cases of MFA manipulation, however, the preferred method has been to add an authenticator app with notification and code.
In this campaign, attackers can also gain access to and download sensitive files, such as lists of financial assets, internal security protocols, and user credentials. They can also access mailboxes, move laterally within affected networks and abuse specific user accounts to carry out personalized phishing. They create mailbox obfuscation rules to cover their tracks and erase evidence of malicious activity from victims’ mailboxes. And they can conduct financial fraud by sending internal email messages to the Human Resources and Finance departments of affected organizations.
Proofpoint’s analysis of the attack revealed multiple proxies, data hosting services, and hijacked domains that make up the campaign’s operational infrastructure. Attackers have been observed using proxy services to align the apparent geographic origin of unauthorized activity with that of the potential victims, evading geofence policies. They also switch proxy services frequently to mask their true location and make blocking the malicious activity harder.
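The MFA-method additions, mailbox-rule creation and proxy-based sign-ins described above are all visible in cloud audit logs if they are correlated. The following detection sketch is an added example, not code from Proofpoint or Microsoft: it runs over constructed sample events loosely modelled on Entra ID sign-in/audit and Exchange Online audit records (the field names and activity strings are assumptions, not an exact schema) and flags security-info registration or inbox-rule creation that follows a sign-in from a network (ASN) the user has never been seen on.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field names are assumptions.
SAMPLE_EVENTS = [
    {"time": "2024-02-01T09:02:00Z", "user": "cfo@example.com", "type": "signin",
     "country": "US", "asn": "AS7922"},                       # usual home ISP
    {"time": "2024-02-01T09:10:00Z", "user": "cfo@example.com", "type": "signin",
     "country": "US", "asn": "AS9009"},                       # same country, unfamiliar (proxy) ASN
    {"time": "2024-02-01T09:14:00Z", "user": "cfo@example.com", "type": "audit",
     "activity": "User registered security info",
     "detail": "Authenticator App with notification and code"},
    {"time": "2024-02-01T09:20:00Z", "user": "cfo@example.com", "type": "audit",
     "activity": "New-InboxRule", "detail": "MoveToFolder=RSS Feeds; MarkAsRead=True"},
    {"time": "2024-02-01T11:00:00Z", "user": "ops@example.com", "type": "audit",
     "activity": "User registered security info",
     "detail": "Authenticator App with notification and code"},  # no preceding odd sign-in
]

# Post-compromise actions the article describes: MFA method added, mailbox rule created.
SUSPICIOUS_ACTIVITIES = {"User registered security info", "New-InboxRule"}
WINDOW = timedelta(hours=1)   # how long after the odd sign-in we still attribute the action to it


def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ")


def find_mfa_tampering(events, known_asns):
    """Return (user, activity, asn) for each suspicious action that occurs within
    WINDOW of a sign-in from an ASN not in the user's baseline (known_asns)."""
    recent_new_asn = {}   # user -> (timestamp, asn) of the latest sign-in from an unknown ASN
    alerts = []
    for ev in sorted(events, key=_ts):
        user = ev["user"]
        if ev["type"] == "signin":
            if ev["asn"] not in known_asns.get(user, set()):
                recent_new_asn[user] = (_ts(ev), ev["asn"])
            continue
        if ev.get("activity") not in SUSPICIOUS_ACTIVITIES:
            continue
        hit = recent_new_asn.get(user)
        if hit and _ts(ev) - hit[0] <= WINDOW:
            alerts.append((user, ev["activity"], hit[1]))
    return alerts


if __name__ == "__main__":
    baseline = {"cfo@example.com": {"AS7922"}, "ops@example.com": {"AS7922"}}
    for alert in find_mfa_tampering(SAMPLE_EVENTS, baseline):
        print("ALERT", alert)
```

Country alone would not have caught the sample above, which is the point of the article's proxy observation; keying on the ASN baseline per user is what surfaces it.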
In addition to using proxy services, attackers use certain local fixed-line ISPs that could expose their geographic locations. Some of these non-proxy sources are in Russia and Nigeria.
In mid-2023, US Senator Ron Wyden sent a letter to the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Justice and the Federal Trade Commission (FTC) calling for Microsoft to be held accountable for negligent cybersecurity practices that have enabled acts of espionage by China against the US government.
On the private side, Tenable, a company that offers cyber exposure management solutions, was already investigating potential unauthorised access to the Microsoft Azure platform and related services. In a sign of how critical the flaw was, the Tenable team quickly discovered a bank’s authentication secrets and immediately notified Microsoft.
Contrary to expectations, it took Microsoft more than 90 days to implement a partial fix for a problem that could lead to a breach of several customers’ networks and services. According to Tenable, Microsoft said at the time that it would resolve the problem by the end of September 2023. However, with the current campaign incident identified by Proofpoint, we can imagine that the vulnerability has not yet been completely eliminated.
In the midst of this incident, Ahmed Shihab, vice president of infrastructure hardware at Amazon Web Services (AWS), moved to rival Microsoft to work on Azure storage services as vice president of that area. In response to CRN's enquiry, Microsoft confirmed the hiring of Shihab but gave no details about his new role and responsibilities. The hiring also comes at a time when Amazon is going through a wave of layoffs in executive positions in the AWS division, part of a cost-cutting measure started in April 2023. A further 9,000 employees from various business units, including AWS, were expected to be affected.