Midnight Blizzard and Cloudflare-Atlassian Cybersecurity Incidents: What to Know

February 13, 2024 | The Hacker News | SaaS Security / Data Breach


The Midnight Blizzard and Cloudflare-Atlassian cybersecurity incidents have raised alarms about vulnerabilities in major SaaS platforms. These incidents illustrate the stakes involved in SaaS breaches – protecting the integrity of SaaS apps and their sensitive data is critical but not easy. Common threat vectors such as sophisticated spear-phishing, misconfiguration and vulnerabilities in third-party app integrations reflect the complex security challenges facing IT systems.

In the case of Midnight Blizzard, password spraying against a test environment was the initial attack vector. For Cloudflare-Atlassian, the threat actors gained entry through compromised OAuth tokens obtained in an earlier breach of Okta, a SaaS identity security provider.

What Exactly Happened?

Microsoft Midnight Blizzard Breach

Microsoft was targeted by Russia’s “Midnight Blizzard” hackers (also known as Nobelium, APT29, or Cozy Bear) linked to the SVR, the Kremlin’s foreign intelligence service unit.

In Microsoft’s breach, the threat actors:

  1. Used a password spraying strategy on a legacy account and historical test accounts without multi-factor authentication (MFA) enabled. According to Microsoft, the threat actors “(used) a small number of attempts to avoid detection and avoid account blocks based on the number of failures.”
  2. Exploited the compromised legacy account as the initial entry point to hijack a legacy test OAuth app. This legacy OAuth app had high-level access permissions in Microsoft’s corporate environment.
  3. Created malicious OAuth apps by exploiting the legacy OAuth app’s permissions. Because the threat actors controlled the legacy OAuth app, they could maintain access to applications even if they lost access to the first compromised account.
  4. Granted themselves an Exchange admin role and admin credentials.
  5. Escalated privileges from the OAuth app to a new user, which they controlled.
  6. Consented to the malicious OAuth applications using their newly created user account.
  7. Escalated the legacy application’s access further by granting it full access to M365 Exchange Online mailboxes. With this access, Midnight Blizzard could view M365 email accounts belonging to senior staff members and exfiltrate corporate emails and attachments.
Illustration by Amitai Cohen
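Step 1 above is the detection problem in a nutshell: a per-account lockout threshold never fires when each account sees one or two attempts, so the detection has to pivot on the source rather than the account. The following is an added example written for this article, not code from Microsoft or AppOmni. It runs over a constructed sign-in log (the accounts, IPs and timestamps are made up) and flags a source that fails against many distinct accounts inside one window while staying under a small per-account attempt count; a single user mistyping a password is deliberately left alone, and any success against an account without MFA is called out separately.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (not real data). Source 198.51.100.7 tries
# each account exactly once, the "low and slow" pattern that stays under a
# per-account lockout threshold, and finally succeeds against a legacy test
# account that has no MFA. Source 203.0.113.5 is one user mistyping a
# password a few times, which should not be flagged as a spray.
SAMPLE_SIGNIN_LOG = """\
2024-01-12T03:00:01Z alice 198.51.100.7 FAIL mfa=true
2024-01-12T03:00:11Z bob 198.51.100.7 FAIL mfa=true
2024-01-12T03:00:23Z carol 198.51.100.7 FAIL mfa=true
2024-01-12T03:00:37Z dave 198.51.100.7 FAIL mfa=true
2024-01-12T03:00:49Z erin 198.51.100.7 FAIL mfa=true
2024-01-12T03:01:02Z legacy-test 198.51.100.7 SUCCESS mfa=false
2024-01-12T09:15:00Z frank 203.0.113.5 FAIL mfa=true
2024-01-12T09:15:08Z frank 203.0.113.5 FAIL mfa=true
2024-01-12T09:15:20Z frank 203.0.113.5 FAIL mfa=true
2024-01-12T09:15:31Z frank 203.0.113.5 SUCCESS mfa=true
"""


def parse_signin_log(text):
    """Parse the constructed 'timestamp user source result mfa=...' format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result, mfa = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "src": src,
            "result": result,
            "mfa": mfa == "mfa=true",
        })
    return events


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_accounts=5, max_per_account=3):
    """Return one alert per source that, within a single window, fails
    against at least min_accounts distinct accounts while never exceeding
    max_per_account failures on any one of them. Per-account lockout never
    fires on that pattern, so the detection pivots on the source."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        i = 0
        while i < len(evs):
            # Window anchored at the i-th event of this source.
            win = [e for e in evs[i:] if e["time"] - evs[i]["time"] <= window]
            fails = defaultdict(int)
            for e in win:
                if e["result"] == "FAIL":
                    fails[e["user"]] += 1
            if len(fails) >= min_accounts and max(fails.values()) <= max_per_account:
                successes = [e for e in win if e["result"] == "SUCCESS"]
                alerts.append({
                    "src": src,
                    "first_seen": evs[i]["time"].isoformat(),
                    "accounts_targeted": len(fails),
                    "succeeded": sorted({e["user"] for e in successes}),
                    # Successes on accounts without MFA are the ones to act on first.
                    "succeeded_without_mfa": sorted({e["user"] for e in successes if not e["mfa"]}),
                })
                i += len(win)  # do not re-alert on the same window
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(parse_signin_log(SAMPLE_SIGNIN_LOG)):
        print(alert)
```

The thresholds (30-minute window, five accounts, three attempts per account) are assumptions to tune against your own sign-in volume; the point of `max_per_account` is that a spray is characterised by breadth across accounts and not by depth on one, which is exactly what a lockout policy does not see.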

Cloudflare-Atlassian Breach

On Thanksgiving Day, November 23, 2023, Cloudflare’s Atlassian systems were also compromised by a nation-state attack.

  1. This breach, which began on November 15, 2023, was made possible by the use of compromised credentials that were not changed after a previous Okta breach in October 2023.
  2. The attackers accessed Cloudflare’s internal wiki and bug database, allowing them to view 120 code repositories on Cloudflare’s Atlassian instance.
  3. 76 source code repositories related to key operational technologies were potentially exfiltrated.
  4. Cloudflare detected the threat actor on November 23 because the threat actor connected a Smartsheet service account to an Atlassian admin group.

Nation-States Are Increasingly Targeting SaaS

These breaches are part of a broader pattern of nation-state actors targeting SaaS service providers, including but not limited to espionage and intelligence gathering. Midnight Blizzard has previously engaged in significant cyber operations, including the 2021 attack on SolarWinds.

These incidents highlight the importance of continuous monitoring of your SaaS environments and the ongoing risk posed by sophisticated cyber adversaries targeting critical infrastructure and operational tech stacks. They also highlight significant vulnerabilities related to SaaS identity management and the need for rigorous 3rd-party app risk management practices.

Attackers use common tactics, techniques and procedures (TTPs) to breach SaaS providers through the following kill chain:

  1. Initial Access: Password spraying, OAuth hijacking
  2. Persistence: Impersonates admin, creates additional OAuth apps
  3. Defense Evasion: Elevated OAuth privileges, no MFA
  4. Lateral Movement: Wider compromise of connected apps
  5. Data Exfiltration: Remove privileged and sensitive data from apps

Breaking the SaaS Kill Chain

An effective way to break the kill chain early is continuous monitoring, granular policy enforcement, and proactive lifecycle management of your SaaS environments. A SaaS Security Posture Management (SSPM) platform such as AppOmni helps identify and alert on:

  • Initial Access: Out-of-the-box rules to detect credential compromise, including password spraying, brute force attacks, and unenforced MFA policies
  • Persistence: Scan and detect OAuth authorizations and detect OAuth hijacking
  • Defense Evasion: Access policy checks, detect when a new identity provider (IdP) is created, detect authorization changes.
  • Lateral Movement: Monitor logins and privileged access, identify toxic combinations, and understand the blast radius of a potentially compromised account
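The Persistence and Lateral Movement bullets come down to a handful of checks over an identity and OAuth inventory. Below is an added example, written for this article and not AppOmni's or Microsoft's code, that runs those checks over a constructed inventory of accounts, app consents and admin-group changes (shaped like an identity-provider API or SSPM export would be; the tenant, apps and dates are made up). The permission names follow Microsoft's naming (`full_access_as_app` is the Exchange Online application role; `Mail.ReadWrite` and `User.Read.All` are Graph permissions), and the set of permissions treated as mailbox-wide, the 7-day "new account" window and the 180-day staleness threshold are assumptions. The rules mirror the two incidents: an app with tenant-wide mailbox access, a privileged app nobody has used in a long time (the legacy test app), a consent granted by a freshly created account, and a service account added to an admin group (the change Cloudflare noticed).

```python
from datetime import datetime, timedelta

# Constructed inventory (not from any real tenant): accounts, OAuth app
# consents and admin-group membership changes, shaped like what an identity
# provider API or SSPM export would give you. Permission names follow
# Microsoft's naming (full_access_as_app is the Exchange Online application
# role, Mail.ReadWrite and User.Read.All are Graph permissions); everything
# else here is made up for the example.
NOW = datetime(2024, 1, 20)

ACCOUNTS = {
    "admin-ops":       {"type": "user",    "created": datetime(2021, 3, 1)},
    "legacy-test":     {"type": "user",    "created": datetime(2019, 6, 1)},
    "svc-spreadsheet": {"type": "service", "created": datetime(2022, 9, 1)},
    "new-operator":    {"type": "user",    "created": datetime(2024, 1, 18)},
}

APP_GRANTS = [
    {"app": "hr-sync", "permissions": ["User.Read.All"],
     "consented_by": "admin-ops", "consented_at": datetime(2023, 5, 2),
     "last_used": datetime(2024, 1, 19)},
    {"app": "legacy-test-app", "permissions": ["full_access_as_app"],
     "consented_by": "legacy-test", "consented_at": datetime(2019, 7, 1),
     "last_used": datetime(2021, 1, 1)},
    {"app": "mailbox-helper", "permissions": ["full_access_as_app", "Mail.ReadWrite"],
     "consented_by": "new-operator", "consented_at": datetime(2024, 1, 19),
     "last_used": datetime(2024, 1, 19)},
]

GROUP_CHANGES = [
    {"group": "atlassian-admins", "member": "admin-ops",
     "action": "add", "at": datetime(2022, 1, 10)},
    {"group": "atlassian-admins", "member": "svc-spreadsheet",
     "action": "add", "at": datetime(2024, 1, 17)},
]

# Assumption: these are the permissions we treat as mailbox-wide, i.e. an app
# holding any of them can read every mailbox in the tenant.
MAILBOX_WIDE = {"full_access_as_app", "Mail.ReadWrite", "Mail.Read"}


def audit_oauth_grants(grants, accounts, now=NOW, new_account_days=7, stale_days=180):
    """Return (rule, app, detail) findings for the three OAuth conditions in
    the Midnight Blizzard chain: an app with tenant-wide mailbox access, a
    privileged app nobody has used for a long time (a legacy test app), and a
    consent granted by an account created only days before the consent."""
    findings = []
    for g in grants:
        broad = sorted(set(g["permissions"]) & MAILBOX_WIDE)
        if broad:
            findings.append(("mailbox-wide-permission", g["app"], ",".join(broad)))
            if now - g["last_used"] > timedelta(days=stale_days):
                findings.append(("stale-privileged-app", g["app"],
                                 f"last used {g['last_used'].date()}"))
        granter = accounts.get(g["consented_by"])
        if granter and g["consented_at"] - granter["created"] <= timedelta(days=new_account_days):
            findings.append(("consent-by-new-account", g["app"], g["consented_by"]))
    return findings


def audit_group_changes(changes, accounts, admin_groups):
    """Flag a service (non-human) account being added to an admin group, the
    kind of change that let Cloudflare spot the intruder in its Atlassian instance."""
    findings = []
    for c in changes:
        acct = accounts.get(c["member"], {})
        if c["action"] == "add" and c["group"] in admin_groups and acct.get("type") == "service":
            findings.append(("service-account-in-admin-group", c["group"], c["member"]))
    return findings


if __name__ == "__main__":
    for f in audit_oauth_grants(APP_GRANTS, ACCOUNTS):
        print(f)
    for f in audit_group_changes(GROUP_CHANGES, ACCOUNTS, admin_groups={"atlassian-admins"}):
        print(f)
```

Note that `hr-sync` produces no finding even though it holds a directory-wide read permission: the audit is deliberately scoped to the toxic combinations the incidents showed (mailbox-wide access, disuse, and consent by an identity that did not exist a week earlier) rather than to every broad permission, which keeps the alert volume reviewable.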

Note: This expert contributed article was written by Beverly Nevalga, AppOmni.
