I recently had the chance to co-host a TEC Talk with my friend and former coworker, Bryan Patton, on the topic of AD-based attacks. This is an evergreen topic since criminals (and nation-states, and nation-state-criminals) all keep attacking identity systems for fun, profit, and politico-military advantage, and there’s no reason to think those attacks are going to decrease in frequency or severity. Bryan and I wanted to review what the Microsoft community has seen in, and hopefully learned from, so far in 2023 when it comes to AD security.
The Big Four
We started by discussing four major attacks we’ve already seen this year against Microsoft and its customers: Mercury, Volt Typhoon, n0Auth, and Storm-0558. At the time, it hadn’t been publicly disclosed that the Chinese attackers behind Storm-0558 had been able to compromise the US State Department, among others, but we did make a point of mentioning that those attacks were ongoing. The point we wanted to convey during this portion of the talk is that as of mid-July 2023, there had already been four widely reported, serious, well-backed, widespread attacks targeting Microsoft and customers. There have been others that are less well-known, and there are probably others that haven’t been publicly disclosed yet.
These four attacks were just the start of our discussion, though, because we also moved on to a wide-ranging discussion about other attacks. Bryan made the excellent point that the Lockbit gang (and some of their competitors in the ransomware-as-a-service market) have at least some ethical boundaries, witnessed by their apology after one of their affiliates attacked the Toronto Hospital for Sick Children. That incident wasn’t much comfort to any of the dozens of large organizations who fell victim to publicized ransomware attacks, including the UK’s Royal Mail, whose data was leaked after they refused to pay Lockbit’s requested ransom. We also discussed the wave of Cl0p attacks that exploited flaws in the MOVEit toolset. (Fun update: just this week, Cl0p has started releasing the data they stole, apparently hoping to put more pressure on the victims whose data hasn’t yet been released. We didn’t anticipate this tactic but I’d bet we see it repeated again in the future!)
One of the most interesting things we discussed was the emergence of two hardware-based attacks: one against Barracuda email appliances (an attack so severe that the manufacturer recommends replacing infected devices instead of patching them!) and the other against MSI, maker of laptops, desktop, and server motherboards. The MSI hack is particularly egregious because it enables attackers to sign BIOS malware that the affected systems will accept as legitimate, enabling a whole set of nasty persistent attacks.
Targets and Perpetrators
To wrap up, we moved to discuss the attackers themselves, asking two questions: who are the targets, and who are the perpetrators? The sad truth is that some of the more complex and damaging attacks were mounted by nation-states, but those attack techniques will (and have) become accessible to large criminal organizations, then to small-time criminals, then to script kiddies. We’ve seen this pattern before with many other types of malware, and it’s disheartening but seems inevitable.
To close out the talk we had a lively Q&A with the attendees (you can see the questions and our answers in the recording). Overall it was a lot of fun, and it was good preparation for the wide range of security topics that the speakers at TEC 2023 will be discussing in a few weeks. Hopefully, I’ll see you there!