this post was submitted on 19 Feb 2024
258 points (97.4% liked)

Cybersecurity

5689 readers
94 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Community Rules

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]

Notable mention to [email protected]

founded 1 year ago
MODERATORS
 

For the first time in the history of Microsoft, a cyberattack has left hundreds of executive accounts compromised and caused a major user data leak as Microsoft Azure was attacked.

According to Proofpoint, the hackers use the malicious techniques that were discovered in November 2023. It includes credential theft through phishing methods and cloud account takeover (CTO) which helped the hackers gain access to both Microsoft365 applications as well as OfficeHome.

all 30 comments
sorted by: hot top controversial new old
[–] [email protected] 59 points 9 months ago (2 children)

The reason why so many people fell for this attack was because it was carried out through malicious links embedded in documents. These links led to phishing websites but the anchor text of these links was “View Document”. Naturally, no one was suspicious of a text like that.

On one hand, I know we shouldn't blame people for falling for this stuff. People are often not educated well enough on the dangers and it's not reasonable to expect it. We should build things to be systematically secure even in the face of people falling for phishing.

On the other hand it's difficult not to be frustrated with this kind of thing... People really should know better than clicking random links and typing their password.

[–] [email protected] 78 points 9 months ago (5 children)

Azure products ask you for your identity and signin a lot. Honestly, I'm asked to log in again at least once every 24 hours. That's assuming I don't traverse some sort of service wall where I'm now in a different system after clicking a link.

I do cloud engineering for a living, and I would probably fall for at least some phishing things around Azure, specifically because azure identity management is so obtuse and constantly asking for things.

It's absolutely on the system that Microsoft designed , and the practices they encourage, and the mitagations that apparently don't exist.

[–] [email protected] 52 points 9 months ago (1 children)

MS products in general are a Rube Goldberg machine of domain redirects and authentication requests so you could easily(...?) slip another sneaky phishing site in the middle of the 14th ball drop and 18th cup-on-a-string-swinging-over-a-gap and I'd be one to fall for it. I use 1Pass and it's pretty much constantly popping up in MS website dialogue boxes demanding another password sacrifice before it will let me access some MS service that I was just on five minutes ago.

[–] [email protected] 9 points 9 months ago

My school uses MS for a bunch of the logins. 2FA is setup through your phone, which isn't annoying or anything. So anytime I login, I need my phone handy, and then I have to type in the stupid code into my phone and then a password to approve it and then maybe 25% of the time it decides me clicking "yes this is me" actually means "no, deny!" and boots me out and then I have to authenticate a different way. And if I sign into a different school website that uses the same damn MS login it kicks me from any other school websites I'm currently logged into so I have to log back into them even if they're still open in another tab and I'm actively working in then. So yeah, I'd like to think I'm smart, but I'd definitely just rush through another MS authentication request because I'm so damn sick of them.

[–] [email protected] 38 points 9 months ago (1 children)

bing bing bing bing!

"Sign into your Microsoft account" here...

"Link your Microsoft account to Edge/[Insert MS product here]"

"Let's get you signed in" there.

"Try our Windows Hello! A new method of accessing your Microsoft account!" over there.

"Sorry you can't use your organization account here, sign into your personal account"

This is the monster Microsoft unleashed upon itself.

[–] [email protected] 16 points 9 months ago

Microsoft, and all the cybersecurity folks who blindly accept any recommendation from third party firms.

When we need to remote in to our work PCs we have to use our Microsoft account with MFA just to access the remote connections, then use the same credentials to access the pool, then if we want to RDP into our PC we use the same credentials.

[–] [email protected] 13 points 9 months ago (1 children)

Thank you. Security verification has become so cumbersome that people just try to push through without thinking.

[–] [email protected] 6 points 9 months ago

Yeah, needing to sign back into multiple systems after doing something different for 15 minutes is just exhausting.

[–] [email protected] 8 points 9 months ago

The amount of times I have had to do an MFA challenge for non-elevated access stuff while on company owned hardware connected to the company owned network is absurd.

[–] [email protected] 4 points 9 months ago

Azure products ask you for your identity and signin a lot. Honestly, I'm asked to log in again at least once every 24 hours

I'm security minded and I absolutely hate using Microsoft because of this very reason.

I have a Microsoft account because stupid ass Windows needs it, I wanted PC GamePass and I was sick of constantly doing workarounds for the past 15 years. And what do I get for it? I need to log in for so many things. Accidentally open up Microsoft word? Login. Open game pass? Login. Play a game? Login. Game suddenly crashes? Oh because it failed to authenticate and I had to login into game pass again.

I would absolutely fall for this if I had to use microsoft products at work because of logging fatigue.

[–] [email protected] 37 points 9 months ago (1 children)

I work on service desk.

Nobody knows their password. It’s always a fucking song and dance when I ask them to type it in.

Except of course when they click a phishing link. Then they know every single piece of information required.

Blows my mind

[–] [email protected] 14 points 9 months ago (1 children)

work on service desk.

Nobody knows their password.

If they did they wouldn't be contacting the service desk.

[–] [email protected] 10 points 9 months ago (1 children)

I often get confused at how someone could log into the computer and yet after that is done have no idea what their password is. I sometimes have them lock their computer so they can remember it again. Facepalm.

[–] [email protected] 10 points 9 months ago (1 children)

Been on both ends of this (IT support and "forget password after entering it correctly"). The secret is muscle memory/subconcious habit.

Used to have the same issue with the dial combo lock on my locker at school. If I thought about it I could never open it. If I distracted myself just enough then I'd get it open without really knowing what I did.

That said, at my place we had someone forgetting their password literally minutes after a call to have it reset, multiple times a day. Don't know what the issue was, but we had to escalate it to HR and the person was out for a good while.

[–] [email protected] 8 points 9 months ago

Totally agree about the muscle memory. I recall having access to a CO DNR database at a previous job. It was one of three alphanumeric passwords assigned to me with no option to change them. I realized one day after having my hand in the wrong place on the keyboard that I didn’t really remember it, but my subconscious did

[–] [email protected] 34 points 9 months ago (1 children)

A better summary:

The text discusses a series of cybersecurity breaches affecting Microsoft, involving sensitive data theft from US government officials and organizations, attributed to Chinese hackers. Microsoft's delayed response to discovered security flaws, including a 90-day wait for a partial fix, is criticized. Senator Ron Wyden has called for Microsoft's accountability. The breaches underscore the growing issue of security vulnerabilities in tech companies, leading to expectations that the US government will require companies to promptly disclose security incidents within a strict timeframe.

[–] [email protected] 8 points 9 months ago
[–] [email protected] 13 points 9 months ago (3 children)

every day i lose my mind a little more at how much trust hundreds of thousands of companies across the world place in third parties like microsoft to handle literally all of their sensitive data, as if that could be a good idea in any universe

[–] [email protected] 13 points 9 months ago (1 children)

While I don't disagree it's dangerous, most companies handling their own data would likely do a lot worse, just with smaller chance of being targeted.

[–] [email protected] 2 points 3 months ago

That's a fair point to be honest but it would mean more job openings for me, so... /j

[–] [email protected] 3 points 9 months ago

Especially when history has shown that Microsoft had and has issues with security basically everywhere.

[–] [email protected] 2 points 9 months ago

Not just companies. Governments. I know of entire governmental departments that run exclusively off of a M$ environment. People who deal with capital C Confidential information are backing it up into OneDrive. It's lunacy.

[–] [email protected] 7 points 9 months ago
[–] [email protected] 4 points 9 months ago (1 children)

This piece reads like it was generated by an LLM from prompts supplied by a twelve year old who knows nothing about cybersecurity. I was really looking forward to reading the article from the headline

[–] [email protected] 1 points 9 months ago

Do you mean the text accompanying the post? That is the first two paragraphs from the article.

The "better summary" I posted later was actually generated by chatgpt.

[–] [email protected] 4 points 9 months ago

What's sad is that my former university uses Microsoft products for literally everything and they think Duo is going to keep my uni email secure. Until they encrypt that bitch and enhance their security that email is as good as dead

[–] [email protected] 2 points 9 months ago (1 children)

Flashback from 2016 Russian hack on DNC emails

[–] [email protected] 1 points 9 months ago

Wouldn't blow my mind if this was a state actor, it's a huge breach during an election year

[–] [email protected] 1 points 9 months ago

Satya is too focused on creeping on you tbh