Microsoft's first report from its Detection and Response Team (DART), which helps customers in deep cyber trouble, details the case of a large customer with six threat actors simultaneously on its network, including one state-sponsored hacker group that had been stealing data and email for 243 days.
The company announced DART in March 2019 as part of the $1bn-a-year push into enterprise cybersecurity announced by CEO Satya Nadella in 2017.
Without revealing any customer names, Microsoft intends to publish regular updates about DART's activities, to illustrate how hackers are operating.
Its first report details an advanced persistent threat (APT) attacker that stole administrator credentials to penetrate the target's network and steal sensitive data and emails.
Notably, the customer was not using multi-factor authentication (MFA), which could have prevented the breach. Microsoft revealed last week that 99.9% of compromised accounts didn't use MFA, and only 11% of enterprise accounts use MFA.
DART was brought in after the customer failed to kick one APT attacker off its network after 243 days, despite having engaged an incident response vendor seven months earlier. The attacker was ejected on the day Microsoft's team arrived. It also discovered five other threat groups were inside the network.
In this case, the main attacker used a password-spraying attack to grab the customer's Office 365 admin credentials and from there searched mailboxes to find more credentials shared among employees in emails. DART found the attacker was looking for intellectual property in certain markets.
The attacker even used the customer's e-discovery and compliance tools to automate the search for relevant emails.
According to Microsoft, the company in the first month of the attack tried to handle the compromised Office 365 account itself, then brought in an incident-response vendor to lead what turned out to be a lengthy investigation.
"This investigation lasted more than seven months and revealed a possible compromise of sensitive information – pertaining to the victim and the victim's customers – stored in Office 365 mailboxes. 243 days after the initial compromise, DART was then brought in to work alongside the incident-response vendor and the company's in-house teams," Microsoft says.
"DART quickly identified targeted mailbox searches and compromised accounts, as well as attacker command-and-control channels. DART also identified five additional, distinct attacker campaigns persisting in the environment that were unrelated to the initial incident. They discovered these attackers had entered the environment even earlier to establish access channels (ie, back doors) for later use as needed."
Microsoft outlines five basic steps that organizations can use to minimize their exposure to APT attackers, including enabling MFA, removing legacy authentication, adequately training first responders, properly logging events with a security, information and event management product, and recognizing that attackers do use legitimate administrative and security tools to probe targets.
The post offers the same message it gave to customers who are victims of major ransomware groups last week: customers should enable available security tools and focus on logging security events.
Microsoft covered the work of the operators of REvil, Samas or SamSam, Doppelpaymer, Bitpaymer, and Ryuk ransomware. It detailed how attackers disable security software and noted that some customers even disable security software to improve performance, allowing cybercriminals to roam networks for months unfettered.