Midnight Blizzard and Cloudflare-Atlassian Cybersecurity Incidents

Learn how to break the SaaS kill chain with SSPM

By Beverly Nevalga, Associate Director of Content Marketing, AppOmni

The Midnight Blizzard and Cloudflare-Atlassian cybersecurity incidents raised alarms about the vulnerabilities inherent in major SaaS platforms. These incidents illustrate the stakes involved in SaaS breaches — safeguarding the integrity of SaaS apps and their sensitive data is critical, but is not easy. Common threat vectors such as sophisticated spear-phishing, misconfigurations and vulnerabilities in third-party app integrations demonstrate the complex security challenges facing IT systems.

In the case of Midnight Blizzard, password spraying against a test environment was the initial attack vector. For Cloudflare-Atlassian, threat actors initiated the attack via compromised OAuth tokens from a prior breach at Okta, a SaaS identity security provider. 

What Exactly Happened?

Microsoft Midnight Blizzard Breach

Microsoft was targeted by the Russian “Midnight Blizzard” hackers (also known as Nobelium, APT29, or Cozy Bear), who are linked to the SVR, the Kremlin’s foreign intelligence service unit.

In the Microsoft breach, the threat actors:

  1. Used a password spray strategy on a legacy account and historic test accounts that did not have multi-factor authentication (MFA) enabled. According to Microsoft, the threat actors “[used] a low number of attempts to evade detection and avoid account blocks based on the volume of failures.”
  2. Leveraged the compromised legacy account as an initial entry point to then hijack a legacy test OAuth app. This legacy OAuth app had high-level permissions to access Microsoft’s corporate environment.
  3. Created malicious OAuth apps by exploiting the legacy OAuth app’s permissions. Because the threat actors controlled the legacy OAuth app, they could maintain access to the applications even if they lost access to the initially compromised account.
  4. Granted admin Exchange permissions and admin credentials to themselves.
  5. Escalated privileges from OAuth to a new user, which they controlled.
  6. Consented to the malicious OAuth applications using their newly created user account.
  7. Escalated the legacy application’s access further by granting it full access to M365 Exchange Online mailboxes. With this access, Midnight Blizzard could view M365 email accounts belonging to senior staff members and exfiltrate corporate emails and attachments.

[Figure: Recreation of illustration by Amitai Cohen]

Cloudflare-Atlassian Breach

On Thanksgiving Day, November 23, 2023, Cloudflare’s Atlassian systems were also compromised by a nation-state attack.

  1. This breach, which started on November 15th, 2023, was made possible through the use of compromised credentials that had not been changed following a previous breach at Okta in October 2023. 
  2. Attackers accessed Cloudflare’s internal wiki and bug database, enabling them to view 120 code repositories in Cloudflare’s Atlassian instance.
  3. 76 source code repositories related to key operational technologies were potentially exfiltrated.
  4. Cloudflare detected the threat actor on November 23 because the threat actor connected a Smartsheet service account to an admin group in Atlassian.

Threat Actors Increasingly Target SaaS

These breaches are part of a broader pattern of nation-state actors targeting SaaS service providers for purposes including, but not limited to, espionage and intelligence gathering. Midnight Blizzard previously engaged in significant cyber operations, including the 2021 SolarWinds attack.

These incidents underscore the importance of continuous monitoring of your SaaS environments and the ongoing risk posed by sophisticated cyber adversaries targeting critical infrastructure and the operational tech stack. They also highlight significant vulnerabilities related to SaaS identity management and the necessity for stringent third-party app risk management practices.

Attackers use common tactics, techniques and procedures (TTPs) to breach SaaS providers through the following kill chain:

  1. Initial access: Password spray, hijacking OAuth
  2. Persistence: Impersonating an admin, creating extra OAuth apps
  3. Defense Evasion: Highly privileged OAuth, no MFA
  4. Lateral Movement: Broader compromise of connected apps
  5. Data Exfiltration: Grab privileged and sensitive data out of apps

Breaking the SaaS Kill Chain

One effective way to break the kill chain early is with continuous monitoring, granular policy enforcement, and proactive lifecycle management over your SaaS environments. A SaaS Security Posture Management (SSPM) platform like AppOmni can help with detecting and alerting on:

  • Initial Access: Out-of-the-box rules to detect credential compromise including password spraying, brute force attacks and unenforced MFA policies
  • Persistence: Scan and identify OAuth permissions 
  • Defense Evasion: Access policy checks, detect if a new identity provider (IdP) is created, detect permission changes
  • Lateral Movement: Monitor logins and privileged access, detect toxic combinations, and understand blast radius of a potentially compromised account

How AppOmni Secures Against Midnight Blizzard

Initial Access & Persistence

Ensuring MFA is enabled

AppOmni checks settings such as whether MFA is enabled for all M365 environments, including test and dev environments. It also continuously monitors M365 Conditional Access Policies to verify that they enforce MFA and to detect policy changes or drift.

Conditional Access

AppOmni provides continuous monitoring of M365 Conditional Access Policies and alerts on policy configuration drift, policy change activity, and Conditional Access login failures.

AppOmni can also detect multiple failed login attempts on Conditional Access policies.

Threat Detection: Password Spraying

AppOmni can detect password spraying and brute-force attacks with its Threat Detection engine.
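
The low-attempt spraying Microsoft described stays under per-account failure thresholds, so detection has to count distinct accounts per source instead. The following is an added example, not AppOmni's detection engine or code from the original article; the log layout, IP addresses, account names and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events: (timestamp, source IP, account, result).
def _build_sample():
    t0 = datetime(2024, 1, 1, 0, 0)
    events = []
    # Low-and-slow spray: one source, 12 accounts, one failure each, 20 min apart.
    for i in range(12):
        events.append((t0 + timedelta(minutes=20 * i), "203.0.113.7", f"test-user{i:02d}", "FAIL"))
    events.append((t0 + timedelta(minutes=245), "203.0.113.7", "legacy-test", "OK"))
    # A user who forgot a password: many failures, but only one account.
    for i in range(6):
        events.append((t0 + timedelta(minutes=i), "198.51.100.4", "alice", "FAIL"))
    return sorted(events)

SAMPLE_EVENTS = _build_sample()

def lockout_candidates(events, max_failures=5):
    """Volume-based control: accounts whose failure count reaches the threshold."""
    fails = defaultdict(int)
    for _, _, account, result in events:
        if result == "FAIL":
            fails[account] += 1
    return {a for a, n in fails.items() if n >= max_failures}

def spray_sources(events, window=timedelta(hours=6), min_accounts=10):
    """Sources failing against many distinct accounts inside a sliding window."""
    by_src = defaultdict(list)
    for ts, src, account, result in sorted(events):
        if result == "FAIL":
            by_src[src].append((ts, account))
    flagged = {}
    for src, fails in by_src.items():
        start = 0
        for end in range(len(fails)):
            # Shrink the window from the left until it spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            accounts = {a for _, a in fails[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged[src] = max(flagged.get(src, 0), len(accounts))
    return flagged

def successes_after_spray(events, flagged):
    """Successful logins from a flagged source: accounts to treat as compromised."""
    return sorted({a for _, src, a, r in events if r == "OK" and src in flagged})
```

On the constructed data, the volume-based check only catches the user who mistyped a password, while the distinct-account check flags the spraying source and the one account it got into.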

Privilege Escalation

App Impersonation

AppOmni can add a Posture Rule that would trigger an alert when a new App is assigned the app_impersonation permission. 

With this AppOmni policy, you would immediately be notified of the compromised OAuth application and that it had been granted elevated privileges. With this information you can disable the compromised account.

Defense Evasion & Lateral Movement

Threat Detection

AppOmni also looks for events where applications are granted administrative privileges, and provides several other OAuth-related threat detection rules.
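
The OAuth steps of the Midnight Blizzard chain (an app creating apps and users, a brand-new user consenting, an app receiving an elevated permission) can be correlated from audit events. This is an added example, not AppOmni's rules or code from the original article; the event schema, identity names and the 24-hour window are hypothetical, and `app_impersonation` is used only because it is the permission name given on this page.

```python
from datetime import datetime, timedelta

# Permission names treated as high privilege; extend the set for your tenant.
HIGH_PRIVILEGE = {"app_impersonation"}

# Constructed audit events; the schema (type/actor/target) is hypothetical.
T0 = datetime(2024, 1, 10, 9, 0)
SAMPLE_AUDIT = [
    {"ts": T0, "type": "app_created",
     "actor": "app:legacy-test-app", "target": "app:sync-helper"},
    {"ts": T0 + timedelta(minutes=5), "type": "user_created",
     "actor": "app:legacy-test-app", "target": "user:svc-new"},
    {"ts": T0 + timedelta(minutes=9), "type": "consent_granted",
     "actor": "user:svc-new", "target": "app:sync-helper"},
    {"ts": T0 + timedelta(minutes=12), "type": "permission_assigned",
     "actor": "user:svc-new", "target": "app:sync-helper",
     "permission": "app_impersonation"},
    {"ts": T0 + timedelta(hours=2), "type": "consent_granted",
     "actor": "user:it-admin", "target": "app:calendar-addin"},
]

def review_oauth_events(events, new_user_window=timedelta(hours=24)):
    """Return (rule, target, timestamp) findings for suspicious OAuth activity."""
    user_created = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind, actor, target = ev["type"], ev["actor"], ev["target"]
        if kind == "user_created":
            user_created[target] = ev["ts"]
        # An application, not a person, creating identities or other apps.
        if kind in ("app_created", "user_created") and actor.startswith("app:"):
            findings.append(("created_by_app", target, ev["ts"]))
        # Consent given by an account that only just came into existence.
        if kind == "consent_granted" and actor in user_created:
            if ev["ts"] - user_created[actor] <= new_user_window:
                findings.append(("consent_by_new_user", target, ev["ts"]))
        # An app receives a permission from the high-privilege set.
        if kind == "permission_assigned" and ev.get("permission") in HIGH_PRIVILEGE:
            findings.append(("high_privilege_grant", target, ev["ts"]))
    return findings

def apps_to_disable(findings):
    """Apps hit by two or more distinct rules are the strongest candidates."""
    rules = {}
    for rule, target, _ in findings:
        if target.startswith("app:"):
            rules.setdefault(target, set()).add(rule)
    return sorted(app for app, hit in rules.items() if len(hit) >= 2)
```

Requiring two distinct rules per app keeps routine admin consent, such as the last constructed event, out of the disable list.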

Identity Fabric

The AppOmni Identity Fabric pulls in users, roles, and privilege levels by application to give you visibility and alerting on inactive accounts across your SaaS landscape.
