

    U.S. Federal Agencies Mandated to Pursue Indicators of Microsoft Intrusion and Mitigate Hazards

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday publicly released an emergency directive (ED 24-02) instructing federal agencies to hunt for indicators of compromise and apply precautionary measures following the breach of Microsoft's corporate email systems, in which the attacker stole email correspondence between Microsoft and its customers.

    The attack, disclosed in January, has been attributed by Microsoft to the Russian state-backed group it tracks as Midnight Blizzard (also known as APT29 or Cozy Bear). Last month, Microsoft said the adversary had used information taken from its corporate email to gain access to some of its source code repositories and internal systems, but that it had found no evidence that customer-facing systems were compromised.

    The emergency directive was originally sent privately to federal agencies on April 2 and was first reported by CyberScoop two days later.

    “The threat actor is leveraging data initially extracted from corporate email systems, including authentication credentials exchanged between Microsoft customers and Microsoft via email, to gain, or attempt to gain, additional access to Microsoft customer systems,” stated CISA.

    The agency said the theft of email exchanges between federal agencies and Microsoft poses a severe risk, and it directs affected agencies to analyze the content of the stolen emails, reset any credentials exposed in them, and take additional steps to secure privileged Microsoft Azure accounts.
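    The first two of those steps (review the stolen correspondence, rotate whatever credentials it contains) start with finding credential-shaped material in a mailbox export. The following script is an added example for this page, not CISA's or Microsoft's tooling: it parses `.eml` messages with the Python standard library, scans the text bodies against a small set of illustrative regexes (a password assignment, a bearer token, an Azure storage `AccountKey`, a PEM private-key header), and reports the sender, subject and a redacted prefix of each hit so the value can be rotated without the triage report itself leaking it. The regexes and the sample messages are constructed for illustration and are not an exhaustive or vendor-published list.

```python
"""Triage an exported mailbox for credentials that were exchanged over email.

Added example for this page (not CISA's or Microsoft's tooling). Given the
.eml files an agency pulled from its Microsoft correspondence, flag messages
whose text bodies carry credential-shaped strings so those secrets can be
rotated. The patterns and sample messages below are constructed for
illustration only.
"""
import re
from email import message_from_string
from email.message import Message

# Credential shapes worth a manual look. Illustrative regexes, not an
# exhaustive list; group(1), where present, is the secret itself.
PATTERNS = {
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
    "bearer_token": re.compile(r"(?i)\bBearer\s+([A-Za-z0-9\-_.~+/]{20,}=*)"),
    "azure_account_key": re.compile(r"(?i)AccountKey=([A-Za-z0-9+/]{40,}={0,2})"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


def redact(secret: str) -> str:
    """Keep a 4-character prefix so the report does not reproduce the value."""
    return secret[:4] + "..." if len(secret) > 4 else "***"


def message_body(msg: Message) -> str:
    """Return the concatenated text/plain content (single- or multipart)."""
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"] if msg.is_multipart() else [msg]
    return "\n".join(
        p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
        for p in parts
    )


def scan_message(raw: str) -> list[dict]:
    """Scan one RFC 822 message and return one finding per pattern hit."""
    msg = message_from_string(raw)
    body = message_body(msg)
    findings = []
    for name, rx in PATTERNS.items():
        for m in rx.finditer(body):
            secret = m.group(1) if m.groups() else m.group(0)
            findings.append({
                "from": msg.get("From", ""),
                "subject": msg.get("Subject", ""),
                "kind": name,
                "sample": redact(secret),
            })
    return findings


def scan_mailbox(messages: list[str]) -> list[dict]:
    """Scan a list of raw messages (e.g. the contents of exported .eml files)."""
    return [f for raw in messages for f in scan_message(raw)]


# Constructed sample messages; none of this is real correspondence.
SAMPLE_MESSAGES = [
"""From: vendor-support@example.test
To: ops@agency.example
Subject: Service account for migration

Hi, as discussed the temporary service account is:
username: svc-migrate
password: Winter2024!
Please rotate it after first login.
""",
"""From: support@example.test
To: admin@agency.example
Subject: Re: API access
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Use this for the test tenant:
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.constructedexamplevalue0123456789
--b1
Content-Type: text/html; charset="utf-8"

<p>Use this for the test tenant</p>
--b1--
""",
"""From: account-team@example.test
To: ops@agency.example
Subject: Meeting notes

Thanks for your time today; slides attached separately.
""",
"""From: deploy@example.test
To: ops@agency.example
Subject: Deploy key

Here is the deploy key, please treat it as sensitive:
-----BEGIN RSA PRIVATE KEY-----
MIIEconstructedexamplekeymaterial
-----END RSA PRIVATE KEY-----
""",
]

if __name__ == "__main__":
    for f in scan_mailbox(SAMPLE_MESSAGES):
        print(f"{f['kind']:22} {f['from']:28} {f['subject']!r} -> {f['sample']}")
```

Only `text/plain` parts are scanned, so an HTML-only message or an attachment would need a separate pass; the point of the script is to turn a pile of exported mail into a rotation list, not to replace a full DLP scan.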

    How many federal agencies had email exchanges stolen remains unclear, though CISA said all affected agencies have been notified.

    Affected agencies are also required to complete a cybersecurity impact analysis by April 30, 2024, and to submit a status report by May 1, 2024, at 11:59 p.m. Other organizations affected by the breach are advised to contact their Microsoft account teams for further information.

    “Regardless of direct repercussions, all organizations are strongly encouraged to implement rigorous security protocols, including robust passwords, multi-factor authentication (MFA), and prohibition of disseminating unprotected sensitive information through insecure channels,” emphasized CISA.

    The directive's release coincides with CISA's launch of a new version of its malware analysis platform, Malware Next-Gen, which lets organizations submit malware samples (anonymously or otherwise) and other suspicious artifacts for analysis.
