Cybersecurity Snapshot: CISA Says Midnight Blizzard Swiped U.S. Gov’t Emails During Microsoft Hack, Tells Fed Agencies To Take Immediate Action

Check out CISA’s urgent call for federal agencies to protect themselves from Midnight Blizzard’s breach of Microsoft corporate emails. Plus, a new survey shows cybersecurity pros are guardedly optimistic about AI. Meanwhile, SANS pinpoints the four trends CISOs absolutely must focus on this year. And the NSA is sharing best practices for data security. And much more!

Dive into six things that are top of mind for the week ending April 12.

1 - CISA to federal agencies: Act now to mitigate threat from Midnight Blizzard’s Microsoft email hack

Midnight Blizzard, a nation-state hacking group affiliated with the Russian government, stole email messages exchanged between several unnamed U.S. federal agencies and Microsoft.

So said the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in its Emergency Directive 24-02, sent to federal civilian agencies last week and made public this week.

The directive instructs agencies to take immediate and specific actions, including “to analyze potentially affected emails, reset any compromised credentials, and take additional steps to secure privileged Microsoft Azure accounts,” CISA said in a statement.

“Midnight Blizzard’s successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies,” reads the directive. All impacted federal agencies have been notified.

Tenable CEO and Chairman Amit Yoran said in a statement that it’s not surprising to learn that Midnight Blizzard’s intrusion campaign escalated after its initial discovery. “Given Microsoft’s consistent track record of partial disclosure, misleading statements and downplaying security incidents, it was only a matter of when the other shoe would drop,” Yoran said.

“Microsoft’s lackadaisical security practices and negligent approach to disclosure have national security implications, and should alarm their commercial clients, which don’t necessarily have the voice or get the attention that the U.S. government might,” he added. “CISA is treating this threat with the intense scrutiny it deserves. Bad cyber hygiene leads to worse outcomes.”

Although the directive applies only to federal civilian executive branch agencies, CISA encourages any other organization impacted by Midnight Blizzard’s hack of Microsoft emails to seek guidance from their Microsoft account team.

The attack against Microsoft began in November 2023, when Midnight Blizzard – also known as Nobelium, Cozy Bear and APT29 – compromised a legacy, non-production test account that lacked multi-factor authentication protection.

Microsoft disclosed the breach in January, saying then that the hackers had stolen information from some of its employees’ corporate email accounts, including senior leaders and cybersecurity and legal staffers.

In a March update, Microsoft revealed that Midnight Blizzard had accessed Microsoft source code repositories and breached internal systems – and that it had been unable to contain the attack so far.

Microsoft further said at the time that Midnight Blizzard was trying to exploit stolen “secrets” shared via email between Microsoft and some customers. The Associated Press reported then that the stolen information included “cryptographic secrets” such as passwords, certificates and authentication keys. 

To get more details, check out:

• CISA’s announcement of its directive “CISA Directs Federal Agencies to Immediately Mitigate Significant Risk From Russian State-Sponsored Cyber Threat”
• The directive “ED 24-02: Mitigating the Significant Risk from Nation-State Compromise of Microsoft Corporate Email System”

For more information about Midnight Blizzard’s attack against Microsoft:

• “Poor Identity Hygiene at Root of Nation-State Attack Against Microsoft” (Tenable)
• “US says Russian hackers stole federal government emails during Microsoft cyberattack” (TechCrunch)
• “CISA Publishes ‘Emergency’ Order On Microsoft Breach By Russian Group, Confirms Stolen Emails” (CRN)
• “Russian hackers accessed U.S. government emails in Microsoft breach, CISA says” (NextGov)
• “Midnight Blizzard swiped Microsoft’s source code, broke into its internal systems” (Tenable)

2 - Cybersecurity pros warm up to AI’s potential

A majority of cybersecurity professionals feel cautiously hopeful about artificial intelligence’s potential for strengthening their organizations’ cyber defenses, while also recognizing AI’s risks and adoption obstacles.

That’s according to a new global survey of almost 2,500 IT and security professionals conducted by the Cloud Security Alliance (CSA).

“While there’s optimism about AI’s role in enhancing security, there’s also a clear recognition of its potential misuse and the challenges it brings,” reads the “State of AI and Security Survey Report,” which was commissioned by Google and released this week.

Specifically, 63% of respondents said AI can potentially boost their organizations’ cybersecurity processes. Only 12% felt the opposite way. The rest had no opinion.

Already, 22% of polled organizations use generative AI for security. More than half (55%) plan to use it within the next year, with the top use cases being rule creation, attack simulation and compliance monitoring. C-level and board support is driving generative AI adoption.

Meanwhile, 67% have tested AI for security purposes, and 48% feel either “very” or “reasonably” confident in their organizations’ ability to use AI for security successfully.

What are your desired outcomes when it comes to implementing AI in your security team?

^{(Source: Cloud Security Alliance’s “State of AI and Security Survey Report”, April 2024)}

However, respondents recognize that AI’s power can cut both ways. While 34% said AI will help security teams more than attackers, 31% opined that it will benefit both groups equally. One fourth of respondents view AI as more advantageous for attackers.

When asked about their concerns, respondents cited the quality of the data used to train AI models (38%); the “black box” nature of AI systems (36%); and a lack of staffers skilled on AI system management (33%). Other concerns: hallucinations, privacy violations, data loss and misuse.

Regarding worries that AI will lead to job losses, most cybersecurity pros (88%) are confident that AI tools won't replace them. They see AI as complementing their skills (30%), supporting their roles (28%) and freeing them up for other tasks (24%). 

To get more details, check out the report’s announcement “More Than Half of Organizations Plan to Adopt Artificial Intelligence (AI) Solutions in Coming Year” and the full 33-page report “State of AI and Security Survey Report.”

For more information about how AI can help cybersecurity teams:

• “AI Is About To Take Cybersecurity By Storm” (Tenable)
• “How generative AI will enhance cybersecurity in a zero-trust world” (VentureBeat)
• “Envisioning Cyber Futures with AI” (Aspen Institute)
• “The Real-World Impact of AI on Cybersecurity Professionals” (ISC2)
• “6 ways generative AI chatbots and LLMs can enhance cybersecurity” (CSO)

3 - SANS: 4 Key Trends for CISOs in 2024

CISOs must track myriad new cyberthreats, regulations, technologies and business risks. It’s a challenge to focus on what’s most important. A new SANS Institute white paper aims to help.

Titled "SANS CISO Primer: 4 Cyber Trends That Will Move the Needle in 2024," the 10-page document unpacks these four trends and offers best practices for each:

• The risk and promise of generative AI
• The renewed importance of zero trust
• The importance of securing cloud environments
• The need to manage ever-growing cybersecurity complexity

“There are many topics I could have picked to discuss, but these four cybersecurity trends rise to the top as a result of countless conversations with esteemed CISOs,” wrote the study’s author, James Lyne, in the blog “4 Trends That Will Define the CISO's Role in 2024.”

“I trust that you will find my selections for this year thought-provoking, and that you will be able to go back to your team after reading this paper and add a highlight or priority to produce better risk management and security outcomes,” added Lyne, SANS Institute’s Chief Technology and Innovation Officer.

Here's a brief sampling of SANS Institute’s recommended best practices for each trend.

• Generative AI
  • Establish clear policies and procedures by, for example, defining acceptable use cases, data-handling protocols and risk mitigation strategies.
  • Conduct thorough risk assessments by, for example, evaluating generative AI system risks, and identifying potential threats and vulnerabilities.
  • Implement strong data governance by, for example, validating what data and systems can be used with your AI tools.
• Zero trust
  • Secure your identities by, for example, boosting identity and access management with multi-factor authentication (MFA) and least-privilege access controls.
  • Segment your network into smaller zones to limit the possibility of lateral movement.
  • Continuously monitor user activity, network traffic and endpoint behavior to detect threats
• Cloud security
  • Boost data story via, for example, encrypting data at rest and in transit, adopting rigorous data governance policies and conducting data loss-prevention audits.
  • Automate and enforce compliance of your cloud environments’ configurations with industry standards, and audit for misconfigurations.
  • Require MFA for all cloud accounts and use a centralized identity management system to maintain access control.
• Cybersecurity complexity
  • Simplify your tech stack by eliminating redundant tools and consolidating vendors.
  • Integrate your security tools and platforms so that they share data, giving you a consolidated view of your environment.
  • Eliminate organizational silos and foster collaboration between the cybersecurity team, the IT team and other teams, which enhances risk management.

For more information about important trends for CISOs:

• “What’s important to CISOs in 2024” (PwC)
• “Cybersecurity trends and the evolution of the CISO in 2024” (Security Magazine)
• “Top 3 Priorities for CISOs in 2024” (Dark Reading)
• “A tougher balancing act in 2024, the year of the CISO” (CSO)
• “CISO Planning for 2024 May Struggle When It Comes to AI” (Dark Reading)

4 - Demand for AI, 5G and WiFi skills on the upswing

Oh, my – tech recruiters are all over AI.

Although tech job openings fell slightly in 2024’s first quarter, some tech roles bucked the trend: Jobs that require AI, 5G and WiFi expertise. That’s according to IoT Analytics’ “State of Tech Employment Spring 2024” report, released this week.

Compared with 2023’s fourth quarter, tech job postings dropped 2% in 2024’s first quarter, the seventh consecutive quarter of declines. However, jobs for which candidates need AI expertise grew 4% in the same period, while jobs requiring generative AI skills ballooned 38%.

“Executives are concerned about a labor shortage and skill gap in this area, thus creating the need to upskill existing or future workforces,” IoT Analytics Principal Analyst and report author Philipp Wegner wrote in an article.

Meanwhile, roles requiring 5G expertise grew 13% quarter-on-quarter, while those requiring WiFi expertise were up 2%.

^{(Source: IoT Analytics’ “State of Tech Employment Spring 2024” report, April 2024)}

For more information about the tech jobs market:

• “2024 In-Demand Technology Roles and Hiring Trends” (Robert Half)
• “Will Tech Hiring Surge in 2024? Or Not? Here's New Data” (Hired)
• “The 15 most in-demand tech jobs for 2024 — and how to hire for them” (CIO)

5 - CISA’s new malware analysis tool now generally available

Need suspicious files analyzed? You can now submit them to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which made its Malware Next-Generation Analysis tool available to all organizations this week.

Users from the U.S. federal government and the U.S. military have had access to Malware Next-Generation Analysis since November. About 1,600 suspicious files have been submitted, and about 200 suspicious or malicious files and URLs have been identified and shared with CISA partners.

“All organizations, security researchers and individuals are encouraged to register and submit suspected malware into this new automated system for CISA analysis,” reads CISA’s announcement of Malware Next-Generation Analysis.

Malware Next-Generation Analysis helps CISA’s threat hunters to “better analyze, correlate, enrich data, and share cyber threat insights with partners,” resulting in faster and sharper responses to cyberthreats, CISA Executive Assistant Director for Cybersecurity Eric Goldstein said in the statement.

6 - NSA offers best practices on data security

The U.S. National Security Agency (NSA) published recommendations this week for organizations seeking to better protect their data from breaches, including customer records, proprietary information, employee data and intellectual property.

The NSA’s data security recommendations are organized into seven areas:

• Data catalog risk alignment, in which all of an organization’s data types are identified and inventoried, and their risks are assessed.
• Enterprise data governance, in which policies are established to ensure data is properly controlled, accessed and shared.
• Data labeling and tagging, in which detailed data attributes are integrated into access control systems
• Data monitoring and sensing, in which all data is associated with observable metadata to enable tracking and alerting
• Data encryption and rights management, in which data is automatically encrypted through tagging and labeling to prevent unauthorized access, modifications and redistribution
• Data loss prevention, in which data leakage or loss caused by unauthorized use, exfiltration or destruction is detected and prevented 
• Data access control, in which data is monitored for unauthorized movement, access or alteration

To get more information, check out:

• The NSA announcement “NSA Issues Guidance for Maturing Data Security”
• The NSA cybersecurity information sheet “Advancing Zero Trust Maturity Throughout the Data Pillar”