Over 21 Million User Records from Microsoft for Sale on Cybercrime Forum

Summary

A post on a cybercrime forum advertising 21 million Microsoft user records coincides with the company's latest advisory on a Cosmos DB vulnerability.
Category: Adversary Intelligence
Affected Industries: IT and Security
Affected Region: Global
Source*: F5
TLP#: GREEN
Reference: * https://en.wikipedia.org/wiki/Intelligence_source_and_information_reliability  # https://en.wikipedia.org/wiki/Traffic_Light_Protocol
 

Executive Summary

        • CloudSEK’s Threat Intelligence Research team discovered a post on a cybercrime forum, advertising 21 million user records of Microsoft.
        • Our researchers suspect that this incident may be related to Microsoft’s latest advisory, which warns customers about a newly discovered vulnerability in its Cosmos DB service.
        • CloudSEK’s Threat Intelligence Research team is validating the authenticity of this post.
      [Figure: Threat actor’s post on the cybercrime forum]

      Analysis and Attribution

      On 20 August 2021, a threat actor published a post on a cybercrime forum claiming to have cracked 21 million Microsoft user accounts. Although the actor has not shared samples to substantiate their claim, they have described the process by which the data was obtained.   
      The Process
        • The actor states that, during a system upgrade, Microsoft saved user data to temporary cloud storage.
        • The actor claims to have gained access to this ‘temporary’ cloud database, to have obtained a hex-encoded cookie from it, and to have decoded (‘cracked’) the cookie using a publicly available, legitimate online service.
        • After these two steps, the actor claims to have had access to information about the affected machine, including the files and documents on it.
        • The actor also claims to have access to a browsing database containing the following data fields:
          • Website
          • Username
          • Password
      Information from Comments
      In the comments on this thread, another threat actor shared a sample of the above-mentioned database, which they said they had received from the original actor via Telegram. The sample contains the following fields:
          • Host name
          • Creation date, last access date, and expiry date
          • Path
      These are the fields of a browser cookie store (the host, the path, and the cookie’s own timestamps) rather than those of an account record. This is consistent with the actor’s reference to a cookie, but it does not by itself substantiate the claim of 21 million Microsoft user accounts.
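      Treating the shared sample as a browser cookie-store export, the following added Python example (not code or data from the advisory or from CloudSEK) shows one way to triage such a sample before treating it as evidence: it recognises the Chromium and Firefox cookie-table layouts, normalises their differing timestamp encodings, and counts how many rows are internally consistent, were created inside the period the seller claims, and belong to the claimed target’s domains. The sample rows, the claim window and the domain list are constructed assumptions; the actual sample is not reproduced on this page.

```python
"""Triage a purported browser cookie-store sample (added example, not the
advisory's own code or data).

The sample posted in the thread is not reproduced on the page, so the rows
below are CONSTRUCTED. The working assumption is that the reported fields
(host name, creation date, last access date, expiry date, path) are the
columns of a browser cookie store; the two layouts and their timestamp
encodings follow Chromium's `cookies` table and Firefox's `moz_cookies`
table, not anything stated in the advisory.
"""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)  # Chromium: microseconds since 1601-01-01
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=UTC)    # Firefox: Unix epoch

# Column names for each store and the encoding of each timestamp column.
SCHEMAS = {
    "chromium": {"host": "host_key", "path": "path",
                 "created": ("creation_utc", "webkit_us"),
                 "accessed": ("last_access_utc", "webkit_us"),
                 "expires": ("expires_utc", "webkit_us")},
    "firefox": {"host": "host", "path": "path",
                "created": ("creationTime", "unix_us"),
                "accessed": ("lastAccessed", "unix_us"),
                "expires": ("expiry", "unix_s")},
}
CONVERTERS = {
    "webkit_us": lambda v: WEBKIT_EPOCH + timedelta(microseconds=v),
    "unix_us": lambda v: UNIX_EPOCH + timedelta(microseconds=v),
    "unix_s": lambda v: UNIX_EPOCH + timedelta(seconds=v),
}


def detect_schema(header):
    """Return the store whose required column names all appear in the header."""
    cols = set(header)
    for name, s in SCHEMAS.items():
        needed = {s["host"], s["path"], s["created"][0], s["accessed"][0], s["expires"][0]}
        if needed <= cols:
            return name
    return None


def parse_sample(text):
    """Parse a tab-separated dump into (schema, rows) with UTC datetimes.
    A zero expiry denotes a session cookie and is kept as None."""
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    header = lines[0].split("\t")
    schema = detect_schema(header)
    if schema is None:
        raise ValueError("columns do not match a known cookie store: %r" % header)
    s = SCHEMAS[schema]
    rows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split("\t")))
        row = {"host": rec[s["host"]], "path": rec[s["path"]]}
        for key in ("created", "accessed", "expires"):
            col, enc = s[key]
            raw = int(rec[col])
            row[key] = None if (key == "expires" and raw == 0) else CONVERTERS[enc](raw)
        rows.append(row)
    return schema, rows


def assess(rows, claimed_window, target_suffixes):
    """Count rows that are internally consistent (created <= accessed, expiry not
    before creation), created inside the claimed period, scoped to the claimed
    target's domains, or session cookies."""
    start, end = claimed_window
    report = {"rows": len(rows), "consistent": 0, "in_window": 0,
              "target_hosts": 0, "session_cookies": 0}
    for r in rows:
        consistent = r["created"] <= r["accessed"] and (
            r["expires"] is None or r["expires"] >= r["created"])
        host = r["host"].lstrip(".")
        on_target = any(host == d or host.endswith("." + d) for d in target_suffixes)
        report["consistent"] += int(consistent)
        report["in_window"] += int(start <= r["created"] <= end)
        report["target_hosts"] += int(on_target)
        report["session_cookies"] += int(r["expires"] is None)
    return report


# CONSTRUCTED sample in Chromium layout. The third row is deliberately bad:
# last access precedes creation, and creation falls after the 20 Aug 2021 post.
CHROMIUM_SAMPLE = """host_key\tpath\tcreation_utc\tlast_access_utc\texpires_utc
.login.live.com\t/\t13272473600000000\t13273000000000000\t13306009600000000
.example.org\t/app\t13270000000000000\t13271000000000000\t0
login.microsoft.com\t/common\t13274000000000000\t13273900000000000\t13305000000000000
"""
# The same first cookie in Firefox layout (Unix microseconds / Unix seconds).
FIREFOX_SAMPLE = """host\tpath\tcreationTime\tlastAccessed\texpiry
.login.live.com\t/\t1628000000000000\t1628526400000000\t1661536000
"""
# Assumed claim period: a "system upgrade" some weeks before the post date.
CLAIMED_WINDOW = (datetime(2021, 7, 1, tzinfo=UTC),
                  datetime(2021, 8, 20, 23, 59, 59, tzinfo=UTC))
TARGET_SUFFIXES = ("live.com", "microsoft.com")  # illustrative Microsoft domains

if __name__ == "__main__":
    schema, rows = parse_sample(CHROMIUM_SAMPLE)
    print(schema, assess(rows, CLAIMED_WINDOW, TARGET_SUFFIXES))
```

      The point of normalising both layouts to one representation is that a seller’s screenshot rarely says which browser the data came from; a creation timestamp that decodes to a date after the forum post, or a last-access time earlier than creation, is a cheap way to discount a sample before spending analyst time on it.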
       
      Possible Connections
      This post appeared shortly after an advisory from Microsoft asking customers to act on a vulnerability discovered in its Cosmos DB cloud database service. However, since the original actor has provided no samples and has not named the vulnerability or the technology involved, our researchers assess with low confidence that the two events are linked.

      Impact & Mitigation

      Impact
      • The data advertised in the post includes users’ PII, which threat actors could use for:
        • Social engineering attacks
        • Phishing attacks
        • Identity theft
      • Information gathering against targeted Cosmos DB accounts.
      • Retrieval of a Cosmos DB account’s credential key, leading to account takeover.
      • Loss of data integrity through unauthorized modification, and loss of confidentiality through data exfiltration.

      References 

      https://mobile.reuters.com/article/amp/idUSL1N2PX2W7?__twitter_impression=true
