Cyberveille curated by Decio
3 results tagged password-spray
Hide Your RDP: Password Spray Leads to RansomHub Deployment https://thedfirreport.com/2025/06/30/hide-your-rdp-password-spray-leads-to-ransomhub-deployment/
30/06/2025 06:47:21
  • Initial access was via a password spray attack against an exposed RDP server, targeting numerous accounts over a four-hour period.
  • Mimikatz and Nirsoft were used to harvest credentials, with evidence of LSASS memory access.
  • Discovery was accomplished using living-off-the-land binaries as well as Advanced IP Scanner and NetScan.
  • Rclone was used to exfiltrate data to a remote server using SFTP.
  • The threat actor deployed RansomHub ransomware network wide, which spread over SMB and was executed using remote services.
thedfirreport EN 2025 incident-response report RDP password-spray RansomHub
Key Lesson from Microsoft's Password Spray Hack: Secure Every Account https://thehackernews.com/2024/03/key-lesson-from-microsofts-password.html
30/03/2024 17:26:24

In January 2024, Microsoft discovered they'd been the victim of a hack orchestrated by Russian-state hackers Midnight Blizzard (sometimes known as Nobelium). The concerning detail about this case is how easy it was to breach the software giant. It wasn't a highly technical hack that exploited a zero-day vulnerability – the hackers used a simple password spray attack to take control of an old, inactive account. This serves as a stark reminder of the importance of password security and why organizations need to protect every user account.

thehackernews EN 2024 Microsoft MidnightBlizzard lesson-learned password-spray
Microsoft network breached through password-spraying by Russian-state hackers https://arstechnica.com/security/2024/01/microsoft-network-breached-through-password-spraying-by-russian-state-hackers/
20/01/2024 10:03:08

Senior execs' emails accessed in network breach that wasn't caught for 2 months.

arstechnica en 2024 Microsoft email theft Russia APT29 breached password-spray