How Did Hackers Breach Microsoft’s Security, Create Millions of Fake Accounts?

This file photo from April 12, 2016, shows the Microsoft logo in Issy-les-Moulineaux, outside Paris, France. (AP Photo/Michel Euler, File)

The trustworthiness of the online authentication systems used to verify whether a user is human is currently under scrutiny. Microsoft recently uncovered a group of cyber criminals in a major development that exposed the weakness of the widely used authentication technique known as “Captcha”.

Microsoft uncovered a group of hackers, "Storm-1152", that sold 750 million fake Microsoft accounts which enabled cyber criminals to execute their online attacks.

- The beginning

Storm-1152 is a group of cyber hackers that operates from Vietnam. It managed to overcome all the authentication requirements for creating a Microsoft account.

The group initially targeted the Captcha technique, a widely used window that asks a user to type a series of letters or numbers, or to click on parts of a picture depicting buses or stairs, to verify that they are human, not bots.

But this authentication method is becoming less efficient, as Storm-1152 found a way to deceive it and create millions of fake accounts.

The hackers used “machine learning” to train their custom tool to click in the right place on the verification pictures, explained François Deruty, an expert at the cybersecurity firm Sekoia.

Then, the Storm-1152 hackers sold these fake accounts on a website for actors planning attacks, such as phishing emails and ransomware, according to Deruty.

- Famous group

The Vietnamese group is well known. While other countries like China, Iran, Russia and North Korea make the headlines in most news about cybersecurity attacks, Vietnam, like India and Türkiye, has many hacking groups that make progress every year, added Deruty.

Microsoft has blocked part of the group's websites on US territory following a federal ruling that approved the closure of the servers that the group breached. “They definitely have other websites somewhere else, and international collaboration is needed to shut them down,” the expert noted.

- Defenses against techniques used by cybercriminals

There are newer techniques such as multifactor authentication, which uses codes sent via SMS, for example, but it is only a matter of time before the hackers figure out its vulnerabilities.

Other methods include security keys, such as those provided by banks for better security, but rolling out these newer methods requires more time and money, while Microsoft still keeps the old versions of its different programs.



Microsoft Server Hack Has Now Hit 400 Victims, Researchers Say

A view shows the Microsoft logo on the day of the Hannover Messe, one of the world's largest industrial trade fairs with this year's partner country being Canada, as both Canada and the European Union face new US tariffs, in Hanover, Germany, March 31, 2025. (Reuters)

A sweeping cyber-espionage campaign centered on vulnerable versions of Microsoft's server software has now claimed about 400 victims, according to researchers at Netherlands-based Eye Security.

The figure, which is derived from a count of digital artifacts discovered during scans of servers running vulnerable versions of Microsoft's SharePoint software, compares to 100 organizations cataloged over the weekend. Eye Security says the figure is likely an undercount, Reuters reported.

"There are many more, because not all attack vectors have left artifacts that we could scan for," said Vaisha Bernard, the chief hacker for Eye Security, which was among the first organizations to flag the breaches, Reuters reported.

The spy campaign began after Microsoft failed to fully patch a security hole in its SharePoint server software, setting off a scramble to fix the vulnerability once it was discovered. Microsoft and its tech rival, Google owner Alphabet, have both said Chinese hackers are among those taking advantage of the flaw. Beijing has denied the claim.

The details of most of the victim organizations have not yet been fully disclosed. Bernard declined to identify them.