Microsoft Bug Allowed Hackers to Breach Over Two Dozen Organizations via Forged Azure AD Tokens

July 15, 2023 | THN | Cyber Attack / Enterprise Security


Microsoft announced on Friday that a validation error in its code allowed a malicious actor known as Storm-0558 to forge Azure Active Directory (Azure AD) tokens using a Microsoft Account (MSA) consumer signing key, and that the actor was able to infiltrate the organizations of

“Storm-0558 obtained an inactive MSA consumer signing key and used it to forge authentication tokens for Azure AD enterprise and MSA consumer access to OWA and Outlook.com,” the tech giant said in a detailed analysis of the campaign. “We are currently investigating how the attacker obtained the key.”

“The key was intended only for MSA accounts, but a validation issue allowed this key to be trusted to sign Azure AD tokens. This issue has been fixed.”
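The validation issue described above is a key-scoping failure: a signing key that belonged to one issuer (the consumer MSA service) was accepted when validating tokens that claimed to come from another issuer (an Azure AD enterprise tenant). The following is an added example, written for this page and not Microsoft's code, that models that class of flaw in miniature. The issuers, key IDs, key material and audience are all assumptions; real Microsoft tokens are signed with asymmetric keys published through each issuer's JWKS endpoint, whereas HS256 is used here only to keep the example dependency-free. The point being modelled is the key lookup: the flawed verifier pools every trusted issuer's keys and picks one by `kid` alone, while the hardened verifier first resolves the key set for the issuer the token claims and only then looks up the `kid` inside it.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed issuers and key sets (assumptions for this example). Real tokens use
# asymmetric signing keys published through each issuer's JWKS endpoint; HMAC keeps
# the example dependency-free, and the key lookup is the part being modelled.
MSA_ISSUER = "https://login.live.com"                      # consumer (MSA) tokens
AAD_ISSUER = "https://login.microsoftonline.com/contoso"   # enterprise (Azure AD) tokens
EXPECTED_AUDIENCE = "https://outlook.office.example"

KEY_SETS = {
    MSA_ISSUER: {"msa-key-1": b"consumer-signing-key-material"},
    AAD_ISSUER: {"aad-key-7": b"enterprise-signing-key-material"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(kid: str, key: bytes, claims: dict) -> str:
    """Mint a compact JWS (JWT) signed with HS256 under the given key id."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _parse(token: str):
    h, p, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), s, h + "." + p


def _signature_ok(key: bytes, signing_input: str, sig: str) -> bool:
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig))


def _claims_ok(claims: dict, now: float) -> bool:
    return claims.get("aud") == EXPECTED_AUDIENCE and claims.get("exp", 0) > now


def verify_flawed(token: str, now=None):
    """Flawed verifier: pools every trusted issuer's keys and selects by kid alone,
    so a token signed with the consumer key validates as an enterprise token."""
    header, claims, sig, signing_input = _parse(token)
    if header.get("alg") != "HS256":          # never let the token pick the algorithm
        return None
    pool = {kid: key for keys in KEY_SETS.values() for kid, key in keys.items()}
    key = pool.get(header.get("kid"))
    if key is None or not _signature_ok(key, signing_input, sig):
        return None
    return claims if _claims_ok(claims, now or time.time()) else None


def verify_scoped(token: str, now=None):
    """Hardened verifier: resolves the key from the key set of the issuer the token
    claims, so a key belonging to a different issuer can never validate it."""
    header, claims, sig, signing_input = _parse(token)
    if header.get("alg") != "HS256":
        return None
    keys = KEY_SETS.get(claims.get("iss"))    # unknown issuer -> no keys -> reject
    key = keys.get(header.get("kid")) if keys else None
    if key is None or not _signature_ok(key, signing_input, sig):
        return None
    return claims if _claims_ok(claims, now or time.time()) else None


def forged_enterprise_token(now=None) -> str:
    """Claims to be an Azure AD token but is signed with the MSA consumer key."""
    now = now or time.time()
    claims = {"iss": AAD_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "victim@contoso.example",
              "exp": int(now) + 3600}
    return sign("msa-key-1", KEY_SETS[MSA_ISSUER]["msa-key-1"], claims)


def legitimate_enterprise_token(now=None) -> str:
    """Signed with the enterprise key that actually belongs to the claimed issuer."""
    now = now or time.time()
    claims = {"iss": AAD_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "alice@contoso.example",
              "exp": int(now) + 3600}
    return sign("aad-key-7", KEY_SETS[AAD_ISSUER]["aad-key-7"], claims)


if __name__ == "__main__":
    forged = forged_enterprise_token()
    print("flawed verifier accepts forged token:", verify_flawed(forged) is not None)   # True
    print("scoped verifier accepts forged token:", verify_scoped(forged) is not None)   # False
```

The practical check this suggests for anyone operating a token-validating service: key material must be bound to the issuer that published it, and the verifier must refuse to consult any other issuer's keys for a token, regardless of whether a `kid` happens to match. Audience and expiry checks alone do not help here, because the forged token carries perfectly valid-looking claims.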

It’s not immediately clear if the token validation issue was exploited as a “zero-day vulnerability” or if Microsoft was already aware of the issue before it was actually exploited.

The attack targeted approximately 25 organizations, including government agencies and associated consumer accounts, to gain unauthorized email access and exfiltrate mailbox data. Other environments are not believed to be affected.

The exact scope of the breach remains unknown, but the China-based attackers appear to have been conducting the intrusions in search of sensitive information and went unnoticed for at least a month before being discovered in June 2023, making this the latest example of a stealthy intelligence operation carried out without drawing attention.

The company was informed of the incident after the US State Department detected unusual email activity related to Exchange Online data access. Storm-0558 is assessed to be a China-based actor whose malicious cyber activity is consistent with espionage, although China denies the allegations.

The group's primary targets include US and European diplomatic, economic and legislative bodies, individuals associated with Taiwanese and Uyghur geopolitical interests, media companies, think tanks, and telecommunications equipment and service providers.

Active since at least August 2021, the group is said to have orchestrated credential harvesting, phishing campaigns, and OAuth token attacks targeting Microsoft accounts to achieve its goals.

“Storm-0558 operates with a high degree of technical proficiency and operational security,” Microsoft said, adding that the actor is well-resourced and has a deep understanding of a wide variety of authentication technologies and applications.


“Attackers are acutely aware of their target environments, logging policies, authentication requirements, policies and procedures.”

Initial access to target networks was achieved through phishing and the exploitation of security flaws in public-facing applications, leading to the deployment of the China Chopper web shell for backdoor access and a tool called Cigril to facilitate credential theft.

Storm-0558 also uses PowerShell and Python scripts that make Outlook Web Access (OWA) API calls to extract email data such as attachments, folder information, and entire conversations.
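Scripted mailbox collection of the kind described above leaves a recognisable shape in mailbox audit data: one client address and application touching many different mailboxes in a short span, which is exactly the kind of unusual Exchange Online access the State Department is reported to have noticed. The following is an added detection example, written for this page rather than taken from Microsoft or the article. The log lines are constructed, and the field names are a simplified model of Exchange Online mailbox-audit events; the window and mailbox threshold are assumptions to tune against your own tenant's baseline.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real telemetry. The field names are a simplified
# model of Exchange Online mailbox-audit events (an assumption for this example).
SAMPLE_LOG = """
{"CreationTime": "2023-06-15T08:00:00", "Operation": "MailItemsAccessed", "UserId": "alice@contoso.example", "ClientIP": "198.51.100.20", "AppId": "app-outlook-desktop"}
{"CreationTime": "2023-06-15T08:05:00", "Operation": "MailItemsAccessed", "UserId": "bob@contoso.example", "ClientIP": "198.51.100.21", "AppId": "app-outlook-desktop"}
{"CreationTime": "2023-06-15T08:10:00", "Operation": "MailItemsAccessed", "UserId": "envoy1@contoso.example", "ClientIP": "203.0.113.10", "AppId": "app-owa-script"}
{"CreationTime": "2023-06-15T08:14:00", "Operation": "Send", "UserId": "envoy1@contoso.example", "ClientIP": "203.0.113.10", "AppId": "app-owa-script"}
{"CreationTime": "2023-06-15T08:19:00", "Operation": "MailItemsAccessed", "UserId": "envoy2@contoso.example", "ClientIP": "203.0.113.10", "AppId": "app-owa-script"}
{"CreationTime": "2023-06-15T08:27:00", "Operation": "MailItemsAccessed", "UserId": "envoy3@contoso.example", "ClientIP": "203.0.113.10", "AppId": "app-owa-script"}
{"CreationTime": "2023-06-15T09:30:00", "Operation": "MailItemsAccessed", "UserId": "shared-inbox@contoso.example", "ClientIP": "198.51.100.20", "AppId": "app-outlook-desktop"}
{"CreationTime": "2023-06-15T12:00:00", "Operation": "MailItemsAccessed", "UserId": "envoy4@contoso.example", "ClientIP": "203.0.113.10", "AppId": "app-owa-script"}
"""

WINDOW = timedelta(minutes=60)   # assumption: look for mailbox fan-out within one hour
MAILBOX_THRESHOLD = 3            # assumption: distinct mailboxes per client that trips an alert


def parse_records(text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_bulk_mailbox_access(records, window=WINDOW, threshold=MAILBOX_THRESHOLD):
    """Group MailItemsAccessed events by (client IP, app) and raise one alert per client
    whose accesses cover >= threshold distinct mailboxes inside a sliding time window."""
    hits = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["CreationTime"]):
        if rec["Operation"] != "MailItemsAccessed":
            continue                                  # only mailbox reads matter here
        key = (rec["ClientIP"], rec["AppId"])
        hits[key].append((datetime.fromisoformat(rec["CreationTime"]), rec["UserId"]))

    alerts = []
    for (client_ip, app_id), events in hits.items():
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            mailboxes = {user for _, user in events[start:end + 1]}
            if len(mailboxes) >= threshold:
                alerts.append({
                    "client_ip": client_ip,
                    "app_id": app_id,
                    "mailboxes": sorted(mailboxes),
                    "first_seen": events[start][0].isoformat(),
                    "last_seen": events[end][0].isoformat(),
                })
                break                                 # one alert per client is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_bulk_mailbox_access(parse_records(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

In the constructed data only the `203.0.113.10` client trips the rule: it reads three different mailboxes in 17 minutes, while the shared-mailbox reader at `198.51.100.20` touches two mailboxes 90 minutes apart and stays below both the window and the threshold. The rule depends on mailbox-level audit records being available to the tenant at all, which is the point of the licensing criticism discussed later in this article.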


Since the campaign was discovered on June 16, 2023, Microsoft has “identified the root cause, established persistent tracking of the campaign, stopped malicious activity, hardened the environment, notified all affected customers, and coordinated with multiple government agencies.” It also said the issue had been mitigated “on behalf of our customers” as of June 26, 2023.

The disclosure comes amid criticism that Microsoft gated its forensic capabilities behind an additional licensing tier, which prevented customers from accessing the detailed audit logs that could have aided incident analysis.

Senator Ron Wyden said, “Charging for premium features that you need to stay unhacked is like selling your car and then charging extra for seatbelts and airbags.”

The disclosure also comes as the UK Parliament’s Intelligence and Security Committee (ISC) released a detailed report on China, highlighting the country’s “highly effective cyber espionage capabilities” and its ability to penetrate a diverse range of foreign government and private-sector IT systems.
