Cyberspies Used Forged Authentication Tokens to Hack Government Emails

vtqhtr413

Level 26
Thread author
Verified
Top Poster
Well-known
Aug 17, 2017
1,418
Microsoft reported on Tuesday that a Chinese cyberespionage group it tracks as Storm-0558 was recently spotted using forged authentication tokens to hack government email accounts. According to the tech giant, the hackers gained access to the email accounts of roughly 25 organizations, including government agencies and consumer accounts belonging to individuals associated with the targeted entities.

Microsoft’s investigation showed that the threat actor forged authentication tokens to gain access to customer email accounts using Outlook Web Access in Exchange Online (OWA) and Outlook.com. Specifically, the attackers used a Microsoft account (MSA) consumer signing key to forge the tokens.

“MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems,” Microsoft explained. “The actor exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail. We have no indications that Azure AD keys or any other MSA keys were used by this actor.”

The company pointed out that only OWA and Outlook.com were targeted using forged authentication tokens.

Microsoft said it became aware of the attacks on June 16 and an investigation showed that the activity began one month earlier.
Second source
 
Last edited:

vtqhtr413

Level 26
Thread author
Verified
Top Poster
Well-known
Aug 17, 2017
1,418
Microsoft was tipped off on the existence of Storm-0558’s latest campaign by none other than the US State Department, whose emails were allegedly accessed by the Chinese threat actor.

"In June 2023, a Federal Civilian Executive Branch (FCEB) agency identified suspicious activity in their Microsoft 365 (M365) cloud environment," a joint cybersecurity advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) says. "Microsoft determined that advanced persistent threat (APT) actors accessed and exfiltrated unclassified Exchange Online Outlook data.
 

vtqhtr413

Level 26
Thread author
Verified
Top Poster
Well-known
Aug 17, 2017
1,418
Microsoft is providing new details about the techniques used by a Chinese hacking group to infiltrate the email accounts of an estimated 25 organizations and government agencies, reportedly including the account of U.S. Commerce Secretary Gina Raimondo. The new analysis, published Friday, includes new information about two flaws in Microsoft’s own systems and code that, unbeknownst to the company at the time, helped to open the door to the hackers.

Microsoft says it has fixed both of the problems, effectively blocked the group’s efforts to maintain ongoing access to the accounts, and taken steps to prevent such situations in the future. However, the company is facing growing scrutiny from the Biden administration over the incident. Meanwhile, Microsoft rival Google is seizing on the hack to make the case that the U.S. government should further diversify its pool of productivity software vendors.
 

vtqhtr413

Level 26
Thread author
Verified
Top Poster
Well-known
Aug 17, 2017
1,418
"In a follow-up blog post, Microsoft offered some more details about how this group, known as Storm-0558, managed to gain access to these accounts using the company's online system. Microsoft stated:
Storm-0558 acquired an inactive MSA consumer signing key and used it to forge authentication tokens for Azure AD enterprise and MSA consumer to access OWA and Outlook.com. All MSA keys active prior to the incident – including the actor-acquired MSA signing key – have been invalidated. Azure AD keys were not impacted. The method by which the actor acquired the key is a matter of ongoing investigation. Though the key was intended only for MSA accounts, a validation issue allowed this key to be trusted for signing Azure AD tokens. This issue has been corrected.
Microsoft says no action is needed from its Outlook web customers as it claims "all actor activity related to this incident has been blocked." It added that it will "continue to monitor Storm-0558 activity and implement protections for our customers".
 

vtqhtr413

Level 26
Thread author
Verified
Top Poster
Well-known
Aug 17, 2017
1,418
The recently discovered Chinese cyber-espionage campaign against key endpoints in the West continues to send out ripples through the cybersecurity world, as Microsoft announces plans to offer some of its tools for free. A report by the Wall Street Journal claims the Redmond giant is planning on offering some security tools for free, including those that were used by the State Department to spot the intrusion in the first place. This follows a June 2023 incident where the US State Department informed Microsoft of an intrusion in its email inbox.
 

vtqhtr413

Level 26
Thread author
Verified
Top Poster
Well-known
Aug 17, 2017
1,418
Actually, two things went badly wrong here. The first is that Azure accepted an expired signing key, implying a vulnerability in whatever is supposed to check key validity. The second is that this key was supposed to remain in the the system’s Hardware Security Module—and not be in software. This implies a really serious breach of good security practice. The fact that Microsoft has not been forthcoming about the details of what happened tell me that the details are really bad.

I believe this all traces back to SolarWinds. In addition to Russia inserting malware into a SolarWinds update, China used a different SolarWinds vulnerability to break into networks. We know that Russia accessed Microsoft source code in that attack. I have heard from informed government officials that China used their SolarWinds vulnerability to break into Microsoft and access source code, including Azure’s.

I think we are grossly underestimating the long-term results of the SolarWinds attacks. That backdoored update was downloaded by over 14,000 networks worldwide. Organizations patched their networks, but not before Russia—and others—used the vulnerability to enter those networks. And once someone is in a network, it’s really hard to be sure that you’ve kicked them out.
 

vtqhtr413

Level 26
Thread author
Verified
Top Poster
Well-known
Aug 17, 2017
1,418

Microsoft responds to Tenable criticism of its infosec practices​

As part of preparing security fixes, we follow an extensive process involving thorough investigation, update development, and compatibility testing. Ultimately, developing a security update is a delicate balance between speed and safety of applying the fix and quality of the fix. Moving too quickly could result in more customer disruption (in terms of availability) than the risk customers bear from an embargoed security vulnerability. The purpose of an embargo period is to provide time for a quality fix. Not all fixes are equal. Some can be completed and safely applied very quickly, others can take longer. In order to protect our customers from an exploit of an embargoed security vulnerability, we also start to monitor any reported security vulnerability of active exploitation and move swiftly if we see any active exploit.

As both a service provider and a security company, Microsoft appreciates being part of an ecosystem of organizations focused on protecting customers as the highest priority over all other goals. Microsoft also appreciates the security community’s research and disclosure of vulnerabilities. Responsible research and mitigation are critical for safeguarding our customers and this comes with a shared responsibility to be factual, understand processes and work together. Any deviation from this process puts customers and our communities at undue security risk. As always, Microsoft’s top priority is to protect and be transparent with our customers and we remain steadfast in our mission.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top