Cyber Espionage Attack Targets Microsoft Email Accounts

An attack on Microsoft customers perpetrated by a China-based threat actor impacted about 25 organizations, including government agencies, along with a small number of related consumer accounts.


On July 11, Microsoft disclosed that a China-based threat actor accessed customer email accounts using forged authentication tokens. The China-based threat actor (Storm-0558) gained access to the accounts of 25 customers, among them government organizations. Microsoft shared that Storm-0558 is motivated by espionage.

What does this security incident mean for Microsoft’s customers, and how can cyber espionage targets prepare for continued threat actor activity?

Discovery

On June 16, Microsoft launched an investigation into anomalous mail activity in response to customer reports. A Federal Civilian Executive Branch (FCEB) agency had reported suspicious activity in its Microsoft 365 cloud environment to Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA), according to a joint cybersecurity advisory released by CISA and the Federal Bureau of Investigation (FBI).

Microsoft launched its investigation and discovered that Storm-0558 gained access to email accounts of about 25 customers beginning on May 15. Microsoft noted in its blog that the threat actor was also able to access email data of “a small number of related consumer accounts of individuals likely associated with these organizations.”

Storm-0558 forged authentication tokens using an inactive Microsoft account (MSA) consumer signing key it had acquired, and used the forged tokens against both Azure AD enterprise and MSA consumer accounts to access Outlook Web Access and Outlook.com. A consumer signing key should never have been accepted for enterprise tokens; Microsoft's analysis attributes this to a token-validation issue in its code, which the company says it has since corrected. Microsoft is still investigating how the threat actor acquired the key.
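The core of the flaw described above is a verifier that trusts a signing key without checking which issuer that key is allowed to sign for. The following is an added illustration, not Microsoft's code and not a reconstruction of its token service; it uses HMAC-signed JWTs with stdlib only (real identity platforms use asymmetric keys, but the key-scoping logic is the same), and the issuer URLs, key IDs and secrets are made up. `verify_weak` accepts any key in the trust store, so a token for the enterprise issuer signed with the consumer key passes; `verify_strict` binds the `kid` to the expected issuer's key set, pins the algorithm, and checks expiry.

```python
"""Toy JWT verifier showing why signing keys must be bound to their issuer.
Added example, not Microsoft's code. HS256 is used only to stay stdlib-only."""
import base64
import hashlib
import hmac
import json
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# Constructed trust store: two issuers, each with its own key set.
# Issuer URLs, key IDs and secrets are placeholders invented for this example.
CONSUMER_ISS = "https://login.live.example/consumer"
ENTERPRISE_ISS = "https://login.example/enterprise/tenant-a"
TRUSTED_KEYS = {
    CONSUMER_ISS: {"msa-key-2016": b"consumer-secret-0001"},
    ENTERPRISE_ISS: {"aad-key-2023": b"enterprise-secret-0002"},
}


def sign_token(claims: dict, kid: str, secret: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(claims).encode())}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def _parse(token: str):
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s), f"{h}.{p}"


def _mac(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()


def verify_weak(token: str, expected_iss: str) -> bool:
    """Flawed: looks the kid up across ALL issuers' key sets, so a consumer key
    validates a token whose claims say it came from the enterprise issuer."""
    header, claims, sig, signing_input = _parse(token)
    if claims.get("iss") != expected_iss:
        return False
    for keyset in TRUSTED_KEYS.values():
        secret = keyset.get(header.get("kid"))
        if secret and hmac.compare_digest(_mac(secret, signing_input), sig):
            return True
    return False


def verify_strict(token: str, expected_iss: str, now=None) -> bool:
    """Hardened: kid must exist in the expected issuer's own key set; alg pinned; exp checked."""
    header, claims, sig, signing_input = _parse(token)
    if header.get("alg") != "HS256" or claims.get("iss") != expected_iss:
        return False
    secret = TRUSTED_KEYS.get(expected_iss, {}).get(header.get("kid"))
    if secret is None or not hmac.compare_digest(_mac(secret, signing_input), sig):
        return False
    now = time.time() if now is None else now
    return claims.get("exp", 0) > now


def forged_enterprise_token(now: float) -> str:
    """Attacker holding the consumer key forges claims for an enterprise user."""
    claims = {"iss": ENTERPRISE_ISS, "sub": "admin@tenant-a.example", "exp": now + 3600}
    return sign_token(claims, "msa-key-2016", TRUSTED_KEYS[CONSUMER_ISS]["msa-key-2016"])


def legit_enterprise_token(now: float) -> str:
    claims = {"iss": ENTERPRISE_ISS, "sub": "admin@tenant-a.example", "exp": now + 3600}
    return sign_token(claims, "aad-key-2023", TRUSTED_KEYS[ENTERPRISE_ISS]["aad-key-2023"])


if __name__ == "__main__":
    t0 = 1_700_000_000
    forged = forged_enterprise_token(t0)
    print("weak verifier accepts forged token:", verify_weak(forged, ENTERPRISE_ISS))
    print("strict verifier accepts forged token:", verify_strict(forged, ENTERPRISE_ISS, now=t0))
    print("strict verifier accepts legitimate token:", verify_strict(legit_enterprise_token(t0), ENTERPRISE_ISS, now=t0))
```

Note that in the weak path the attacker controls every claim, so `iss` alone proves nothing; only the binding between the issuer and the key that actually produced the signature does. Rotating or revoking the consumer key (as Microsoft did) closes the door after the fact, but the per-issuer key-set lookup is what stops the forgery class in the first place.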

Forged authentication tokens are a sophisticated tactic, often associated with nation-state actors, according to Jonathan Braley, operations manager at the Information Technology-Information Sharing and Analysis Center (IT-ISAC).

Braley points to another example of this tactic used in the service of cyber espionage. “Russian threat actors tracked as APT29 have abused misconfigured Active Directory Certificate Services (AD-CS) certificate templates to impersonate admin users and create additional authentication certificates,” he shares.

Microsoft has observed Storm-0558’s activity in the past and has “moderate confidence” that the group is a China-based threat actor. “In past activity observed by Microsoft, Storm-0558 has primarily targeted US and European diplomatic, economic, and legislative governing bodies, and individuals connected to Taiwan and Uyghur geopolitical interests,” according to the company’s analysis of Storm-0558’s techniques.

Attack Mitigation

Microsoft has stopped Storm-0558 from accessing customers’ email accounts. The company detailed the actions it took to mitigate the attack. It blocked the use of tokens signed with the MSA key acquired by the threat actor and replaced the key to prevent the threat actor from forging tokens. The company also launched automated detections for indicators of compromise associated with Storm-0558’s attack.

“We have continuously improved the security of the MSA key management systems since the acquired MSA key was issued, as part of defense in depth, to ensure the safety and security of consumer keys,” the company shared in its blog.

Microsoft contacted the customers impacted by the attack and gave them information on how to respond. Microsoft customers that have not been contacted have not been impacted by this attack. The company reports that no customer action is required to mitigate the threat actor’s token forgery technique.

“Microsoft dug in deep to piece this all together, and they ultimately shared what they could with the community,” says Charles Carmakal, Mandiant consulting CTO at Google Cloud.

Organizations that have been impacted will likely have to investigate the extent of the breach and monitor their accounts for any suspicious activity. “If any data was compromised, they should assess the potential impact and take appropriate steps, which may include notifying affected parties and working with legal and cybersecurity professionals,” says Craig Jones, vice president of security operations at extended managed detection and response company Ontinue.

The CISA and FBI joint cybersecurity advisory includes logging recommendations to help organizations identify similar malicious activity. The agencies recommend that organizations enable Purview Audit (Premium) logging, enable Microsoft 365 Unified Audit Logging, ensure logs are searchable by operators, and understand their cloud baseline. The affected agency spotted the intrusion through MailItemsAccessed events carrying an AppId and ClientAppId it did not expect, which is why the advisory stresses knowing which applications normally access mail in your tenant.

Access to logging was a key issue in incident response to this attack. Microsoft notified a human rights organization, a customer of security firm Volexity, that it had been compromised in the Storm-0558 breach, but the organization could not find evidence of the compromise in its logs. It held an E3 license; the MailItemsAccessed events that would have shown the access were only available under Purview Audit (Premium), which at the time required paying Microsoft for E5-level licensing.
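The advisory's "understand your cloud baseline" recommendation and the licensing caveat above translate into a concrete hunt: learn which (AppId, ClientAppId) pairs normally read mail in the tenant, then flag MailItemsAccessed records from pairs never seen before, and treat an empty MailItemsAccessed set as a coverage gap rather than a clean result. The script below is an added example, not from CISA, the FBI or Microsoft. The field names follow the Microsoft 365 Unified Audit Log mailbox-audit schema (Operation, AppId, ClientAppId, ClientIPAddress, MailboxOwnerUPN, OperationProperties, Folders); every record value is constructed, and the GUIDs are placeholders, not real or known-bad application IDs.

```python
"""Baseline-then-hunt over Exchange Online MailItemsAccessed audit records.
Added example; all records below are constructed and the GUIDs are placeholders."""
import json
from collections import defaultdict


def _rec(time, user, app, client_app, ip, access, n_items, op="MailItemsAccessed"):
    """Build one constructed audit record in the mailbox-audit JSON shape."""
    return json.dumps({
        "CreationTime": time, "Operation": op, "UserId": user, "MailboxOwnerUPN": user,
        "AppId": app, "ClientAppId": client_app, "ClientIPAddress": ip,
        "OperationProperties": [{"Name": "MailAccessType", "Value": access}],
        "Folders": [{"Path": "\\Inbox",
                     "FolderItems": [{"InternetMessageId": f"<m{i}@example>"} for i in range(n_items)]}],
    })


# Placeholder application identifiers for this example (NOT real GUIDs).
OUTLOOK_WEB = "11111111-0000-0000-0000-000000000001"
OUTLOOK_DESKTOP = "11111111-0000-0000-0000-000000000002"
UNSEEN_APP = "99999999-0000-0000-0000-000000000009"

# Constructed logs: a baseline window of normal mail access, then the hunt window.
BASELINE_LOG = [
    _rec("2023-04-20T08:01:00", "alice@agency.example", OUTLOOK_WEB, OUTLOOK_WEB, "198.51.100.10", "Bind", 3),
    _rec("2023-04-21T09:15:00", "bob@agency.example", OUTLOOK_DESKTOP, OUTLOOK_DESKTOP, "198.51.100.11", "Sync", 40),
    _rec("2023-05-01T10:00:00", "alice@agency.example", OUTLOOK_DESKTOP, OUTLOOK_DESKTOP, "198.51.100.10", "Sync", 25),
]
HUNT_LOG = [
    _rec("2023-05-16T02:10:00", "alice@agency.example", OUTLOOK_WEB, OUTLOOK_WEB, "198.51.100.10", "Bind", 2),
    _rec("2023-05-16T02:12:00", "alice@agency.example", OUTLOOK_WEB, UNSEEN_APP, "203.0.113.77", "Bind", 120),
    _rec("2023-05-17T03:40:00", "bob@agency.example", OUTLOOK_WEB, UNSEEN_APP, "203.0.113.77", "Bind", 95),
    _rec("2023-05-17T09:00:00", "bob@agency.example", OUTLOOK_DESKTOP, OUTLOOK_DESKTOP, "198.51.100.11", "Sync", 30, op="Send"),
]


def parse_mail_access(lines):
    """Keep only MailItemsAccessed records and flatten the fields the hunt needs."""
    records = []
    for line in lines:
        r = json.loads(line)
        if r.get("Operation") != "MailItemsAccessed":
            continue
        props = {p["Name"]: p["Value"] for p in r.get("OperationProperties", [])}
        records.append({
            "time": r["CreationTime"], "user": r["MailboxOwnerUPN"],
            "app_pair": (r.get("AppId"), r.get("ClientAppId")),
            "ip": r.get("ClientIPAddress"), "access": props.get("MailAccessType"),
            "items": sum(len(f.get("FolderItems", [])) for f in r.get("Folders", [])),
        })
    return records


def build_baseline(records):
    """Known-good (AppId, ClientAppId) pairs observed during the baseline window."""
    return {r["app_pair"] for r in records}


def hunt(records, baseline):
    """Flag MailItemsAccessed records whose app pair never appeared in the baseline."""
    return [r for r in records if r["app_pair"] not in baseline]


def coverage_check(records):
    """The E3 caveat: no MailItemsAccessed events is a logging gap, not evidence of no access."""
    if not records:
        return ("no MailItemsAccessed events found: confirm Purview Audit (Premium) and mailbox "
                "auditing are enabled before concluding there was no access")
    return f"{len(records)} MailItemsAccessed events available"


def summarize(findings):
    """Group findings by (ClientAppId, source IP): items touched and mailboxes hit."""
    summary = defaultdict(lambda: {"items": 0, "users": set()})
    for f in findings:
        key = (f["app_pair"][1], f["ip"])
        summary[key]["items"] += f["items"]
        summary[key]["users"].add(f["user"])
    return {k: {"items": v["items"], "users": sorted(v["users"])} for k, v in summary.items()}


if __name__ == "__main__":
    baseline = build_baseline(parse_mail_access(BASELINE_LOG))
    hunt_records = parse_mail_access(HUNT_LOG)
    print(coverage_check(hunt_records))
    for key, v in summarize(hunt(hunt_records, baseline)).items():
        print(f"unseen ClientAppId {key[0]} from {key[1]}: {v['items']} items across {v['users']}")
```

The baseline must come from a window you trust; here it predates the May 15 start of the activity described in the article. In a real tenant, exported Unified Audit Log JSON drops in where the constructed lists are, and the summary by ClientAppId and source IP is what you hand to the team scoping which mailboxes were read.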

“As cyberattacks become more advanced, I foresee cloud service providers having to rethink their pricing models when it comes to certain security features, particularly logs,” says Teresa Rothaar, a governance, risk, and compliance analyst at passwords and secrets management company Keeper Security.
