uTalk

Using a Microsoft account (MSA) consumer signing key to compromise two dozen organizations, Storm-0558, a malicious actor, was able to forge Azure Active Directory (Azure AD) tokens thanks to a validation error in Microsoft's source code, the company said on Friday.

In a more detailed analysis of the campaign, the tech giant stated that "Storm-0558 acquired an inactive MSA consumer signing key and used it to forge authentication tokens for Azure AD enterprise and MSA consumer to access OWA and Outlook.com.". "We're still looking into how the actor got his hands on the key. ".

"Although the key was only meant for MSA accounts, a validation error made it possible to trust this key for signing Azure AD tokens. This problem has been fixed. ".

It's not immediately clear if the token validation flaw was used as a "zero-day vulnerability" or if Microsoft was already aware of the issue before it was abused in the wild.

Approximately 25 organizations, including government agencies and connected consumer accounts, were singled out by the attacks in order to obtain unauthorized email access and exfiltrate mailbox data. There is no claim that any other environment has been affected.

After the U.S. S. Anomaly in emails related to Exchange Online data access was discovered by the State Department. Storm-0558 is thought to be a threat actor with a Chinese base who engages in nefarious cyber activities that are consistent with espionage, though China has denied the accusations.

The U.
is one of the hacking group's main targets. S. and European diplomatic, economic, and legislative governing bodies, as well as people with ties to Taiwanese and Uyghur geopolitical interests, as well as media outlets, think tanks, and suppliers of telecommunications equipment and services.

According to reports, it has been operating since at least August 2021, orchestrating attacks on Microsoft accounts using OAuth tokens, phishing campaigns, and credential harvesting.

Microsoft described Storm-0558 as technically skilled, well-resourced, and possessing a keen understanding of various authentication techniques and applications. It stated that it operates with a high degree of technical tradecraft and operational security.

Microsoft.

The actors are well-versed in the environment, logging policies, authentication requirements, policies, and procedures of the target. ".

Phishing is used to gain initial access to target networks, and after exploiting security holes in publicly accessible applications, the China Chopper web shell for backdoor access and the Cigril tool for credential theft are deployed.

PowerShell and Python scripts are also used by Storm-0558 to extract email data from Outlook Web Access (OWA) API calls, including attachments, folder information, and entire conversations.

Microsoft claimed that since the campaign's discovery on June 16, 2023, it has "identified the root cause, established durable tracking of the campaign, disrupted malicious activities, hardened the environment, notified every impacted customer, and coordinated with multiple government entities.". It added that as of June 26, 2023, it had resolved the problem "on behalf of customers.

Uncertainty surrounds the exact scope of the breach, but it represents the most recent instance of a threat actor with a base in China conducting cyberattacks in search of private data and pulling off a covert intelligence coup without drawing attention for at least a month before it was discovered in June 2023.

The revelation comes at a time when Microsoft has come under fire for its handling of the hack and for locking down forensic capabilities behind additional licensing restrictions, preventing customers from accessing thorough audit logs that would have otherwise assisted in the incident's analysis.

"Selling a car and then charging extra for seatbelts and airbags is like selling a car and then charging people for premium features necessary to not get hacked," U. S. Ron Wyden, a senator, was quoted as saying.

Furthermore, the development occurs as the U.
K.
In a thorough report on China, the Intelligence and Security Committee of Parliament (ISC) praised its "highly effective cyber espionage capability" and its capacity to hack into a variety of foreign government and private sector IT systems.

On Wednesday, SonicWall urged users of its Global Management System (GMS) firewall management and Analytics network reporting engine software to update their systems in order to protect themselves from a group of 15 security holes that a threat actor could use to bypass authentication and gain access to confidential data.

Four are classified as Critical, four as High, and seven are classified as Medium among the 15 flaws (tracked from CVE-2023-34123 through CVE-2023-34137). NCC Group made the vulnerabilities public.

Versions of GMS 9.3 that are installed locally are affected by the flaws. 2-SP1 and earlier, and Analytics 2.5. Before 0.4-R7. Versions GMS 9.3 have fixes available. 3 as well as Analytics 2.5. 2.

SonicWall stated that the vulnerabilities "allow an attacker to view data that they are not normally able to retrieve.". Any other data that the application itself has access to, as well as data belonging to other users, may fall under this category. It is frequently possible for an attacker to change or remove this data, permanently altering the application's functionality. ".

The following is a list of the critical issues.

Web Service Authentication Bypass, CVE-2023-34124 (CVSS grade: 9.4).
Multiple unauthenticated SQL injection problems and security filter bypass are both part of CVE-2023-34133 (CVSS grade: 9.8).
Password Hash Read via Web Service, CVE-2023-34134 (CVSS score: 9.8).
Cloud App Security (CAS) Authentication Bypass, CVE-2023-34137 (CVSS grade: 9.4).
The information was made public at the same time that Fortinet disclosed a serious vulnerability that affected FortiOS and FortiProxy (CVE-2023-33308, CVSS score: 9.8) and that, in certain situations, could allow an adversary to execute code remotely. Without issuing an advisory, it claimed that the problem had been fixed in a prior release.

The company stated in an advisory that "a stack-based overflow vulnerability [CWE-124] in FortiOS and FortiProxy may enable a remote attacker to execute arbitrary code or command via crafted packets reaching proxy policies or firewall policies with proxy mode along with SSL deep packet inspection.".

FortiOS 7.2 is among the impacted products. 0 to 7.2. three and seven zero. from 0 to 7.0. 10 and 7.2 of FortiProxy.
between 0 and 7.2. 7.0 and 2 are.
between 0 and 7.0. 9.
Below is a list of the versions that close the security gap.

the 7.4 update to FortiOS.
0, or higher.

FortiOS 7.2 is used.
4 or greater.

Release 7.0 of FortiOS.
11 or older.

version 7.2 of FortiProxy. a 3 or higher, and.

Using FortiProxy 7.0. at least ten.

It is important to note that not all versions of FortiOS 6.0, FortiOS 6.2, FortiOS 6.4, and FortiProxy 1 are affected by the bug. FortiProxy 2 and x. x.

Customers who are unable to update right away are advised by Fortinet to disable HTTP/2 support on SSL inspection profiles used by proxy policies or firewall policies in proxy mode.

As part of a brand-new function called Quarantined Domains, Mozilla has disclosed that some add-ons might be prevented from functioning on particular websites.

According to the company's release notes for Firefox 115.0, which was released last week, "We have introduced a new back-end feature to only allow some extensions monitored by Mozilla to run on specific websites for a variety of reasons, including security concerns.".

The company warned that malicious actors might take advantage of the add-on ecosystem's openness to their own ends.

Mozilla stated in a separate support document that "this feature allows us to prevent attacks by malicious actors targeting specific domains when we have reason to believe there may be malicious add-ons we have not yet discovered.".

Starting with Firefox version 116, users should have more control over each add-on's settings. However, it can be turned off by entering "about:config" in the address bar and setting "extensions.
quarantinedDomains.
enable" to false.

The innovation broadens Mozilla's ability to remotely disable specific extensions that endanger user security and privacy.

It's important to note that in the current implementation, the alert does not appear if an add-on is pinned to the toolbar because it appears in the Extensions popup rather than on the Extensions icon.

Quarantined Domains in Firefox.
According to security researcher and add-on developer Jeff Johnson, "It turns out that when you pin an extension to the toolbar, it no longer appears in the Extensions popup!".

"As a result, the Extensions popup no longer includes a warning about quarantined domains. In actuality, the Extensions popup is no longer present; instead, selecting the icon in the toolbar simply opens the about addons page, which is devoid of any indications of the quarantined domains warning. ".

The new "security" feature's awful user interface hides the warning from the user while silently disabling extensions, according to Johnson.

Mozilla has stated that it plans to enhance the user experience in upcoming releases, but it has not specified a specific timeframe.

The change also comes as Mozilla condemned a French proposal for browser-based website blocking that would require browser manufacturers to set up systems to forcibly block websites that are listed on a government-provided list in order to combat online fraud.

"Such a move will overturn decades of established content moderation norms and provide a playbook for authoritarian governments that will easily negate the existence of censorship circumvention tools," the company claimed.