uTalk

Official forum for Utopia Community


#1 2023-07-15 23:38:23

thrive
Member
Registered: 2023-01-04
Posts: 2,068

Microsoft bug allowed hackers to compromise over a dozen organizations

Using a Microsoft account (MSA) consumer signing key to compromise two dozen organizations, Storm-0558, a malicious actor, was able to forge Azure Active Directory (Azure AD) tokens thanks to a validation error in Microsoft's source code, the company said on Friday.

In a more detailed analysis of the campaign, the tech giant stated that "Storm-0558 acquired an inactive MSA consumer signing key and used it to forge authentication tokens for Azure AD enterprise and MSA consumer to access OWA and Outlook.com." It added: "We're still looking into how the actor got his hands on the key."

"Although the key was only meant for MSA accounts, a validation error made it possible to trust this key for signing Azure AD tokens. This problem has been fixed."

It's not immediately clear if the token validation flaw was used as a "zero-day vulnerability" or if Microsoft was already aware of the issue before it was abused in the wild.

Approximately 25 organizations, including government agencies and connected consumer accounts, were singled out by the attacks in order to obtain unauthorized email access and exfiltrate mailbox data. There is no claim that any other environment has been affected.

The campaign came to light after the U.S. State Department discovered an anomaly in emails related to Exchange Online data access. Storm-0558 is thought to be a China-based threat actor that engages in nefarious cyber activities consistent with espionage, though China has denied the accusations.

The hacking group's main targets include U.S. and European diplomatic, economic, and legislative governing bodies, as well as people with ties to Taiwanese and Uyghur geopolitical interests, media outlets, think tanks, and suppliers of telecommunications equipment and services.

According to reports, it has been operating since at least August 2021, orchestrating attacks on Microsoft accounts using OAuth tokens, phishing campaigns, and credential harvesting.

Microsoft described Storm-0558 as technically skilled, well-resourced, and possessing a keen understanding of various authentication techniques and applications. It stated that it operates with a high degree of technical tradecraft and operational security.

"The actors are well-versed in the environment, logging policies, authentication requirements, policies, and procedures of the target," Microsoft said.

Phishing is used to gain initial access to target networks, and after exploiting security holes in publicly accessible applications, the China Chopper web shell for backdoor access and the Cigril tool for credential theft are deployed.

PowerShell and Python scripts are also used by Storm-0558 to extract email data from Outlook Web Access (OWA) API calls, including attachments, folder information, and entire conversations.

Microsoft claimed that since the campaign's discovery on June 16, 2023, it has "identified the root cause, established durable tracking of the campaign, disrupted malicious activities, hardened the environment, notified every impacted customer, and coordinated with multiple government entities." It added that as of June 26, 2023, it had resolved the problem "on behalf of customers."

Uncertainty surrounds the exact scope of the breach, but it represents the most recent instance of a threat actor with a base in China conducting cyberattacks in search of private data and pulling off a covert intelligence coup without drawing attention for at least a month before it was discovered in June 2023.

The revelation comes at a time when Microsoft has come under fire for its handling of the hack and for locking down forensic capabilities behind additional licensing restrictions, preventing customers from accessing thorough audit logs that would have otherwise assisted in the incident's analysis.

"Selling a car and then charging extra for seatbelts and airbags is like selling a car and then charging people for premium features necessary to not get hacked," U.S. Senator Ron Wyden was quoted as saying.

Furthermore, the development occurs as the U.K. Parliament's Intelligence and Security Committee (ISC), in a thorough report on China, praised its "highly effective cyber espionage capability" and its capacity to hack into a variety of foreign government and private sector IT systems.

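The validation error the post describes (a key meant only for MSA consumer tokens being trusted for Azure AD tokens) as an added illustration that is not code from the post, from Microsoft, or from the forum: a toy token verifier in which each key in the shared key set carries the issuer it is scoped to, shown in its flawed form (key looked up by `kid` alone) beside the hardened form (key scope must match the token's `iss`). HMAC stands in for the real RSA signing keys, and the key names, secrets and issuer URLs are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed key set. Each key records the issuer it may sign for; HMAC
# secrets stand in for the RSA keys a real JWKS would hold, since the point
# is the scope check, not the signature algorithm.
CONSUMER_ISS = "https://consumer.login.example"      # placeholder for the MSA issuer
ENTERPRISE_ISS = "https://enterprise.login.example"  # placeholder for the Azure AD issuer
KEYS = {
    "msa-consumer-2016": {"secret": b"consumer-key-material", "iss": CONSUMER_ISS},
    "aad-enterprise-01": {"secret": b"enterprise-key-material", "iss": ENTERPRISE_ISS},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(kid: str, claims: dict) -> str:
    """Mint a JWT-shaped token with the named key, whatever that key's scope."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def _verify_sig(token: str):
    """Return (key, claims) if the signature checks out under the header's kid, else None."""
    header_s, body_s, sig_s = token.split(".")
    key = KEYS.get(json.loads(_unb64(header_s)).get("kid"))
    if key is None:
        return None
    expected = hmac.new(key["secret"], f"{header_s}.{body_s}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_s)):
        return None
    return key, json.loads(_unb64(body_s))

def validate_enterprise_token_vulnerable(token: str) -> bool:
    """Flawed check: any key in the shared key set is trusted for enterprise tokens."""
    result = _verify_sig(token)
    return result is not None and result[1].get("iss") == ENTERPRISE_ISS

def validate_enterprise_token_hardened(token: str) -> bool:
    """Fixed check: the signing key must be scoped to the issuer the token claims."""
    result = _verify_sig(token)
    if result is None:
        return False
    key, claims = result
    return claims.get("iss") == ENTERPRISE_ISS and key["iss"] == claims["iss"]
```

In the flawed verifier a valid signature from the consumer-scoped key is enough to accept an enterprise token; the hardened verifier rejects it because the key's recorded issuer does not match the token's `iss` claim.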
