Binary Ballet: China’s Espionage Tango with Microsoft
August 2023 by SecurityHQ
Microsoft and the CISA have recently disclosed a major security incident which has impacted multiple customers of Exchange Online and Outlook.com. This incident has been attributed to Chinese Threat Actor Storm-0558, who acquired a private encryption key (MSA key) and used it to forge access tokens for Outlook Web Access (OWA) and Outlook.com. Additionally, the threat actor reportedly exploited two security issues in Microsoft’s token verification process.
Why You Should Care About this Threat
Identity Provider’s signing keys are critical to modern security as they ensure the integrity of the authentication data exchanged between multiple parties, preventing tampering and unauthorized access. These keys underpin the entire authentication ecosystem. The significance of this compromised key lies in its ability to provide direct access to various Microsoft resources, including email infrastructure, file services, and cloud accounts.
This is more than a typical supply chain attack, as we can see the repercussions manifesting themselves in Microsoft’s panicked response, allowing unlimited logging access illustrates a move away from a financial motivator for cybersecurity - based remediation actions, and a more focused threat detection and mitigation approach.
In an unprecedented move, Microsoft in collaboration with the CISA, have expanded access to cloud logging data for customers across the globe at no additional cost, to enable easier detection and prevention for enterprises.
The MS team have taken several steps related to this, they have hardened key issuance systems since the acquired MSA key was initially issued, added increased isolation of the systems, and they have refined their monitoring of system activity.
Threat Actor Profile
Microsoft Threat Intelligence has identified several distinct Storm-0558 capabilities that facilitate the threat actor’s intrusion techniques.
Storm-0558 uses a repository of PowerShell and Python scripts to perform REST API calls against the OWA Exchange Store service. For example, Storm-0558 has the capability to use access tokens to extract email data such as:
Email Body and Subject.
Email Folder Information and metadata.
The scripts contain extremely sensitive hardcoded information such as bearer access tokens and email data, which the threat actor uses to perform the OWA API calls. The threat actor has the capability to refresh the access token for use in subsequent OWA commands, adding a layer of persistence.
Next Steps to Safeguard Against this Threat
Whilst the goals of Storm-0558 is to remain opaque, the response from Microsoft has had an adverse effect on consumer confidence and identified systemic shortcomings. The difficulty in understanding the full scale of this attack lies in the lack of sufficient logs to determine if companies were compromised, meaning the foundational incident response processed has been hamstrung.
This points to a problem on a grander scaler than previously thought. The fact that Microsoft’s logging capabilities have come into question undermines faith in the largest technology provider in history, and further cements the idea that threat actors are moving at a pace that large business cannot keep up with.
SecurityHQ Threat Intelligence team have been following the developments of this closely, and there are two services that can alleviate some of the pressure that such attacks can cause.
Our Vulnerability Management Service, and Penetration Testing Services (combined VAPT) can identify and remediate misconfigurations in both on-premises and clous environments, meaning structural weaknesses in an enterprise such as this can be remedied, and hardened to minimise any potential impact.
This is enriched by Threat and Risk Intelligence (TRI) to stay ahead of any potential issues and leverage Dark Web Intelligence, to spot when these campaigns and attacks are in their infancy. This in turn empowers business to stay ahead of malicious actors, and ensures business continuity, protects sensitive data, and maintains consumer trust, all while maturing a risk management system.
SecurityHQ’s Threat Intelligence Team
SecurityHQ’s Threat Intelligence team is a cohesive global unit dedicated to Cyber Threat Intelligence. Our team is focused on researching emerging threats, tracking activities of threat actors, ransomware groups, and campaigns, to ensure that they stay ahead of potential risks.
Beyond their investigative work, the Intelligence team provides actionable threat intelligence and research, enriching the understanding of SecurityHQ’s customers worldwide. United by a common commitment, the SecurityHQ Threat Intelligence team delivers the insights needed to confidently navigate the intricacies of the cyber security threat landscape.