Microsoft Bug Lets Hackers Breach More Than Two Dozen Organizations Through Forged Azure AD Tokens


July 15, 2023 | THN | Cyber Attack / Enterprise Security


Microsoft on Friday said a validation error in its source code allowed Azure Active Directory (Azure AD) tokens to be forged by a malicious actor known as Storm-0558, using a Microsoft account (MSA) consumer signing key, to breach two dozen organizations.

“Storm-0558 acquired an inactive MSA consumer signing key and used it to spoof authentication tokens for Azure AD enterprise and MSA consumers to access OWA and,” the tech giant said in a deeper analysis of the campaign. “The method by which the actor obtained the key is a matter of ongoing investigation.”

“Although the key was only intended for MSA accounts, a validation issue allowed this key to be trusted for signing Azure AD tokens. This issue has been fixed.”
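The validation failure described above is, in the abstract, a relying party that picks a verification key by its key identifier without asking which issuer published that key or whether the key is still in service. The Go program below is an added illustration of that contrast and is not Microsoft's code (the token validation code involved is not public); the issuer names, key identifiers, e-mail addresses and the simplified token layout are all constructed for the example. It generates two RSA keys, registers one as an active enterprise key and the other as a retired consumer key, forges a token that claims the enterprise issuer but is signed with the consumer key, and runs it through a verifier that keys only on `kid` and one that scopes the lookup to the expected issuer and refuses retired keys.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed issuer names standing in for the Azure AD enterprise and MSA
// consumer issuers; they are not Microsoft's real endpoints.
const (
	aadIssuer = "https://sts.example/aad"
	msaIssuer = "https://sts.example/msa"
)

// signingKey is one entry in a relying party's cache of provider public keys.
// Issuer records which provider published it; Active models a retired key.
type signingKey struct {
	KID, Issuer string
	Pub         *rsa.PublicKey
	Active      bool
}

// token is a simplified stand-in for a JWT: the signer's key id, the claims,
// and an RSA PKCS#1 v1.5 SHA-256 signature over the JSON-encoded claims.
type token struct {
	KID, Iss, Aud, Sub string
	Sig                []byte
}

func (t token) digest() []byte {
	body, _ := json.Marshal(struct{ Iss, Aud, Sub string }{t.Iss, t.Aud, t.Sub})
	d := sha256.Sum256(body)
	return d[:]
}

// mintToken signs t with priv; the caller chooses the kid and the claims.
func mintToken(priv *rsa.PrivateKey, t token) token {
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, t.digest())
	if err != nil {
		panic(err)
	}
	t.Sig = sig
	return t
}

// verifyByKid is the flawed pattern: whichever cached key carries the token's
// kid is trusted, no matter which issuer published it or whether it is retired.
func verifyByKid(t token, cache []signingKey) error {
	for _, k := range cache {
		if k.KID == t.KID {
			return rsa.VerifyPKCS1v15(k.Pub, crypto.SHA256, t.digest(), t.Sig)
		}
	}
	return errors.New("unknown kid")
}

// verifyScoped binds the key to the issuer the relying party expects: iss must
// match, the key must be published under that issuer, and a retired key is
// refused before any signature is checked (expiry and audience checks omitted).
func verifyScoped(t token, cache []signingKey, expectedIss string) error {
	if t.Iss != expectedIss {
		return errors.New("issuer mismatch")
	}
	for _, k := range cache {
		if k.KID != t.KID || k.Issuer != expectedIss {
			continue
		}
		if !k.Active {
			return errors.New("signing key is retired")
		}
		return rsa.VerifyPKCS1v15(k.Pub, crypto.SHA256, t.digest(), t.Sig)
	}
	return errors.New("no key with this kid under expected issuer")
}

// runScenario replays the shape of the attack: a token naming the enterprise
// issuer but signed with a retired consumer key, checked by both verifiers.
func runScenario() (forgedAcceptedByKid, forgedAcceptedScoped, legitAcceptedScoped bool) {
	aadKey, _ := rsa.GenerateKey(rand.Reader, 2048) // generation from rand.Reader does not fail in practice
	msaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	cache := []signingKey{
		{KID: "aad-2023", Issuer: aadIssuer, Pub: &aadKey.PublicKey, Active: true},
		{KID: "msa-2016", Issuer: msaIssuer, Pub: &msaKey.PublicKey, Active: false},
	}
	forged := mintToken(msaKey, token{KID: "msa-2016", Iss: aadIssuer, Aud: "owa", Sub: "victim@enterprise.example"})
	legit := mintToken(aadKey, token{KID: "aad-2023", Iss: aadIssuer, Aud: "owa", Sub: "user@enterprise.example"})
	return verifyByKid(forged, cache) == nil,
		verifyScoped(forged, cache, aadIssuer) == nil,
		verifyScoped(legit, cache, aadIssuer) == nil
}

func main() {
	fmt.Println(runScenario()) // true false true
}
```

Running it prints `true false true`: the kid-only verifier accepts the forgery because the signature really does check out under the consumer key, the issuer-scoped verifier rejects it, and a token the enterprise key actually signed still passes. The same discipline applies to real JWT validation: fetch keys only from the key set of the issuer you expect, check `iss` before trusting `kid`, and treat a key's retirement as a hard boundary rather than a hint.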

It was not immediately clear whether the token validation issue was exploited as a zero-day vulnerability or whether Microsoft was aware of the flaw before it was exploited in the wild.

The attacks targeted around 25 organizations, including government entities and associated consumer accounts, to gain unauthorized email access and exfiltrate mailbox data. No other environments were said to be impacted.

The exact scope of the breach remains unclear, but it is the latest example of a China-based threat actor conducting cyber attacks in search of sensitive information and pulling off a stealthy intelligence operation that went unnoticed for at least a month before it was discovered in June 2023.

Microsoft was notified of the incident after the US Department of State detected anomalous email activity related to Exchange Online data access. Storm-0558 is suspected to be a China-based threat actor conducting malicious cyber activity consistent with espionage, although China has denied the allegations.

The hacking crew's primary targets include US and European diplomatic, economic, and legislative governing bodies, individuals connected to Taiwanese and Uyghur geopolitical interests, media companies, think tanks, and telecommunications equipment and service providers.

The group is said to have been active since at least August 2021, orchestrating credential harvesting, phishing campaigns, and OAuth token attacks aimed at Microsoft accounts in pursuit of its goals.

“Storm-0558 operates with a high degree of technical tradecraft and operational security,” Microsoft said, describing the group as technically adept, well resourced, and having an in-depth understanding of various authentication techniques and applications.


“The actors are well aware of the target environment, logging policies, authentication requirements, policies, and procedures.”

Initial access to target networks was achieved through phishing and the exploitation of security flaws in public-facing applications, leading to the deployment of the China Chopper web shell for backdoor access and a tool called Cigril to facilitate credential theft.

Storm-0558 has also used PowerShell and Python scripts to extract email data such as attachments, folder information, and entire conversations via Outlook Web Access (OWA) API calls.



Microsoft said that since discovering the campaign on June 16, 2023, it has “identified root causes, established durable campaign tracking, disrupted malicious activity, strengthened the environment, notified any affected customers, and coordinated with multiple government entities.” It also notes that it has been mitigating the issue “on behalf of the customer” since June 26, 2023.

The disclosure comes as Microsoft faces criticism for its handling of the hack and for placing forensic capabilities behind additional licensing tiers, thereby preventing customers from accessing the detailed audit logs that would otherwise help them analyze the incident.

“Charging people for premium features necessary to not get hacked is like selling a car and then charging extra for seatbelts and airbags,” US Senator Ron Wyden was quoted as saying.

The development also comes as the UK Parliament’s Intelligence and Security Committee (ISC) published a report detailing China, citing its “highly effective cyber espionage capability” and its ability to penetrate a diverse range of foreign government and private sector IT systems.
