Microsoft Struggling to Find How Hackers Steal the Azure AD Signing Key
Storm-0558, a China-based threat actor, breached 25 organizations, including government agencies, using forged authentication tokens to access email in an espionage campaign active since May 15, 2023.
Microsoft blocked the campaign before it spread to other environments and promptly notified all targeted customers so they could secure their systems.
Surprisingly, Microsoft still does not know how the actor acquired an inactive Microsoft account (MSA) consumer signing key, which was used to breach Exchange Online and Azure AD accounts.
The Incident’s Cause is Unknown!
Since discovering the malicious campaign on June 16, 2023, Microsoft has taken the following steps:-
Swiftly addressed the root cause
Stopped the malicious activities
Strengthened the environment
Notified all the affected customers
Collaborated with government entities
Microsoft stated that how the threat actors obtained the key is still under investigation.
The incident came to light when US government officials detected unauthorized access to the Exchange Online email services of multiple government agencies and reported it.
Storm-0558, observed by Microsoft, primarily targets the following entities:-
US and European governing bodies
Individuals related to Taiwan
Individuals related to Uyghur interests
Media companies
Think tanks
Telecom providers
Their primary objective is unauthorized access to the email accounts of targeted organizations' employees.
Microsoft determined that Storm-0558 accessed customer Exchange Online data through Outlook Web Access (OWA). Initially, it was believed that the actor had stolen Azure AD tokens using malware on infected devices.
Microsoft's security researchers then found that the threat actor forged Azure AD tokens using an acquired MSA consumer signing key; a validation error in Microsoft code allowed tokens signed with that key to be accepted.
Techniques Used by Hackers
The techniques that were used by threat actors during this incident are mentioned below:-
Token forgery: Authentication tokens verify the identity of entities requesting access to resources such as email. Identity providers such as Azure AD issue these tokens to the requesting entity and sign them with a private key to prove authenticity, and relying parties validate them with the corresponding public key. An actor who acquires the private signing key can therefore forge tokens with valid signatures that relying parties will trust; this is known as "token forgery."
Identity techniques for access: Using the forged token, the threat actor authenticated to the OWA API and obtained Exchange Online access tokens from the GetAccessTokenForResource API. A design flaw allowed the actor to present a previously issued token; it has since been fixed so that the API accepts only Azure AD or MSA tokens. With these access tokens, the threat actor retrieved mail messages from the OWA API.
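The following PowerShell script is an added example, not Microsoft's code, that models the class of validation bug described above: a relying party whose key set is not bound to a specific issuer will accept a token signed with the consumer provider's key even though the token claims the enterprise provider as its issuer. The key pairs are generated locally, the issuer names and the JWT-style token format are simplified stand-ins, and the exact shape of the real bug is not known from the article; only the general class is illustrated.

```powershell
# Added example (not Microsoft's code). Two locally generated RSA key pairs stand in for an
# enterprise identity provider and a separate consumer identity provider.
$hashAlg = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$padding = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1

function ConvertTo-Base64Url([byte[]]$Bytes) {
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
function ConvertFrom-Base64Url([string]$Text) {
    $s = $Text.Replace('-', '+').Replace('_', '/')
    while ($s.Length % 4 -ne 0) { $s += '=' }
    , [Convert]::FromBase64String($s)   # leading comma keeps the byte[] intact on output
}

# An identity provider: a private key for signing and a public key published to relying parties.
function New-Issuer([string]$Name) {
    $private = [System.Security.Cryptography.RSA]::Create()
    $public  = [System.Security.Cryptography.RSA]::Create()
    $public.ImportParameters($private.ExportParameters($false))
    [pscustomobject]@{ Name = $Name; Kid = "$Name-key-1"; PrivateKey = $private; PublicKey = $public }
}

# Sign a JWT-style token (header.payload.signature). The 'iss' claim is whatever the signer
# writes, so a verifier must not rely on it until the signing key itself has been checked.
function New-Token {
    param($Issuer, [string]$ClaimedIssuer, [string]$Subject, [string]$Audience)
    $headerJson  = @{ alg = 'RS256'; kid = $Issuer.Kid } | ConvertTo-Json -Compress
    $payloadJson = @{ iss = $ClaimedIssuer; sub = $Subject; aud = $Audience } | ConvertTo-Json -Compress
    $header  = ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes($headerJson))
    $payload = ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes($payloadJson))
    $signingInput = [Text.Encoding]::ASCII.GetBytes("$header.$payload")
    $signature = $Issuer.PrivateKey.SignData($signingInput, $hashAlg, $padding)
    "$header.$payload.$(ConvertTo-Base64Url $signature)"
}

# Relying-party validation. $KeySet maps kid -> @{ Key = <public RSA>; Issuer = <owner name> }.
# -BindKeyToIssuer additionally requires the key to belong to the issuer being expected; without
# it the verifier only checks that *some* trusted key produced the signature (the flawed pattern).
function Test-Token {
    param([string]$Token, [hashtable]$KeySet, [string]$ExpectedIssuer, [string]$ExpectedAudience, [switch]$BindKeyToIssuer)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { return $false }
    $header  = [Text.Encoding]::UTF8.GetString((ConvertFrom-Base64Url $parts[0])) | ConvertFrom-Json
    $payload = [Text.Encoding]::UTF8.GetString((ConvertFrom-Base64Url $parts[1])) | ConvertFrom-Json
    $entry = $KeySet[$header.kid]
    if (-not $entry) { return $false }                                   # unknown signing key
    if ($BindKeyToIssuer -and $entry.Issuer -ne $ExpectedIssuer) { return $false }
    $signingInput = [Text.Encoding]::ASCII.GetBytes("$($parts[0]).$($parts[1])")
    $signatureOk  = $entry.Key.VerifyData($signingInput, (ConvertFrom-Base64Url $parts[2]), $hashAlg, $padding)
    return ($signatureOk -and $payload.iss -eq $ExpectedIssuer -and $payload.aud -eq $ExpectedAudience)
}

$enterprise = New-Issuer 'enterprise-idp'   # stand-in for Azure AD
$consumer   = New-Issuer 'consumer-idp'     # stand-in for the MSA consumer provider
$keySet = @{}
$keySet[$enterprise.Kid] = @{ Key = $enterprise.PublicKey; Issuer = $enterprise.Name }
$keySet[$consumer.Kid]   = @{ Key = $consumer.PublicKey;   Issuer = $consumer.Name }

$genuine = New-Token $enterprise -ClaimedIssuer $enterprise.Name -Subject 'user@example.com' -Audience 'mail-api'
# Signed with the consumer key, but claiming the enterprise issuer.
$crossSigned = New-Token $consumer -ClaimedIssuer $enterprise.Name -Subject 'user@example.com' -Audience 'mail-api'

[pscustomobject]@{
    GenuineAccepted            = Test-Token $genuine     $keySet $enterprise.Name 'mail-api'
    CrossSignedUnboundAccepted = Test-Token $crossSigned $keySet $enterprise.Name 'mail-api'
    CrossSignedBoundAccepted   = Test-Token $crossSigned $keySet $enterprise.Name 'mail-api' -BindKeyToIssuer
}
```

Running the script shows the unbound verifier accepting the cross-signed token and the bound verifier rejecting it. The defensive lesson is that a signature check alone is not a validity check: the key that produced the signature must be one the expected issuer actually publishes, and a validator that loads several providers' keys into one pool has silently widened its trust boundary.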
Ways Storm-0558 Executes Attacks
To access the OWA Exchange Store service, Storm-0558 uses:-
PowerShell
Python scripts
REST API calls
Web requests are sent through Tor or hardcoded SOCKS5 proxy servers, and the threat actor issues them with various User-Agent strings, including:-
Client=REST;Client=RESTSystem;;
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36 Edg/106.0.1370.52
"Microsoft Edge";v="113", "Chromium";v="113", "Not-A.Brand";v="24"
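As an added detection example, not part of the article, the following PowerShell script scans IIS-style OWA access logs for the User-Agent strings listed above. The log lines are constructed samples in W3C format (IIS records spaces inside the User-Agent as '+'), the client addresses come from documentation ranges, and the confidence ratings are an assumption: the two Chrome/Edge strings are shared by countless legitimate clients, so on their own they only narrow a hunt.

```powershell
# Added detection example (not from the article). The log below is a constructed sample.
$knownAgents = @{
    'Client=REST;Client=RESTSystem;;'                                                   = 'High'
    '"Microsoft Edge";v="113", "Chromium";v="113", "Not-A.Brand";v="24"'                = 'High'
    'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36' = 'Low'
    'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36 Edg/106.0.1370.52' = 'Low'
}

function Find-SuspiciousAgents {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        # Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent).
        # Everything after the sixth space belongs to the User-Agent field.
        $fields = $line -split ' ', 7
        if ($fields.Count -lt 7) { continue }
        $agent = $fields[6].Replace('+', ' ')
        if ($knownAgents.ContainsKey($agent)) {
            [pscustomobject]@{
                Time       = "$($fields[0]) $($fields[1])"
                ClientIP   = $fields[2]
                Method     = $fields[3]
                Uri        = $fields[4]
                Status     = $fields[5]
                Confidence = $knownAgents[$agent]
                UserAgent  = $agent
            }
        }
    }
}

# Constructed sample log (not real telemetry); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
$sampleLog = @'
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
2023-06-20 03:14:07 203.0.113.10 GET /owa/ 200 Client=REST;Client=RESTSystem;;
2023-06-20 03:14:09 203.0.113.10 POST /owa/service.svc 200 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/106.0.0.0+Safari/537.36+Edg/106.0.1370.52
2023-06-20 03:15:30 198.51.100.7 GET /owa/ 200 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/114.0.0.0+Safari/537.36
2023-06-20 03:16:02 203.0.113.10 GET /owa/service.svc 200 "Microsoft+Edge";v="113",+"Chromium";v="113",+"Not-A.Brand";v="24"
'@

Find-SuspiciousAgents -Lines ($sampleLog -split '\r?\n') | Sort-Object Confidence, Time | Format-Table -AutoSize
```

In the sample, the three requests from 203.0.113.10 are flagged while the unrelated Chrome/114 request is not. Because the article notes that the actor routes requests through Tor, SOCKS5 proxies and SoftEther infrastructure, the low-confidence matches are most useful when grouped by ClientIP and enriched with exit-node or proxy lists rather than alerted on individually.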
Sensitive data, including bearer access tokens and email information, is hardcoded in the scripts the threat actor uses to make OWA API calls. The scripts can also refresh the access token for subsequent OWA commands.
Storm-0558 extensively utilized dedicated infrastructure with SoftEther proxy software, posing challenges for detection and attribution.
Microsoft Threat Intelligence successfully profiled this proxy infrastructure and correlated it with the actor’s intrusion techniques during their response.
The post Microsoft Struggling to Find How Hackers Steal the Azure AD Signing Key appeared first on Cyber Security News.
Most Common AD Misconfigurations Leading to Cyberattacks
Active Directory (AD) is one of the most widely used services for managing users, computers, and other resources inside an organization's internal network, as it offers centralized authentication and authorization for Windows and applications.
Administrators can control access to network resources, enforce security policies, manage device configuration, and more. Setting up Active Directory is also relatively easy, which contributes to its wide adoption by organizations worldwide.
Although Active Directory includes several security mechanisms, administrators must be aware of some of its default configurations and take the necessary actions to secure the environment with best practices and security measures.
Common Active Directory Misconfigurations
According to the NVISO Labs report, Active Directory deployments are prone to several misconfigurations that can allow threat actors to infiltrate an organization. Some of the common misconfigurations are:
Administrator accounts are allowed for the delegation
AES encryption is not forced on service accounts
Print Spooler is enabled on Domain controllers
Users can create machine accounts
Unchanged GPOs are not processed on Domain Controllers
Password policy and least privilege
Service accounts
KRBTGT account
Administrator accounts are allowed for the delegation
By default, Active Directory permits delegation, in which an application can act in the name of a user (Kerberos delegation), either impersonating the user anywhere in the network (unconstrained delegation) or only to a specific service on a specific computer (constrained delegation).
If an attacker gains access to an administrator account that is allowed to be delegated, they could impersonate that account to move laterally or compromise the domain.
AES encryption is not forced on service accounts
A Kerberoasting attack is possible if AES encryption is not enforced on service accounts and RC4 is not explicitly disabled: a threat actor can request a Kerberos ticket for a specific SPN and brute-force the account's password.
Print spooler is enabled on Domain Controllers
The Print Spooler service, which manages the printing process, can be abused by a threat actor to obtain the hash of the KRBTGT account, resulting in almost unlimited access to the Active Directory domain.
Users can create machine accounts
A machine account is an Active Directory object that represents a computer or a device connected to the domain and can have different attributes that store information about the device, can be a member of security groups, can have Group Policies applied, etc.
If a Public Key Infrastructure (PKI) is present in the domain, an attacker can abuse the default Machine certificate template to perform a DCSync attack and dump the hashes of all users and computers.
Unchanged GPOs are not reprocessed on Domain Controllers
Most GPO settings are only applied when they are new or have changed since the client last requested them, which could allow a threat actor to modify a registry key that is normally managed through a GPO in order to disable specific security measures.
Password policy and least privilege
Service accounts
Most of the time, there are no password policies for service accounts. Additionally, administrators are allowed to set weak passwords that can be easily brute-forced. In other instances, the passwords for service accounts were stored in their description field.
KRBTGT account
The KRBTGT account is a default account that exists in every Active Directory domain and handles all Kerberos requests in the domain. A compromise of this account allows threat actors to access domain resources.
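The following PowerShell audit script is an added example, not part of the article or of the NVISO report, that checks a domain for the misconfigurations listed above. It assumes the RSAT ActiveDirectory module on a domain-joined host with rights to read the directory, and WinRM access to the domain controllers for the Spooler and Group Policy checks. The thresholds (a 14-character minimum password length, a 180-day KRBTGT password age), the description-field regex and the reliance on the registry-policy client-side-extension key for the GPO check are assumptions of the example, not figures from the report.

```powershell
# Added audit script (not from the article or the NVISO report). Requires RSAT ActiveDirectory.
Import-Module ActiveDirectory

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Check, [string]$Object, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Object = $Object; Detail = $Detail })
}
$domain = Get-ADDomain
$dcs    = Get-ADDomainController -Filter *

# 1. Delegation: every Domain Admin should carry 'Account is sensitive and cannot be delegated',
#    and no user (nor any computer other than a DC) should be trusted for unconstrained delegation.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties AccountNotDelegated | Where-Object { -not $_.AccountNotDelegated } |
    ForEach-Object { Add-Finding 'Delegation' $_.SamAccountName 'Privileged account may be delegated (AccountNotDelegated not set)' }
Get-ADComputer -Filter 'TrustedForDelegation -eq $true' | Where-Object { $dcs.Name -notcontains $_.Name } |
    ForEach-Object { Add-Finding 'Delegation' $_.Name 'Unconstrained delegation on a non-DC computer' }
Get-ADUser -Filter 'TrustedForDelegation -eq $true' |
    ForEach-Object { Add-Finding 'Delegation' $_.SamAccountName 'Unconstrained delegation on a user account' }

# 2. Kerberos: service accounts (users with an SPN) that do not advertise AES in
#    msDS-SupportedEncryptionTypes (0x8 = AES128, 0x10 = AES256); an unset value has
#    traditionally meant RC4 service tickets, which Kerberoasting relies on.
# 3. Passwords: service-account descriptions that look like they hold a password (assumed regex).
Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties msDS-SupportedEncryptionTypes, Description |
    Where-Object SamAccountName -ne 'krbtgt' | ForEach-Object {
        $enc = [int]($_.'msDS-SupportedEncryptionTypes')
        if (($enc -band 0x18) -eq 0) { Add-Finding 'Kerberos' $_.SamAccountName "AES not enabled (msDS-SupportedEncryptionTypes = $enc)" }
        if ($_.Description -match 'pass|pwd') { Add-Finding 'Passwords' $_.SamAccountName 'Description looks like it contains a password' }
    }

# 4. Print Spooler and 5. GPO reprocessing, queried on each DC over WinRM. NoGPOListChanges = 0
#    under the registry-policy client-side extension key means "process even if the GPOs have not changed".
foreach ($dc in $dcs) {
    $state = Invoke-Command -ComputerName $dc.HostName -ErrorAction SilentlyContinue -ScriptBlock {
        $cse = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
        [pscustomobject]@{
            Spooler          = (Get-Service -Name Spooler -ErrorAction SilentlyContinue).Status
            NoGPOListChanges = (Get-ItemProperty -Path $cse -Name NoGPOListChanges -ErrorAction SilentlyContinue).NoGPOListChanges
        }
    }
    if (-not $state) { Add-Finding 'Connectivity' $dc.HostName 'Could not query the DC over WinRM'; continue }
    if ($state.Spooler -eq 'Running') { Add-Finding 'PrintSpooler' $dc.HostName 'Print Spooler is running on a domain controller' }
    if ($state.NoGPOListChanges -ne 0) { Add-Finding 'GroupPolicy' $dc.HostName 'Unchanged GPOs are not reprocessed (NoGPOListChanges is not 0)' }
}

# 6. Machine accounts: ms-DS-MachineAccountQuota (default 10) lets any user join computers to the domain.
$maq = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
if ($maq -gt 0) { Add-Finding 'MachineAccounts' $domain.DNSRoot "ms-DS-MachineAccountQuota is $maq (0 stops ordinary users creating machine accounts)" }

# 7. Password policy and KRBTGT password age (thresholds are assumed values).
$policy = Get-ADDefaultDomainPasswordPolicy
if ($policy.MinPasswordLength -lt 14) { Add-Finding 'Passwords' $domain.DNSRoot "Default minimum password length is $($policy.MinPasswordLength)" }
if (-not (Get-ADFineGrainedPasswordPolicy -Filter *)) { Add-Finding 'Passwords' $domain.DNSRoot 'No fine-grained password policy (service accounts get only the default policy)' }
$krbtgt  = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
$ageDays = [int]((Get-Date) - $krbtgt.PasswordLastSet).TotalDays
if ($ageDays -gt 180) { Add-Finding 'KRBTGT' 'krbtgt' "Password last set $ageDays days ago" }

$findings | Sort-Object Check | Format-Table -AutoSize
```

Each finding names the object and the check that produced it, so the output can be fed straight into a ticketing workflow. The checks are read-only; remediation (setting AccountNotDelegated, adding AES to msDS-SupportedEncryptionTypes, stopping the Spooler on DCs, setting ms-DS-MachineAccountQuota to 0, rotating KRBTGT) should be planned separately, since several of them affect live Kerberos behaviour.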
A complete report about the common misconfigurations in Active Directory has been published by NVISO Labs, providing detailed information on the attacks, exploitation, and mitigations.
The post Most Common AD Misconfigurations Leading to Cyberattacks appeared first on Cyber Security News.
US Cyber Command Appoints Morgan Adamski as Executive Director
United States Cyber Command (USCYBERCOM) has named Ms. Morgan M. Adamski as Executive Director effective June 2024.
The post US Cyber Command Appoints Morgan Adamski as Executive Director appeared first on SecurityWeek.