China’s Storm-0558 hacked 25 organizations, including government agencies, using fake tokens for email access, aiming at espionage since May 15, 2023.
However, Storm-0558’s campaign was blocked by Microsoft without affecting other environments. Not only that even, Microsoft also acted promptly by notifying all the targeted customers to secure their systems.
Surprisingly, Microsoft remains unaware of how Chinese hackers acquired an inactive Microsoft account signing key to breach Exchange Online and Azure AD accounts.
The Incident’s Cause is Unknown!
Since discovering the malicious campaign on June 16, 2023, Microsoft has accomplished the following things:-
Swiftly addressed the root cause
Stopped the malicious activities
Strengthened the environment
Notified all the affected customers
Collaborated with government entities
While Microsoft affirmed that the way in which the threat actors obtained or gained access to the key is currently under investigation.
US government officials detected unauthorized access to multiple Exchange Online email services of government agencies, triggering the incident report.
Storm-0558, observed by Microsoft, primarily targets the following entities:-
US and European governing bodies
Individuals related to Taiwan
Individuals related to Uyghur interests
Besides this, their primary objective is to get unauthorized email account access of targeted organizations’ employees.
It’s been discovered by Microsoft that through Outlook Web Access (OWA) Storm-0558 accessed customer Exchange Online data. Initially, it was believed that the actor stole Azure AD tokens using malware on infected devices.
Security researchers at Microsoft discovered that the threat actor forged Azure AD tokens using an acquired MSA consumer signing key, which is a validation error in Microsoft code that allowed this abuse.
Techniques Used by Hackers
The techniques that were used by threat actors during this incident are mentioned below:-
Token forgery: The identity of entities seeking resource access, like email was verified by the authentication tokens, and the identity providers, such as Azure AD, issue these tokens to the requesting entity and sign them with a private key for authenticity. While the relying parties validate tokens using a public key, but, acquiring a private signing key enables an actor to forge tokens with valid signatures, tricking relying parties and in total, it’s known as “token forgery.”
Identity techniques for access: Using the forged token, the threat actor authenticated and accessed the OWA API to obtain Exchange Online access tokens from the GetAccessTokenForResource API. A design flaw allowed the actor to present a previously issued token, but it has been rectified to only accept Azure AD or MSA tokens. With these tokens, from the OWA API, the threat actor retrieved mail messages.
Ways Storm-0558 Executes Attacks
Moreover, to access the OWA Exchange Store service, Storm-0558 leverages:-
REST API calls
Through Tor or hardcoded SOCKS5 proxy servers, the web requests are sent, and for issuing requests the threat actor employs various User-Agents like:-
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/220.127.116.11 Safari/537.36 Edg/106.0.1370.52
“Microsoft Edge”;v=”113″, “Chromium”;v=”113″, “Not-A.Brand”;v=”24″
Sensitive data, including bearer access tokens and email information, is hardcoded in the scripts used by the threat actor to make OWA API calls. Additionally, for future OWA commands, the threat actor can refresh the access token.
Storm-0558 extensively utilized dedicated infrastructure with SoftEther proxy software, posing challenges for detection and attribution.
Microsoft Threat Intelligence successfully profiled this proxy infrastructure and correlated it with the actor’s intrusion techniques during their response.
The post Microsoft Struggling to Find How Hackers Steal the Azure AD Signing Key appeared first on Cyber Security News.
Cyber Security News