FBI Investigation Confirms that Iran Hackers Behind Trump Campaign Hack
The Federal Bureau of Investigation (FBI), in collaboration with the Office of the Director of National Intelligence (ODNI) and the Cybersecurity and Infrastructure Security Agency (CISA), has confirmed that Iranian hackers were responsible for a recent cyberattack targeting former President Donald Trump’s campaign.
This revelation underscores the ongoing threat of foreign interference in U.S. elections, with Iran seeking to exploit societal tensions and influence electoral outcomes.
The joint statement released by the ODNI, FBI, and CISA highlights Iran’s longstanding interest in exploiting societal tensions through cyber operations.
The intelligence community (IC) has observed increasingly aggressive Iranian activities during this election cycle, explicitly targeting presidential campaigns.
These operations aim to access sensitive information and influence the U.S. election process. Iran’s cyber activities are not limited to the Trump campaign.
The IC has reported that Iranian hackers have attempted to access individuals with direct ties to presidential campaigns from both major political parties. These efforts include social engineering tactics and cyber operations designed to compromise campaign security and manipulate electoral outcomes.
The recent hack is part of a broader pattern of foreign interference in U.S. elections. Both Iran and Russia have employed similar tactics in previous election cycles, not only in the United States but also in other countries worldwide.
These activities aim to undermine confidence in democratic institutions and complicate the ability of any U.S. administration to pursue foreign policies that may conflict with Iran’s interests.
The statement emphasizes that Iran perceives the current election cycle as consequential for its national security interests, increasing its inclination to shape the outcome through cyber operations.
This underscores the importance of safeguarding the integrity of the electoral process from foreign influence or interference.
In response to the confirmed Iranian hack, the FBI has been actively tracking the activity and working closely with victims to gather information and disrupt the threat actors responsible.
The agency and its public and private sector partners are committed to sharing information, bolstering security, and identifying and mitigating any threats to the electoral process.
The statement also highlights the need for increased resilience of online platforms to prevent such cyber intrusions. Recommendations include using strong passwords, employing official email accounts for official business, updating software regularly, and enabling multi-factor authentication.
These measures are crucial in enhancing cybersecurity and protecting sensitive information from foreign interference.
As the U.S. prepares for upcoming elections, the focus remains on ensuring the integrity and security of the electoral process, with a firm stance against foreign efforts to influence or interfere with American political campaigns.
The post FBI Investigation Confirms that Iran Hackers Behind Trump Campaign Hack appeared first on Cyber Security News.
Microsoft Struggling to Find How Hackers Steal the Azure AD Signing Key
China-based Storm-0558 breached 25 organizations, including government agencies, using forged authentication tokens to access email for espionage purposes, with activity beginning on May 15, 2023.
Microsoft blocked Storm-0558’s campaign without other environments being affected, and promptly notified all targeted customers so they could secure their systems.
Surprisingly, Microsoft remains unaware of how Chinese hackers acquired an inactive Microsoft account signing key to breach Exchange Online and Azure AD accounts.
Since discovering the malicious campaign on June 16, 2023, Microsoft has accomplished the following things:-
Swiftly addressed the root cause
Stopped the malicious activities
Strengthened the environment
Notified all the affected customers
Collaborated with government entities
Microsoft confirmed that the way in which the threat actors obtained or gained access to the key is still under investigation.
US government officials detected unauthorized access to multiple Exchange Online email services of government agencies, triggering the incident report.
Storm-0558, observed by Microsoft, primarily targets the following entities:-
US and European governing bodies
Individuals related to Taiwan
Individuals related to Uyghur interests
Media companies
Think tanks
Telecom providers
Their primary objective is unauthorized access to the email accounts of targeted organizations’ employees.
Microsoft determined that Storm-0558 accessed customer Exchange Online data through Outlook Web Access (OWA). Initially, it was believed that the actor stole Azure AD tokens using malware on infected devices.
Security researchers at Microsoft then discovered that the threat actor forged Azure AD tokens using an acquired MSA consumer signing key; a validation error in Microsoft code allowed this abuse.
The techniques that were used by threat actors during this incident are mentioned below:-
Token forgery: Authentication tokens verify the identity of entities seeking access to a resource such as email. Identity providers such as Azure AD issue these tokens to the requesting entity and sign them with a private key; relying parties validate them with the corresponding public key. An actor who acquires the private signing key can therefore forge tokens that carry valid signatures and are trusted by relying parties. This is known as “token forgery.”
Identity techniques for access: Using the forged token, the threat actor authenticated to the OWA API and obtained Exchange Online access tokens from the GetAccessTokenForResource API. A design flaw allowed the actor to present a previously issued token; it has since been corrected to accept only Azure AD or MSA tokens. With these tokens, the threat actor retrieved mail messages from the OWA API.
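The validation error described above is a key-scoping problem: a relying party that resolves a token’s signing key across every key set it knows will accept a token signed with a consumer-issuer key even when the token claims an enterprise issuer. The following is an added illustration, not Microsoft’s code; the issuer URLs, key IDs and secrets are constructed, and HMAC-SHA256 stands in for the real RSA signature so it runs with the standard library alone.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key sets keyed by issuer (hypothetical kids and secrets).
KEY_SETS = {
    "https://login.live.com": {"msa-kid-1": b"consumer-key-secret"},
    "https://login.microsoftonline.com/tenant-a": {"aad-kid-1": b"enterprise-key-secret"},
}

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(issuer: str, kid: str, key: bytes, claims: dict) -> str:
    """Issue a JWT-shaped compact token: header.payload.signature."""
    header = b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = b64(json.dumps({"iss": issuer, **claims}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64(sig)}"

def _parts(token: str):
    h, p, s = token.split(".")
    return json.loads(unb64(h)), json.loads(unb64(p)), unb64(s), f"{h}.{p}".encode()

def validate_lax(token: str) -> Optional[dict]:
    """Validation error: kid is resolved across every key set, so a consumer-issuer
    key validates a token whose iss claim names the enterprise issuer."""
    header, payload, sig, signed = _parts(token)
    for keys in KEY_SETS.values():
        key = keys.get(header["kid"])
        if key and hmac.compare_digest(sig, hmac.new(key, signed, hashlib.sha256).digest()):
            return payload
    return None

def validate_strict(token: str, expected_issuer: str) -> Optional[dict]:
    """Hardened: the iss claim must match the expected issuer, and only keys
    published by that issuer may validate the signature."""
    header, payload, sig, signed = _parts(token)
    if payload.get("iss") != expected_issuer:
        return None
    key = KEY_SETS.get(expected_issuer, {}).get(header["kid"])
    if key is None:
        return None
    good = hmac.compare_digest(sig, hmac.new(key, signed, hashlib.sha256).digest())
    return payload if good else None
```

The same scoping rule applies to real JWKS handling: fetch keys per issuer and never let a kid match outside the expected issuer’s key set.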
Moreover, to access the OWA Exchange Store service, Storm-0558 leverages:-
PowerShell
Python scripts
REST API calls
Web requests are sent through Tor or hardcoded SOCKS5 proxy servers, and the threat actor issues requests with various User-Agent strings, such as:-
Client=REST;Client=RESTSystem;;
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36 Edg/106.0.1370.52
"Microsoft Edge";v="113", "Chromium";v="113", "Not-A.Brand";v="24"
Sensitive data, including bearer access tokens and email information, is hardcoded in the scripts used by the threat actor to make OWA API calls. Additionally, for future OWA commands, the threat actor can refresh the access token.
Storm-0558 extensively utilized dedicated infrastructure with SoftEther proxy software, posing challenges for detection and attribution.
Microsoft Threat Intelligence successfully profiled this proxy infrastructure and correlated it with the actor’s intrusion techniques during their response.
The post Microsoft Struggling to Find How Hackers Steal the Azure AD Signing Key appeared first on Cyber Security News.
Exploit released for Cisco SSM bug allowing admin password changes
Cisco warns that exploit code is now available for a maximum severity vulnerability that lets attackers change any user password on unpatched Cisco Smart Software Manager On-Prem (Cisco SSM On-Prem) license servers. […]