On Friday, Microsoft revealed that a validation error in its code allowed a threat actor tracked as Storm-0558 to forge Azure Active Directory (Azure AD) tokens using a Microsoft account (MSA) consumer signing key, and to breach roughly two dozen organisations with them.
Storm-0558 obtained an inactive MSA consumer signing key and used it to forge authentication tokens for both Azure AD enterprise accounts and MSA consumer accounts. These tokens gave the actor unauthorised access to Outlook Web Access (OWA) and Outlook.com. In its in-depth review of the incident, Microsoft said it is still investigating how the actor acquired the key.
Although the key was meant to sign only MSA consumer tokens, a validation error in Microsoft's code meant that tokens it signed were also accepted as Azure AD tokens. Microsoft says the issue has since been corrected.
It is unclear whether the token validation issue was exploited as a previously unknown vulnerability (a zero-day) or whether Microsoft already knew of the problem before it was exploited.
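The class of bug described above is a key-scope confusion: a validator that accepts any key it happens to know, rather than only the keys published by the issuer a token claims, will accept a token signed by a key from a different trust domain. The following is an added, illustrative example (not Microsoft's code, and a deliberate simplification of the real incident): HS256 with constructed secrets stands in for the RSA signing keys, the issuer URLs and key IDs are invented, and the two validators differ only in whether they tie the key to the issuer.

```python
"""Toy JWT validator showing key-scope confusion across trust domains.

Illustrative model only, not Microsoft's code. HS256 with constructed
secrets stands in for the RSA signing keys in the real incident.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed keys for the example: one consumer (MSA) key, one enterprise key.
MSA_ISSUER = "https://login.live.com"                     # consumer accounts
AAD_ISSUER = "https://login.microsoftonline.com/contoso"  # hypothetical tenant
MSA_KEYS = {"msa-2016": b"consumer-signing-secret"}       # assume this one leaked
AAD_KEYS = {"aad-2023": b"enterprise-signing-secret"}
ISSUER_KEYS = {MSA_ISSUER: MSA_KEYS, AAD_ISSUER: AAD_KEYS}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, kid: str, secret: bytes) -> str:
    """Mint an HS256 token; anyone holding `secret` can do this, attacker included."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(claims).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _split(token: str):
    h, p, s = token.split(".")
    return (json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)),
            _b64url_decode(s), h + "." + p)


def _check_sig(secret: bytes, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def _check_claims(claims: dict, expected_iss: str) -> bool:
    return claims.get("iss") == expected_iss and claims.get("exp", 0) > time.time()


def verify_unscoped(token: str, expected_iss: str):
    """Weak validator: looks `kid` up in one pool of every key it knows.

    A token whose claims name the enterprise issuer but whose signature was
    made with the consumer key passes, because the key's origin is never tied
    to the issuer the token claims. Returns claims on success, None otherwise.
    """
    header, claims, sig, signing_input = _split(token)
    pool = {**MSA_KEYS, **AAD_KEYS}
    secret = pool.get(header.get("kid"))
    if secret is None or not _check_sig(secret, signing_input, sig):
        return None
    return claims if _check_claims(claims, expected_iss) else None


def verify_scoped(token: str, expected_iss: str):
    """Hardened validator: the issuer must be the one the relying party expects,
    and the key must come from that issuer's own keyset.
    """
    header, claims, sig, signing_input = _split(token)
    if header.get("alg") != "HS256" or claims.get("iss") != expected_iss:
        return None                                   # wrong alg or trust domain
    secret = ISSUER_KEYS.get(expected_iss, {}).get(header.get("kid"))
    if secret is None:                                # kid not published by this issuer
        return None
    if not _check_sig(secret, signing_input, sig):
        return None
    return claims if _check_claims(claims, expected_iss) else None


def demo() -> dict:
    """Run a legitimate enterprise token and a forgery through both validators."""
    exp = int(time.time()) + 3600
    legit = make_token({"iss": AAD_ISSUER, "sub": "alice", "exp": exp},
                       "aad-2023", AAD_KEYS["aad-2023"])
    # Forgery: enterprise claims, signed with the leaked consumer key.
    forged = make_token({"iss": AAD_ISSUER, "sub": "victim", "exp": exp},
                        "msa-2016", MSA_KEYS["msa-2016"])
    return {
        "legit_unscoped": verify_unscoped(legit, AAD_ISSUER) is not None,
        "legit_scoped": verify_scoped(legit, AAD_ISSUER) is not None,
        "forged_unscoped": verify_unscoped(forged, AAD_ISSUER) is not None,  # True: the bug
        "forged_scoped": verify_scoped(forged, AAD_ISSUER) is not None,      # False: rejected
    }


if __name__ == "__main__":
    print(demo())
```

The important line in the hardened version is the key lookup: `ISSUER_KEYS[expected_iss]` rather than a merged pool. In production code the same rule applies to a JWKS cache: keys fetched from one issuer's discovery document must never be consulted when validating a token that claims another issuer, and audience, `nbf`, and the header `alg` should be checked as well.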
The attacks targeted about 25 organisations, including government agencies, and related consumer accounts of individuals, to gain unauthorised access to email and exfiltrate mailbox data. Microsoft states that no other environments were affected.
The incident came to Microsoft's attention after the U.S. State Department noticed anomalous email activity tied to Exchange Online data access. Microsoft assesses Storm-0558 to be a China-based threat actor engaged in espionage; China has denied the claims.
The group targeted U.S. and European diplomatic, economic, and legislative entities, as well as individuals linked to Taiwan and Uyghur geopolitical interests. Media companies, think tanks, and telecommunications equipment and service providers were also among the targets.
Since August 2021, Storm-0558 has been conducting credential harvesting, phishing campaigns, and OAuth token attacks on Microsoft accounts to achieve its objectives.
“Storm-0558 displays a high level of technical and operational expertise,” Microsoft noted, characterising the group as technologically proficient, adequately resourced, and possessing an in-depth comprehension of various authentication methods and applications. “They exhibit a deep understanding of the target’s environment, logging policies, and authentication requirements, policies, and procedures.”
Initial access to target networks was gained through phishing and exploitation of vulnerabilities in public-facing applications, after which the group deployed the China Chopper web shell for backdoor access and a tool named Cigril for credential theft.
Storm-0558 also utilised PowerShell and Python scripts to extract email data, including attachments, folder info, and conversations using Outlook Web Access (OWA) API calls.
According to Microsoft, since discovering the campaign on June 16, 2023, they have “identified the root cause, established robust campaign tracking, disrupted malicious activities, fortified the environment, informed all affected customers, and liaised with multiple government bodies.”
The full extent of the breach is still unknown. Even so, it is the latest instance of a China-based threat actor conducting cyber-attacks to obtain sensitive data, in this case running a covert intelligence operation that went undetected for at least a month before its discovery in June 2023.
The news also comes as the U.K. Parliament's Intelligence and Security Committee (ISC) published a comprehensive report on China, highlighting its “highly effective cyber espionage capability” and its ability to penetrate a wide range of IT systems used by other governments and the private sector.