Microsoft disclosed on Friday that a validation flaw in its source code allowed a malicious actor going by Storm-0558 to compromise two dozen organizations by forging Azure Active Directory (Azure AD) tokens using a Microsoft account (MSA) consumer signing key.
In a more detailed campaign analysis, the tech giant stated that “Storm-0558 acquired an inactive MSA consumer signing key and used it to forge authentication tokens for Azure AD enterprise and MSA consumer to access OWA and Outlook.com.” The way the actor got the key is still under investigation, according to the statement.
“Despite the key being only meant for MSA accounts, a validation error made it possible to trust this key for signing Azure AD tokens. This problem has been resolved.” It is not immediately clear whether the token validation issue was exploited as a zero-day, or whether Microsoft was already aware of the problem before it was abused in the wild. Approximately 25 organizations, including government agencies, and related consumer accounts were singled out by the attacks in order to obtain unauthorized email access and exfiltrate mailbox data. Microsoft has not reported any other environment as affected.
The U.S. State Department first detected suspicious email activity linked to Exchange Online data access and alerted Microsoft to the incident. Storm-0558 is assessed to be a China-based threat actor whose malicious cyber activities are consistent with espionage, although China has denied the allegations.
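The validation error described above, illustrated with an added example that is not Microsoft's code: a minimal token validator written for this article. HMAC stands in for the RSA keys Microsoft actually publishes, and the issuer URLs, key IDs, tenant name and secrets are invented for illustration. The flawed validator resolves the header `kid` against the union of consumer and enterprise keys, so a token that claims the enterprise issuer but is signed with the consumer key passes. The hardened validator selects the key set from the token's `iss` claim first and only then looks up `kid` within it, so a key published for MSA consumer accounts can never validate an Azure AD token.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample key material (assumption for this example): one signing
# key per issuer. Real MSA/Azure AD keys are RSA keys distributed via JWKS;
# HMAC is used here so the example needs only the standard library.
CONSUMER_ISSUER = "https://login.live.com"                                   # MSA (consumer)
ENTERPRISE_ISSUER = "https://login.microsoftonline.com/contoso-tenant/v2.0"  # Azure AD (enterprise)
AUDIENCE = "https://outlook.office.com"                                       # illustrative audience

KEYS_BY_ISSUER = {
    CONSUMER_ISSUER:   {"msa-key-1": b"consumer-signing-secret"},
    ENTERPRISE_ISSUER: {"aad-key-1": b"enterprise-signing-secret"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(claims: dict, kid: str, key: bytes) -> str:
    """Mint a compact JWS (HS256) over the claims, binding the key id in the header."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _split(token: str):
    """Return (header, claims, signature bytes, signing input) of a compact JWS."""
    h, p, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s), h + "." + p


def _verify_sig(key: bytes, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def _check_standard_claims(claims: dict, now: float) -> bool:
    return claims.get("aud") == AUDIENCE and claims.get("exp", 0) > now


def validate_vulnerable(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Flawed validation: `kid` is looked up across the union of all trusted keys,
    so any trusted key can sign a token for any issuer."""
    now = time.time() if now is None else now
    header, claims, sig, signing_input = _split(token)
    all_keys = {kid: k for keys in KEYS_BY_ISSUER.values() for kid, k in keys.items()}
    key = all_keys.get(header.get("kid"))
    if key is None or not _verify_sig(key, signing_input, sig):
        return None
    return claims if _check_standard_claims(claims, now) else None


def validate_hardened(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Correct validation: the key set is chosen by the token's `iss` claim and
    `kid` is resolved only inside that issuer's keys."""
    now = time.time() if now is None else now
    header, claims, sig, signing_input = _split(token)
    if header.get("alg") != "HS256":          # pin the algorithm; never trust the header's choice
        return None
    issuer_keys = KEYS_BY_ISSUER.get(claims.get("iss"))
    if issuer_keys is None:
        return None
    key = issuer_keys.get(header.get("kid"))  # consumer kid is simply absent here
    if key is None or not _verify_sig(key, signing_input, sig):
        return None
    return claims if _check_standard_claims(claims, now) else None


def forge_enterprise_token_with_consumer_key(now: float) -> str:
    """What an actor holding only the consumer key can attempt: claim the
    enterprise issuer and tenant while signing with msa-key-1."""
    claims = {"iss": ENTERPRISE_ISSUER, "aud": AUDIENCE, "sub": "victim@contoso.example",
              "tid": "contoso-tenant", "iat": int(now), "exp": int(now) + 3600}
    return sign_token(claims, "msa-key-1", KEYS_BY_ISSUER[CONSUMER_ISSUER]["msa-key-1"])


if __name__ == "__main__":
    now = time.time()
    forged = forge_enterprise_token_with_consumer_key(now)
    print("vulnerable validator accepts forged token:", validate_vulnerable(forged, now) is not None)
    print("hardened validator accepts forged token:  ", validate_hardened(forged, now) is not None)
```

The same rule carries over to real deployments: a relying party should fetch the JWKS for the issuer it expects (or the issuer named in the token, after checking that issuer is allowed for the audience) and refuse any `kid` that is not in that document, rather than merging key sets from several identity providers into one lookup table.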
The hacking group’s primary targets are U.S. and European diplomatic, economic, and legislative governing bodies, as well as people with ties to Taiwanese and Uyghur geopolitical interests, media outlets, and manufacturers of telecommunications equipment and services.
Storm-0558 is described as technically skilled, well-resourced, and having a thorough understanding of various authentication techniques and applications by Microsoft. “Storm-0558 operates with a high degree of technical tradecraft and operational security,” the company said.
Figure 1. Python code snippet of the token refresh functionality used by the threat actor.
Figure 2. PowerShell code snippet of OWA REST API call to GetConversationItems.
The actors are well acquainted with the target’s environment, logging policies, authentication requirements, and internal policies and procedures. Initial access to target networks is gained through phishing and by exploiting security flaws in publicly accessible applications, after which the China Chopper web shell is deployed for backdoor access and the Cigril tool for credential theft.
Storm-0558 also uses PowerShell and Python scripts to extract email data, such as attachments, folder information, and entire conversations, through Outlook Web Access (OWA) API calls.
Since the campaign was discovered on June 16, 2023, Microsoft says it has “identified the root cause, established durable tracking of the campaign, disrupted malicious activities, hardened the environment, notified every impacted customer, and coordinated with multiple government entities.” It also stated that, as of June 26, 2023, it had resolved the problem “on customers’ behalf.”
The development also arrives as the U.K.’s Intelligence and Security Committee of Parliament (ISC) published a detailed Report on China, calling out its “highly effective cyber espionage capability” and its ability to penetrate a diverse range of foreign government and private sector IT systems.
Hardening and mitigating
No customer action is required to mitigate the token forgery or validation errors in OWA or Outlook.com. Microsoft has resolved the issue on customers’ behalf as follows:
- On June 26, OWA stopped accepting tokens issued by GetAccessTokensForResource for renewal, which mitigated the abuse of token renewal.
- On June 27, Microsoft blocked the use of tokens signed with the acquired MSA key in OWA, preventing further enterprise mail activity by the threat actor.
- On June 29, Microsoft completed a key replacement to prevent the threat actor from using the key to forge tokens. Microsoft invalidated all MSA signing keys that were valid at the time of the incident, including the MSA key acquired by the actor. The new MSA signing key is issued from a substantially updated system that benefits from hardening not present in the system that issued the key the actor acquired.
- Microsoft has increased the isolation of these systems from the corporate environment, applications, and users, and has increased monitoring of all systems related to signing-key activity, with enhanced automated alerting on that monitoring.
- On July 3, Microsoft blocked usage of the key for all affected consumer customers to prevent the use of previously issued tokens.
Ongoing monitoring indicates that all actor activity connected to this incident has been blocked. Microsoft says it will continue to monitor Storm-0558 activity and implement protections for its customers.
-Manan Sapariya (Security Analyst, PSY9 Security)