Microsoft is still trying to figure out how Chinese hackers managed to steal a Microsoft account (MSA) consumer signing key and use it to target email accounts at more than two dozen businesses and government organizations in the West.
In a deeper analysis of the incident, the company confirmed that the theft is still under investigation: “The manner in which the actor obtained the keys is the subject of an ongoing investigation,” the post said. “Although the key was only for MSA accounts, a validation issue allowed this key to be trusted for signing Azure AD tokens. This issue has been corrected.”
Further in the report, the company says that its investigation, which began about a month ago, found that post-compromise activity was “limited to email access and intrusions for targeted users.”
Microsoft has fixed the issue and says no action is required on the part of customers. Nevertheless, the mailboxes were breached and potentially sensitive data was taken. The group behind the attack is tracked as Storm-0558, which Microsoft describes as a China-based espionage actor focused on data theft.
Analysis: Why does it matter?
The attack was likely carried out by a Chinese state-sponsored threat actor. Among the victims are US government agencies, including the State Department and the Department of Commerce. If the attackers obtained sensitive information from these email accounts (and, given roughly a month of undetected access, they probably did), it could have major implications for national security. Beyond that, stolen private data lets threat actors launch further attacks, including identity theft, wire fraud, and ransomware.
Relations between the United States and China have deteriorated significantly in recent years. Tensions first escalated over 5G infrastructure, when the Trump administration barred Huawei from supplying key parts of the network, and have since heated up further around Taiwan. China, which claims Taiwan as its territory, has not ruled out an invasion to bring the island under its sovereignty, and US President Joe Biden has said the United States would use military force if needed to defend it.
Stealing sensitive data from the US government could give China an edge in dealing with its Western rival on the global stage.
What have others said about it?
Microsoft reported that it noticed the campaign, which had been active for about a month at the time, after a customer reported it. It was later revealed that the customer was, in fact, the US State Department.
The company confirmed that the attack was carried out using forged authentication tokens, which allowed the threat actors to access email using an acquired Microsoft account consumer signing key. This is the key Microsoft still does not know how the actor obtained.
“The Microsoft investigation revealed that Storm-0558 gained access to customer email accounts by creating authentication tokens to access user email using Outlook Web Access in Exchange Online (OWA) and Outlook.com,” Microsoft reported.
“The actor used the acquired MSA key to generate tokens to access OWA and Outlook.com. MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems. The actor exploited a token verification issue to impersonate Azure AD users and gain access to enterprise mail. We have no indication that Azure AD keys or any other MSA keys were used by this actor. OWA and Outlook.com are the only services where we have seen actors using forged tokens with acquired MSA keys.”
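The validation issue Microsoft describes is a class of bug worth seeing in code: a token verifier that resolves the signing key by key ID from a merged key set, instead of from the key set of the issuer it expects, will accept a token signed with the consumer key even when its claims name an enterprise tenant. The example below is added here to illustrate that failure mode and its fix; it is not Microsoft's code, and the issuers, key IDs, keys and claims are constructed. Real MSA and Azure AD tokens are RSA-signed against published key sets; HMAC stands in so the example runs with the standard library only.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed key material: one key set per issuer. In production these would
# be the consumer and enterprise JWKS documents; the names are assumptions.
CONSUMER_ISSUER = "https://login.live.com"
ENTERPRISE_ISSUER = "https://login.microsoftonline.com/contoso"
MAIL_AUDIENCE = "https://outlook.office365.com"
KEYS = {
    CONSUMER_ISSUER: {"msa-key-1": b"consumer-signing-key-constructed"},
    ENTERPRISE_ISSUER: {"aad-key-1": b"enterprise-signing-key-constructed"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, key: bytes, claims: dict) -> str:
    """Mint a compact JWT (HS256 stand-in for RS256) under the given key."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = f"{_b64(json.dumps(header).encode())}.{_b64(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64(sig)}"


def _split(token: str):
    h, p, s = token.split(".")
    return json.loads(_unb64(h)), json.loads(_unb64(p)), _unb64(s), f"{h}.{p}"


def _signature_ok(key: bytes, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)


def verify_vulnerable(token: str, expected_aud: str, now: Optional[float] = None) -> Optional[dict]:
    """Model of the validation issue: the kid is looked up across ALL key sets,
    so any key in the merged set is trusted for any issuer's claims."""
    now = time.time() if now is None else now
    header, claims, sig, signing_input = _split(token)
    merged = {kid: k for key_set in KEYS.values() for kid, k in key_set.items()}
    key = merged.get(header.get("kid"))
    if key is None or not _signature_ok(key, signing_input, sig):
        return None
    if claims.get("aud") != expected_aud or claims.get("exp", 0) < now:
        return None
    return claims  # accepted even if signed by the consumer key


def verify_fixed(token: str, expected_iss: str, expected_aud: str, now: Optional[float] = None) -> Optional[dict]:
    """Corrected verifier: the key set is chosen by the issuer the relying
    party expects, so a consumer-signed token can never pass an enterprise
    check, regardless of what its iss/kid claim."""
    now = time.time() if now is None else now
    header, claims, sig, signing_input = _split(token)
    if header.get("alg") != "HS256":          # pin the algorithm
        return None
    if claims.get("iss") != expected_iss:     # issuer must match what we expect
        return None
    key = KEYS.get(expected_iss, {}).get(header.get("kid"))  # keys of THAT issuer only
    if key is None or not _signature_ok(key, signing_input, sig):
        return None
    if claims.get("aud") != expected_aud or claims.get("exp", 0) < now:
        return None
    return claims


def forge_with_stolen_consumer_key(now: Optional[float] = None) -> str:
    """What an actor holding the consumer key could mint: enterprise-looking
    claims signed with the MSA key. Claims are constructed for the example."""
    now = time.time() if now is None else now
    claims = {"iss": ENTERPRISE_ISSUER, "aud": MAIL_AUDIENCE,
              "upn": "victim@contoso.example", "exp": now + 3600}
    return sign_token("msa-key-1", KEYS[CONSUMER_ISSUER]["msa-key-1"], claims)


if __name__ == "__main__":
    forged = forge_with_stolen_consumer_key()
    print("vulnerable verifier accepts forged token:", verify_vulnerable(forged, MAIL_AUDIENCE) is not None)
    print("fixed verifier accepts forged token:", verify_fixed(forged, ENTERPRISE_ISSUER, MAIL_AUDIENCE) is not None)
```

The practical check for any relying party is the order of operations in `verify_fixed`: decide which issuer you are willing to trust first, fetch that issuer's key set, and only then resolve `kid`, pin `alg`, and check `aud` and `exp`. Resolving `kid` first and accepting whichever key set happens to contain it is exactly the cross-system trust that let an MSA-signed token impersonate Azure AD users.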
Potentially affected customers do not need to do anything to stay protected, Microsoft said, because the mitigation was applied on the company's side. The Redmond software giant said it contacted the targeted organizations directly and provided them with the information needed for mitigation and response. Microsoft concluded, “If you have not been contacted, our investigation indicates that you have not been affected.”
In its report on the news, BleepingComputer added that after all active MSA signing keys were revoked and the API flaw was mitigated, the attackers switched to other techniques. “In addition, we have seen Storm-0558 divert to other technologies, which indicates that the actor has not been able to use or access any signing keys,” Microsoft said.
SC Magazine, on the other hand, reminds its readers that this was no ordinary cyberattack, but an “advanced and strategically executed” one.
“Nation-state attackers have the resources and skills to break into accounts, and once inside they can also remain unknown. In this attack, the Storm-0558 attackers were hiding within government email accounts, with access to data in those accounts, up to a month before the targeted agencies noticed unusual mail activity,” the publication notes.
The publication also states that IT teams generally face an uphill battle against cybercriminals, who often abuse previously unknown vulnerabilities to break into systems and infiltrate endpoints. That does not mean they cannot fight back; it means they need a “layered security approach,” which includes MFA, application security programs, behavior-based anomaly detection, and more.
Go deeper
If you want to know more about this attack, be sure to read our initial report. Plus, you should read our in-depth guide to what phishing is, what are the best firewalls for SMB, and our guide on the best malware removal tools right now.