July 15, 2023THNMoreCyber ​​Attack / Enterprise Security

Microsoft announced on Friday that a source code validation error allowed a malicious actor known as Storm-0558 to forge Azure Active Directory (Azure AD) tokens using a Microsoft Account (MSA) consumer signing key and announced that it was able to infiltrate the organization of

“Storm-0558 obtained an inactive MSA consumer signing key and used it to forge authentication tokens for Azure AD enterprise and MSA consumers to access OWA and Outlook.com,” said the tech giant. I’m here. Said Analyze your campaigns in more detail. “We are currently investigating how the attacker obtained the key.”

“The key was intended only for MSA accounts, but a validation issue allowed this key to be trusted to sign Azure AD tokens. This issue has been fixed.”

It’s not immediately clear if the token validation issue was exploited as a “zero-day vulnerability” or if Microsoft was already aware of the issue before it was actually exploited.

The attack targeted approximately 25 organizations, including government agencies and associated consumer accounts, to gain unauthorized email access and exfiltrate mailbox data. Other environments are not believed to be affected.

The company was informed of the incident after the US State Department detected unusual email activity related to Exchange Online data access. Storm-0558 is suspected to be a China-based actor whose malicious cyber activities are consistent with espionage, although China refutes the allegations.

The primary targets of hacking groups include US and European diplomatic, economic and legislative bodies, individuals associated with Taiwanese and Uyghur geopolitical interests, media companies, think tanks, telecommunications equipment and service providers.

Active since at least August 2021, it is said to be orchestrating credential harvesting, phishing campaigns, and OAuth token attacks targeting Microsoft accounts to achieve its goals.

“Storm-0558 operates with a high degree of technical proficiency and operational security,” Microsoft said, adding that the company is technically proficient, well-resourced, and has a wide variety of authentication technologies and applications. He said he understood deeply.


“Attackers are acutely aware of their target environments, logging policies, authentication requirements, policies and procedures.”

Initial access to the target network is achieved through phishing and exploitation of security flaws in published applications, leading to the deployment of a tool called the China Chopper web shell for backdoor access. Sigril To facilitate credential theft.

Storm-0558 also uses PowerShell and Python scripts that use Outlook Web Access (OWA) API calls to extract email data such as attachments, folder information, and entire conversations.

upcoming webinars

Shielding Against Insider Threats: Mastering SaaS Security Posture Management

Worried about insider threats? We’ve got you covered! Join us for this webinar to explore practical strategies and proactive security secrets using SaaS Security Posture Management.

join today

Since the campaign was discovered on June 16, 2023, Microsoft has “identified the root cause, established persistent tracking of the campaign, stopped malicious activity, hardened the environment, and We have notified all our customers and have been coordinating with multiple government agencies.” It also said it would mitigate the issue “on behalf of our customers” from June 26, 2023.

The exact scope of the breach remains unknown, but it appears that China-based attackers sought sensitive information and carried out cyberattacks that went unnoticed for at least a month before being discovered in June 2023. It is the latest example of carrying out a stealth intelligence coup.

This disclosure was made as Microsoft did faced criticism This is to gate the processing of hacks and forensics capabilities behind an additional licensing barrier, which prevents customers from accessing detailed audit logs that may help analyze incidents. .

US Senator Ron Wyden said, “Charging people for premium features they need to stay unhacked is like selling a car and then charging extra for seatbelts and airbags. ‘ said. Quote as they say.

This development has also taken place as the UK Parliamentary Information Security Committee (ISC). published A detailed report on China points to China’s “highly effective cyber espionage capabilities” and its ability to infiltrate diverse IT systems of foreign governments and the private sector.

Did you enjoy this article? Follow us twitter and LinkedIn To read more of the exclusive content we post.



Register now for our membership to gain access to our elite training program and fast forward your career today!


Subscribe my Newsletter for new blog posts, tips & new photos. Let's stay updated!

Security Blog

Blue Training Academy

Blue Training Academy was developed in 2018 as a educational and training facility for continuing education and certification courses. Blue Training Academy is an educational institution that allows for all sectors of the public and Criminal Justice field to gain ongoing training and education.

Copyright ©️ All rights reserved. | Blue Training Academy Blog