Malware Spotlight

The Eye of the Storm: Malware in Focus

In June 2023, a Federal Civilian Executive Branch (FCEB) agency in the United States uncovered unusual email behavior, subsequently revealing a fresh espionage campaign connected to China. A month later, on July 11th, Microsoft released a blog post revealing that a Chinese-based hacking group gained access to an unspecified number of email accounts across approximately 25 organizations. This hacking group, known as Storm-0558, primarily targets government agencies in the United States and Western Europe and focuses on espionage and data theft.  

The attack began on May 15, 2023, when Storm-0558 used forged authentication tokens to access various government agencies simultaneously (the State Department was the first to publicly disclose the breach). The hackers acquired an inactive Microsoft account (MSA) consumer signing key and exploited a validation error in Microsoft code. This allowed them to forge Azure Active Directory (Azure AD) tokens, which were then used to gain unauthorized access to Outlook Web Access (OWA) and Outlook.com accounts. As a result, the threat actors could extract sensitive information from targeted email accounts. In an in-depth analysis of the issue, the Microsoft security team stated, “Though the key was intended only for MSA accounts, a validation issue allowed this key to be trusted for signing Azure AD tokens. This issue has been corrected.”

Initially, Microsoft indicated that only these two services (OWA and Outlook.com) were affected by the token forging technique. However, further investigation by Wiz Research revealed that the compromised signing key had more extensive capabilities than previously reported. The compromised MSA key could have allowed the threat actor to forge access tokens for various Azure AD applications, including widely used services like SharePoint, Teams, and OneDrive, as well as customers’ applications supporting “login with Microsoft” functionality. While Microsoft has since revoked the compromised key, Wiz said the hackers may have leveraged the access they gained to establish persistence in a victim’s network.

To protect against potential threats, Microsoft advises its users to refresh the cache of local stores and certificates, update their Azure SDK to the latest version, and monitor application-specific logs for any suspicious activities related to the compromised key.

The full extent of the breach remains uncertain, but it serves as yet another instance of a China-based threat actor carrying out cyberattacks to obtain sensitive information. The intrusion was detected in close proximity to Secretary of State Antony Blinken’s visit to China, raising suspicions of a possible strategic connection. The timing of the attack aligns with the Chinese Communist Party’s political strategy, which aims to undermine the reputation of the United States while bolstering their own position on the global stage. As it stands, the only known cabinet-level official that was impacted by this attack is Commerce Secretary Gina Raimondo. According to the FBI, the breaches have been mitigated but an ongoing investigation continues. A senior official from the Department of Homeland Security also said that of the 25 organizations impacted, fewer than 10 were from the United States. 

While attacks happen often and it is not possible to defend against every attack every time, Microsoft is under fire for this attack because of its convoluted cloud computing tiers. Victims that were not enrolled in Microsoft’s Premium Cloud Tier could not detect the intrusion as that feature was limited to the more expensive options.

Logging software is a crucial tool that allows companies to detect and investigate cyber attacks by recording and monitoring activity on their servers.  For government Microsoft clients, these packages are referred to as G5 (the top tier) and G3 (the standard tier), respectively. The problem arose when victims of the attack using the less-expensive Microsoft G3 software license did not have access to critical log files that could have potentially helped identify the intrusion. Although the State Department (which had access to the logging tools) managed to detect anomalous activity and report it to Microsoft, other victims who were not enrolled in the premium service remained unaware of the breach.

Access to log files are essential for investigating and tracing cybercriminal activities, especially after a breach occurs. The log files serve as digital ledgers, recording various activities on Microsoft’s cloud, such as browser usage and operating system access, providing invaluable clues for post-attack analysis. By restricting access to this crucial data, Microsoft inadvertently left many of its customers vulnerable and unable to properly investigate the attack.

After much scrutiny from government agencies and cybersecurity experts, Microsoft announced that it will offer all customers wider access to security logs for free to help improve finding hackers on customer networks. Microsoft plans to make more than 30 different log data types available for free to customers who have a license for Microsoft’s lower-cost cloud services. Microsoft will also begin storing up to 180 days of logging activity by default, double the previous limit of 90 days. 

By ensuring that access to log files and security data is standard across all service packages, companies can detect and mitigate cyber threats with greater vigilance, reducing the risk of sophisticated espionage campaigns and data breaches. A greater level of transparency and commitment to security from cloud service providers is crucial to prevent future incidents with far-reaching implications.