Storm-0558, a cyberespionage group affiliated with the People’s Republic of China, has reportedly compromised Microsoft Exchange mailboxes of 22 organizations and over 500 individuals between May and June 2023.
This was done by using authentication tokens of accounts that were signed by a Key held by Microsoft in 2016.
This key was used for secure authentication into remote systems. However, this key was possessed by the threat actor, which provided several permissions to access any information or systems within that key’s domain.
Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide
Additionally, a single key can have enormous power, which, combined with a flaw in Microsoft’s authentication system, resulted in the threat actor gaining full access to any Exchange online account anywhere in the world.
Moreover, Microsoft is still investigating how Storm-0558 got its hands on this key.
The accounts compromised using this attack included
- Senior United States government representatives working on national security matters
- Email accounts of Commerce Secretary Gina Raimondo,
- United States Ambassador to the People’s Republic of China R. Nicholas Burns and
- Congressman Don Bacon.
Microsoft’s Exchange Server Hack
According to the CSRB reports, during the time the threat actor had access to these sensitive email accounts, they downloaded over 60,000 emails from the State Department.
Moreover, the first victim of this intrusion was the State Department, which was on June 15, 2023, when the SOC team detected anomalies in access to their mail systems.
Following this, the next day, there were several security alerts for which they contacted Microsoft.
10-Day Investigations From Microsoft
Microsoft initiated an investigation for the next 10 days and confirmed that the threat actor Storm-0558 had gotten their hands on certain emails through their Outlook Web Access (OWA).
Further, Microsoft also identified 21 different organizations and 500+ users that were impacted by the attack. The impact was further noted by the U.S. government agencies.
In addition to this, Microsoft also found that the threat actor used the OWA for accessing emails directly using tokens which authenticated Storm-0558 as a valid user.
This also specified that these kinds of tokens must be associated with Microsoft’s identity systems only, but unfortunately, they were not.
Furthermore, the tokens used by the threat actor had digital signatures with a Microsoft Services Account (MSA) cryptographic key that dated back to 2016.
This key was originally intended to be retired by March 2021, providing more insights on the attack.
The Revealing Point
Microsoft initially concluded that the threat actor had forged tokens for accessing these Microsoft Exchange online accounts from affected individuals.
However, after developing some hypotheses they found a flaw in the token validation login used by Microsoft Exchange which could allow any consumer key to access enterprise Exchange accounts if the accounts did not have a code to reject consumer key.
However, it was still not evident enough to prove that the threat actor had obtained and used the 2016 MSA key to compromise the accounts.
By that time, Microsoft recalled an attack performed by the same threat actor in 2021 in which they accessed several documents that were stored in SharePoint as they were looking for information on Azure service management and Identity-related management.
The final stages of investigations revealed some major things: Microsoft had been using manual key rotation mechanisms on enterprise systems and had completely stopped the rotation mechanism after they faced a major outage on one of these activities in 2021.
This allowed the threat actor to use these consumer keys to forge authentication tokens to access consumer email systems.
However, another previously unknown flaw was combined with this issue, potentially compromising sensitive email accounts and organizations.