Tuesday, July 16, 2024

Microsoft’s Exchange Server Hack: Key Rotation Flaw Triggers Breach

Storm-0558, a cyberespionage group affiliated with the People’s Republic of China, has reportedly compromised Microsoft Exchange mailboxes of 22 organizations and over 500 individuals between May and June 2023.

This was done by using authentication tokens of accounts that were signed by a Key held by Microsoft in 2016. 

This key was used for secure authentication into remote systems. However, this key was possessed by the threat actor, which provided several permissions to access any information or systems within that key’s domain.

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

Additionally, a single key can have enormous power, which, combined with a flaw in Microsoft’s authentication system, resulted in the threat actor gaining full access to any Exchange online account anywhere in the world.

Moreover, Microsoft is still investigating how Storm-0558 got its hands on this key.

The accounts compromised using this attack included 

  • Senior United States government representatives working on national security matters
  • Email accounts of Commerce Secretary Gina Raimondo, 
  • United States Ambassador to the People’s Republic of China R. Nicholas Burns and
  • Congressman Don Bacon.

Microsoft’s Exchange Server Hack

According to the CSRB reports, during the time the threat actor had access to these sensitive email accounts, they downloaded over 60,000 emails from the State Department. 

Attack vector of Storm-0558 (Source: CISA)

Moreover, the first victim of this intrusion was the State Department, which was on June 15, 2023, when the SOC team detected anomalies in access to their mail systems.

Following this, the next day, there were several security alerts for which they contacted Microsoft.

10-Day Investigations From Microsoft

Microsoft initiated an investigation for the next 10 days and confirmed that the threat actor Storm-0558 had gotten their hands on certain emails through their Outlook Web Access (OWA).

Further, Microsoft also identified 21 different organizations and 500+ users that were impacted by the attack. The impact was further noted by the U.S. government agencies.

In addition to this, Microsoft also found that the threat actor used the OWA for accessing emails directly using tokens which authenticated Storm-0558 as a valid user.

This also specified that these kinds of tokens must be associated with Microsoft’s identity systems only, but unfortunately, they were not. 

Furthermore, the tokens used by the threat actor had digital signatures with a Microsoft Services Account (MSA) cryptographic key that dated back to 2016.

This key was originally intended to be retired by March 2021, providing more insights on the attack.

The Revealing Point

Microsoft initially concluded that the threat actor had forged tokens for accessing these Microsoft Exchange online accounts from affected individuals.

However, after developing some hypotheses they found a flaw in the token validation login used by Microsoft Exchange which could allow any consumer key to access enterprise Exchange accounts if the accounts did not have a code to reject consumer key.

However, it was still not evident enough to prove that the threat actor had obtained and used the 2016 MSA key to compromise the accounts.

By that time, Microsoft recalled an attack performed by the same threat actor in 2021 in which they accessed several documents that were stored in SharePoint as they were looking for information on Azure service management and Identity-related management.

The final stages of investigations revealed some major things: Microsoft had been using manual key rotation mechanisms on enterprise systems and had completely stopped the rotation mechanism after they faced a major outage on one of these activities in 2021. 

This allowed the threat actor to use these consumer keys to forge authentication tokens to access consumer email systems.

However, another previously unknown flaw was combined with this issue, potentially compromising sensitive email accounts and organizations.


Latest articles

Critical Cellopoint Secure Email Gateway Flaw Let Attackers Execute Arbitrary Code

A critical vulnerability has been discovered in the Cellopoint Secure Email Gateway, identified as...

Singapore Banks to Phase out OTPs for Bank Account Logins Within 3 Months

The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS)...

GuardZoo Android Malware Attacking military personnel via WhatsApp To Steal Sensitive Data

A Houthi-aligned group has been deploying Android surveillanceware called GuardZoo since October 2019 to...

ViperSoftX Weaponizing AutoIt & CLR For Stealthy PowerShell Execution

ViperSoftX is an advanced malware that has become more complicated since its recognition in...

Malicious NuGet Campaign Tricking Developers To Inject Malicious Code

Hackers often target NuGet as it's a popular package manager for .NET, which developers...

Akira Ransomware Attacking Airline Industry With Legitimate Tools

Airlines often become the target of hackers as they contain sensitive personal and financial...

DarkGate Malware Exploiting Excel Files And SMB File Shares

DarkGate, a Malware-as-a-Service (MaaS) platform, experienced a surge in activity since September 2023, employing...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles