Sunday, April 14, 2024

Microsoft’s Exchange Server Hack: Key Rotation Flaw Triggers Breach

Storm-0558, a cyberespionage group affiliated with the People’s Republic of China, has reportedly compromised Microsoft Exchange mailboxes of 22 organizations and over 500 individuals between May and June 2023.

This was done by using authentication tokens of accounts that were signed by a Key held by Microsoft in 2016. 

This key was used for secure authentication into remote systems. However, this key was possessed by the threat actor, which provided several permissions to access any information or systems within that key’s domain.

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

Additionally, a single key can have enormous power, which, combined with a flaw in Microsoft’s authentication system, resulted in the threat actor gaining full access to any Exchange online account anywhere in the world.

Moreover, Microsoft is still investigating how Storm-0558 got its hands on this key.

The accounts compromised using this attack included 

  • Senior United States government representatives working on national security matters
  • Email accounts of Commerce Secretary Gina Raimondo, 
  • United States Ambassador to the People’s Republic of China R. Nicholas Burns and
  • Congressman Don Bacon.

Microsoft’s Exchange Server Hack

According to the CSRB reports, during the time the threat actor had access to these sensitive email accounts, they downloaded over 60,000 emails from the State Department. 

Attack vector of Storm-0558 (Source: CISA)

Moreover, the first victim of this intrusion was the State Department, which was on June 15, 2023, when the SOC team detected anomalies in access to their mail systems.

Following this, the next day, there were several security alerts for which they contacted Microsoft.

10-Day Investigations From Microsoft

Microsoft initiated an investigation for the next 10 days and confirmed that the threat actor Storm-0558 had gotten their hands on certain emails through their Outlook Web Access (OWA).

Further, Microsoft also identified 21 different organizations and 500+ users that were impacted by the attack. The impact was further noted by the U.S. government agencies.

In addition to this, Microsoft also found that the threat actor used the OWA for accessing emails directly using tokens which authenticated Storm-0558 as a valid user.

This also specified that these kinds of tokens must be associated with Microsoft’s identity systems only, but unfortunately, they were not. 

Furthermore, the tokens used by the threat actor had digital signatures with a Microsoft Services Account (MSA) cryptographic key that dated back to 2016.

This key was originally intended to be retired by March 2021, providing more insights on the attack.

The Revealing Point

Microsoft initially concluded that the threat actor had forged tokens for accessing these Microsoft Exchange online accounts from affected individuals.

However, after developing some hypotheses they found a flaw in the token validation login used by Microsoft Exchange which could allow any consumer key to access enterprise Exchange accounts if the accounts did not have a code to reject consumer key.

However, it was still not evident enough to prove that the threat actor had obtained and used the 2016 MSA key to compromise the accounts.

By that time, Microsoft recalled an attack performed by the same threat actor in 2021 in which they accessed several documents that were stored in SharePoint as they were looking for information on Azure service management and Identity-related management.

The final stages of investigations revealed some major things: Microsoft had been using manual key rotation mechanisms on enterprise systems and had completely stopped the rotation mechanism after they faced a major outage on one of these activities in 2021. 

This allowed the threat actor to use these consumer keys to forge authentication tokens to access consumer email systems.

However, another previously unknown flaw was combined with this issue, potentially compromising sensitive email accounts and organizations.


Latest articles

Alert! Palo Alto RCE Zero-day Vulnerability Actively Exploited in the Wild

In a recent security bulletin, Palo Alto Networks disclosed a critical vulnerability in its...

6-year-old Lighttpd Flaw Impacts Intel And Lenovo Servers

The software supply chain is filled with various challenges, such as untracked security vulnerabilities...

Hackers Employ Deepfake Technology To Impersonate as LastPass CEO

A LastPass employee recently became the target of an attempted fraud involving sophisticated audio...

Sisence Data Breach, CISA Urges To Reset Login Credentials

In response to a recent data breach at Sisense, a provider of data analytics...

DuckDuckGo Launches Privacy Pro: 3-in-1 service With VPN

DuckDuckGo has launched Privacy Pro, a new subscription service that promises to enhance user...

Cyber Attack Surge by 28%:Education Sector at High Risk

In Q1 2024, Check Point Research (CPR) witnessed a notable increase in the average...

Midnight Blizzard’s Microsoft Corporate Email Hack Threatens Federal Agencies: CISA Warns

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive concerning a...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Top 3 SME Attack Vectors

Securing the Top 3 SME Attack Vectors

Cybercriminals are laying siege to small-to-medium enterprises (SMEs) across sectors. 73% of SMEs know they were breached in 2023. The real rate could be closer to 100%.

  • Stolen credentials
  • Phishing
  • Exploitation of vulnerabilities

Related Articles