linepax.blogg.se

Hack versacheck validation code









"Storm-0558 operates with a high degree of technical tradecraft and operational security," Microsoft said, describing it as technically adept, well-resourced, and having an acute understanding of various authentication techniques and applications. "The actors are keenly aware of the target's environment, logging policies, authentication requirements, policies, and procedures."

Initial access to target networks is realized through phishing and exploitation of security flaws in public-facing applications, leading to the deployment of the China Chopper web shell for backdoor access and a tool called Cigril to facilitate credential theft. Also employed by Storm-0558 are PowerShell and Python scripts to extract email data such as attachments, folder information, and entire conversations using Outlook Web Access (OWA) API calls.


The attacks singled out approximately 25 organizations, including government entities and associated consumer accounts, to gain unauthorized email access and exfiltrate mailbox data. No other environment is said to have been impacted. The company was tipped off about the incident after the U.S. State Department detected anomalous email activity related to Exchange Online data access.

Storm-0558 is suspected to be a China-based threat actor conducting malicious cyber activities that are consistent with espionage, although China has refuted the allegations. Primary targets of the hacking crew include U.S. and European diplomatic, economic, and legislative governing bodies, and individuals connected to Taiwan and Uyghur geopolitical interests, as well as media companies, think tanks, and telecommunications equipment and service providers. It's said to have been active since at least August 2021, orchestrating credential harvesting, phishing campaigns, and OAuth token attacks aimed at Microsoft accounts to pursue its goals.


"Storm-0558 acquired an inactive MSA consumer signing key and used it to forge authentication tokens for Azure AD enterprise and MSA consumer to access OWA and ," the tech giant said in a deeper analysis of the campaign. "The method by which the actor acquired the key is a matter of ongoing investigation."

"Though the key was intended only for MSA accounts, a validation issue allowed this key to be trusted for signing Azure AD tokens."

It's not immediately clear if the token validation issue was exploited as a "zero-day vulnerability" or if Microsoft was already aware of the problem before it came under in-the-wild abuse.


Microsoft on Friday said a validation error in its source code allowed for Azure Active Directory (Azure AD) tokens to be forged by a malicious actor known as Storm-0558 using a Microsoft account (MSA) consumer signing key to breach two dozen organizations.










