China Breaches Microsoft by Stealing an MSA Key

Last Updated: July 21, 2023

Image Source: PC Mag

Summary

On July 11, Microsoft announced that Chinese hacking group Storm-0558 gained access to the email systems of several US government agencies from May 15th to June 16th. This breach potentially jeopardizes hundreds of thousands of emails, including those of the US ambassador to China and other senior officials.


According to both Microsoft and the US State Department, the hackers acquired a private signing key which they used to generate access tokens for the accounts. But an investigation by cloud security firm Wiz suggests this compromised key could have also been used to generate access tokens for a broad range of Microsoft services, including SharePoint, Teams, OneDrive, and third-party applications created by customers.

Here's What Happened:

  1. May 15, 2023: Storm-0558 accessed Outlook accounts by acquiring a private signing key (MSA key) and using it to forge access tokens for Outlook Web Access (OWA) and Outlook.com. These accounts belonged to roughly 25 organizations (reportedly including the U.S. State and Commerce Departments) and some consumer accounts likely connected to them.

  2. In early June 2023, a Federal Civilian Executive Branch (FCEB) agency detected suspicious activity in its Microsoft 365 cloud environment: MailItemsAccessed events with an unexpected ClientAppId and AppId in the M365 Audit Logs. The MailItemsAccessed event is generated when licensed users access items in Exchange Online mailboxes using any connectivity protocol from any client. The agency deemed this activity suspicious because the observed AppId did not normally access mailbox items in its environment, and reported the activity to Microsoft and CISA.

  3. Microsoft started investigating on June 16 and determined that the threat actors had accessed and exfiltrated unclassified Exchange Online Outlook data. Microsoft identified this activity as part of a campaign targeting multiple organizations, all of which have been notified.

  4. Microsoft blocked the tokens issued with the acquired key and replaced the key to prevent further misuse.

  5. CISA and the FBI issued an advisory urging organizations to enhance their logging and monitoring activities. This includes:

     - Enabling audit logging.

     - Ensuring that logs are searchable by operators.

     - Enabling Microsoft 365 Unified Audit Logging.

     - Understanding their organization's cloud baseline to identify abnormal versus normal traffic.

  6. Microsoft released these logging features to all customers, rather than only to higher-tier customers.
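The detection in step 2 comes down to comparing the AppId and ClientAppId on MailItemsAccessed events against the set of applications that normally read mailboxes in the tenant. The following Python script is an added illustration, not code from the advisory or from Microsoft: the audit records, GUIDs, IP addresses and baseline are constructed, and only the field names follow the Unified Audit Log mailbox-audit schema.

```python
import json
from collections import defaultdict

# Constructed sample of Microsoft 365 Unified Audit Log records (JSON lines).
# Field names follow the Exchange mailbox audit schema (Operation, AppId,
# ClientAppId, UserId, ClientIPAddress); the GUIDs and IPs are made up.
SAMPLE_LOG = """\
{"CreationTime":"2023-06-02T10:14:03","Operation":"MailItemsAccessed","Workload":"Exchange","UserId":"alice@agency.example","AppId":"00000000-0000-0000-0000-00000000aaaa","ClientAppId":"00000000-0000-0000-0000-00000000aaaa","ClientIPAddress":"203.0.113.10"}
{"CreationTime":"2023-06-02T10:15:41","Operation":"MailItemsAccessed","Workload":"Exchange","UserId":"alice@agency.example","AppId":"11111111-1111-1111-1111-111111111111","ClientAppId":"11111111-1111-1111-1111-111111111111","ClientIPAddress":"198.51.100.7"}
{"CreationTime":"2023-06-02T10:16:09","Operation":"MailItemsAccessed","Workload":"Exchange","UserId":"bob@agency.example","AppId":"11111111-1111-1111-1111-111111111111","ClientAppId":"11111111-1111-1111-1111-111111111111","ClientIPAddress":"198.51.100.7"}
{"CreationTime":"2023-06-02T10:20:00","Operation":"Send","Workload":"Exchange","UserId":"bob@agency.example","AppId":"11111111-1111-1111-1111-111111111111","ClientAppId":"11111111-1111-1111-1111-111111111111","ClientIPAddress":"198.51.100.7"}
"""

# Constructed tenant baseline: AppIds that normally read mailbox items here
# (in practice, built from weeks of audit history before the period of interest).
BASELINE_APP_IDS = {"00000000-0000-0000-0000-00000000aaaa"}


def parse_records(text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_unexpected_mail_access(records, baseline_app_ids):
    """Group MailItemsAccessed events whose AppId or ClientAppId is outside the baseline."""
    findings = defaultdict(lambda: {"count": 0, "users": set(), "ips": set()})
    for rec in records:
        # Only mailbox-read events matter here; other operations are ignored.
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        app_id = rec.get("AppId", "")
        client_app_id = rec.get("ClientAppId", "")
        if app_id in baseline_app_ids and client_app_id in baseline_app_ids:
            continue
        # One entry per unfamiliar app pair: how many events, which mailboxes, which sources.
        hit = findings[(app_id, client_app_id)]
        hit["count"] += 1
        hit["users"].add(rec.get("UserId", ""))
        hit["ips"].add(rec.get("ClientIPAddress", ""))
    return dict(findings)


if __name__ == "__main__":
    for (app_id, client_app_id), hit in find_unexpected_mail_access(
        parse_records(SAMPLE_LOG), BASELINE_APP_IDS
    ).items():
        print(f"AppId={app_id} ClientAppId={client_app_id}: {hit['count']} events, "
              f"{len(hit['users'])} mailboxes, from {sorted(hit['ips'])}")
```

On the constructed sample the script reports one unfamiliar application that read two mailboxes from a single source address, which is the kind of pattern the FCEB agency escalated.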

Microsoft says that the attack is now contained and that the data taken was unclassified. The company began investigating unusual activity within a few weeks of the initial attack and was able to stop the culprits despite their repeated attempts to manipulate credentials for account access. Microsoft is committed to securing the digital world and has been steadily building solutions that are secure by design. The company vows to work closely with CISA and its customers to continue investing in built-in security and other protective measures.

Now That We’ve Covered What Happened, I’d Like to Focus on Step 6 From Above.

Microsoft has made a move in the aftermath of the breach, although they probably would have been castigated by angry security professionals had they not. In a great piece by Andy Greenberg over on Wired, Andy points out that this attack could only be discovered by those paying extra for additional logging capabilities. In response to this realization, Microsoft has extended its premium logging capabilities, formerly exclusive to Microsoft Purview Audit (Premium) customers, to all users. This decision means that every Microsoft cloud user now has deeper visibility into security data, including detailed logs of email access and over 30 other types of log data. The default retention period for logs has also been increased, giving users more time to analyze potential security threats.

Image Source: U.S. Cybersecurity Magazine

This move by Microsoft is in line with its Security by Design philosophy, even though the initial design was not. Security by Design simply means that security must be integrated into systems from the ground up, rather than being added as an afterthought or an optional feature. Security should be intrinsic to the system, inherently protecting the data and functionality, and not merely an added layer that can be purchased. CISA released a statement along these lines, which seemed to me to carry a hint of irony in referring to the logging upgrade as “Microsoft’s decision”:

These actions are part of a coordinated effort with commercial and government customers and the Cybersecurity and Infrastructure Security Agency (CISA) to improve the type of security log data Microsoft provides to its customers. “After working collaboratively for over a year, I am extremely pleased with Microsoft’s decision to make necessary log types available to the broader cybersecurity community at no additional cost,” said CISA Director Jen Easterly.


So good on Microsoft for making the change . . . after they looked up to see CISA and all their government clients wielding the sword of Damocles. . .
