Chinese Cyberespionage Group Compromises U.S. and European Gov Emails, Threat Mitigated

China’s Storm-0558 compromised 25 email accounts belonging to government officials by forging authentication tokens.

July 13, 2023

  • Microsoft disclosed that Chinese threat actors hacked the emails of over two dozen government officials and related consumer accounts across the U.S. and Western Europe.
  • Chinese cyberespionage group Storm-0558 is behind the hack.
  • Senior officials from the FBI and CISA confirmed that compromised systems were unclassified and that the number of impacted U.S. organizations was in the single digits.

This week, Microsoft disclosed that Chinese threat actors hacked the emails of over two dozen government officials and related consumer accounts across the U.S. and Western Europe. The threat group, tracked as Storm-0558 by Microsoft, exploited a recently discovered vulnerability in Exchange Online Outlook, Microsoft’s cloud email service.

Microsoft’s disclosure came almost a month after a Federal Civilian Executive Branch (FCEB) agency identified suspicious activity on June 15, 2023, and reported it to the company and to the Cybersecurity and Infrastructure Security Agency (CISA): the hackers had accessed and exfiltrated unclassified Exchange Online Outlook data from the agency’s Microsoft 365 (M365) cloud environment.

The Redmond-based IT giant said it mitigated the attack, in which Storm-0558 compromised 25 email accounts by forging authentication tokens to access Outlook Web Access in Exchange Online (OWA) and Outlook.com, starting May 15, 2023.

“Email is also the source of a lot of potentially sensitive information shared within an organization. People tend to trust internal organizationally managed email systems to have conversations about sensitive topics, something that they would not do using a commercial email platform such as Gmail or Hotmail,” Erich Kron, security awareness advocate at KnowBe4, told Spiceworks.

“Controlling access to legitimate email accounts is one of the more dangerous tools bad actors can have in their toolbox. Not only do many of us use our email accounts to reset passwords, potentially to platforms these bad actors would like to access, but there are also conversations that have taken place that can be used to attempt to steal information or take action.”

“It’s not unusual to see a bad actor restart an email thread or take an active role in email discussions through the compromised account, using the trust built through previous interactions to victimize people.”

Storm-0558 is a cyberespionage syndicate that also engages in data theft, primarily from Western European organizations. Microsoft didn’t name the organizations affected by the cyberattack. However, sources told The Washington Post that classified systems were safe from the attack and that it didn’t affect email accounts owned by the military, the Pentagon, or similar organizations.

Senior officials from the FBI and CISA confirmed to reporters that compromised systems were unclassified and that the number of impacted U.S. organizations was in the single digits.

Microsoft clarified that the incident involved forged tokens signed with a single acquired Microsoft account (MSA) signing key, and didn’t involve Azure Active Directory keys or any other MSA keys.


“MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems. The actor exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail. We have no indications that Azure AD keys or any other MSA keys were used by this actor. OWA and Outlook.com are the only services where we have observed the actor using tokens forged with the acquired MSA key.” – Microsoft

Microsoft has mitigated the hack by blocking the use of tokens signed with the acquired MSA key in OWA and replacing the key to prevent the threat actor from using it to forge tokens.
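The token validation issue Microsoft describes, and the block-and-rotate mitigation that followed, as an added illustration in Python (not Microsoft's code): a toy HS256 token scheme with constructed consumer (MSA) and enterprise (Azure AD) keyrings, a flawed validator that accepts any known key id for enterprise mail, a hardened validator scoped to enterprise keys only, and a step that blocks the acquired key and replaces it. Key ids, key bytes and the audience string are assumptions.

```python
import base64, hashlib, hmac, json

# Constructed sample keyrings (not real Microsoft keys). Each identity system
# has its own signing keys, looked up by key id (kid).
MSA_KEYS = {"msa-kid-1": b"consumer-signing-secret"}    # consumer (MSA) keys
AAD_KEYS = {"aad-kid-1": b"enterprise-signing-secret"}  # enterprise (Azure AD) keys
BLOCKED_KIDS = set()  # kids whose tokens are rejected outright (mitigation step 1)

def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(claims: dict, kid: str, key: bytes) -> str:
    """Mint an HS256 JWT-style token; whoever holds the key chooses every claim."""
    header = _b64u(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64u(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64u(sig)}"

def _verify(token: str, keyring: dict, now: int):
    header_b64, body_b64, sig_b64 = token.split(".")
    kid = json.loads(_unb64u(header_b64)).get("kid")
    if kid in BLOCKED_KIDS or kid not in keyring:
        return None  # unknown or blocked signing key
    mac = hmac.new(keyring[kid], f"{header_b64}.{body_b64}".encode(), hashlib.sha256)
    if not hmac.compare_digest(mac.digest(), _unb64u(sig_b64)):
        return None  # signature does not verify under that key
    claims = json.loads(_unb64u(body_b64))
    if claims.get("aud") != "enterprise-mail" or claims.get("exp", 0) <= now:
        return None  # wrong audience or expired
    return claims

def validate_flawed(token: str, now: int = 0):
    """The validation issue: enterprise mail trusts every kid it knows, so a
    token signed with a consumer (MSA) key is accepted for Azure AD users."""
    return _verify(token, {**MSA_KEYS, **AAD_KEYS}, now)

def validate_hardened(token: str, now: int = 0):
    """Only keys issued by the enterprise identity system are valid here."""
    return _verify(token, AAD_KEYS, now)

def rotate_and_block(old_kid: str, new_kid: str, new_key: bytes) -> None:
    """Mitigation as described: block tokens signed with the acquired key,
    then replace that key so it can no longer be used to forge tokens."""
    BLOCKED_KIDS.add(old_kid)
    MSA_KEYS.pop(old_kid, None)
    MSA_KEYS[new_kid] = new_key
```

Blocking the acquired kid stops the forged tokens even in the flawed validator, but only the scoped keyring in validate_hardened closes the underlying cross-system acceptance.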

“Generally speaking, it is a good idea to enable multi-factor authentication on email accounts to help protect against account takeover through stolen credentials or easily guessed passwords,” Kron added.

“In this case, because they use forged tokens, protections may be limited by MFA. It is very important that users report potential email oddities, such as receiving a notification of an email received, but having it missing from the inbox, as that may be a sign of a bad actor communicating with someone else, then trying to cover their tracks.”

Microsoft’s disclosure of Chinese cyberespionage came on the same day it disclosed a series of remote code execution vulnerabilities being tracked as CVE-2023-36884 and affecting Microsoft Office and Windows. The bugs are being exploited by the Russia-based Storm-0978 (RomCom) to target defense and government entities in Europe and North America.

“Unfortunately, there is no simple patch at the moment for CVE-2023-36884,” Ashley Leonard, founder & CEO at Syxsense, told Spiceworks. Microsoft is expected to roll out an out-of-band patch before August Patch Tuesday.

Until then, admins can deploy a countermeasure to remediate the vulnerability: “to block all Office applications from creating child processes and update registry keys to avoid exploitation. For those utilizing unified security and endpoint management solutions, you should be able to utilize a workflow countermeasure immediately to accomplish this.”

“However, it’s still important to note that updating registry settings could affect regular functionality for certain use cases related to these applications. And Microsoft also recommends turning on cloud-delivered protection in Microsoft Defender Antivirus, as Microsoft Defender can help protect organizations against this zero-day.”



Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis