Microsoft vulnerability enables sophisticated cyber attack targeting governments and organizations


In a shocking development, Microsoft revealed that a validation error in its source code enabled hackers to breach over two dozen organizations by forging Azure Active Directory (Azure AD) tokens. The breach, orchestrated by a threat actor known as Storm-0558, exploited a Microsoft account (MSA) consumer signing key, allowing unauthorized access to email accounts and the exfiltration of sensitive mailbox data.

The campaign, which primarily targeted government entities, diplomatic bodies, media companies, think tanks, and telecommunications providers, raised concerns about the sophistication and operational security of the malicious actor. Storm-0558 is believed to be a China-based threat actor engaging in cyber espionage, although China has denied these allegations.

Microsoft’s deeper analysis of the incident revealed that Storm-0558 acquired an inactive MSA consumer signing key and used it to forge authentication tokens that were accepted for both Azure AD enterprise and MSA consumer accounts. While the method of obtaining the key is still under investigation, Microsoft has already corrected the validation issue to prevent similar attacks in the future.
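The paragraph above describes the core defect: a token signed with a key meant for one identity system (consumer accounts) was accepted for another (enterprise tenants), and the key was no longer even in service. The example below is added here to illustrate that class of check; it is not Microsoft's code and does not reproduce Azure AD internals. It uses a toy HMAC-signed JWT-like token, a constructed key registry with per-key `scope` and `status` metadata, and constructed issuer URLs on `example` domains, all of which are assumptions. `validate_weak` checks only that a known key produced the signature; `validate_strict` additionally requires that the key is active, that the key's scope matches the audience being protected, that the token's issuer agrees with that scope, and that the token has not expired.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key registry (assumption: a validator knows, for every key id,
# which identity system the key may sign for and whether it is still in use).
KEYS = {
    "msa-consumer-2016": {
        "secret": b"constructed-consumer-secret",
        "scope": "consumer",
        "status": "inactive",  # retired key, as in the incident description
    },
    "aad-enterprise-2023": {
        "secret": b"constructed-enterprise-secret",
        "scope": "enterprise",
        "status": "active",
    },
}

# Constructed issuer values; each issuer belongs to exactly one scope.
CONSUMER_ISS = "https://consumer.issuer.example/"
ENTERPRISE_ISS = "https://enterprise.issuer.example/"
ISSUER_SCOPE = {CONSUMER_ISS: "consumer", ENTERPRISE_ISS: "enterprise"}

# Fixed clock for deterministic examples (constructed value).
NOW = 1_700_000_000


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(kid: str, claims: dict) -> str:
    """Sign claims with the named key (toy HS256; real tokens use RSA)."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _parse(token: str):
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    claims = json.loads(_b64url_decode(p))
    return header, claims, h + "." + p, _b64url_decode(s)


def _signature_ok(kid, signing_input: str, sig: bytes) -> bool:
    key = KEYS.get(kid)
    if key is None:
        return False
    expected = hmac.new(key["secret"], signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def validate_weak(token: str) -> bool:
    """Defective pattern: any known key that verifies the signature is accepted,
    regardless of what that key was issued for or whether it is still in service."""
    header, _claims, signing_input, sig = _parse(token)
    return _signature_ok(header.get("kid"), signing_input, sig)


def validate_strict(token: str, expected_scope: str, now: int = None) -> bool:
    """Hardened pattern: signature, key status, key scope, issuer and expiry
    must all agree with the audience this validator protects."""
    header, claims, signing_input, sig = _parse(token)
    kid = header.get("kid")
    if not _signature_ok(kid, signing_input, sig):
        return False
    key = KEYS[kid]
    if key["status"] != "active":
        return False  # retired keys must never validate new tokens
    if key["scope"] != expected_scope:
        return False  # a consumer key cannot vouch for an enterprise audience
    if ISSUER_SCOPE.get(claims.get("iss")) != expected_scope:
        return False  # issuer claim must match the scope being checked
    current = time.time() if now is None else now
    if claims.get("exp", 0) <= current:
        return False
    return True


def demo() -> dict:
    """Constructed scenario: a token for an enterprise user signed with the
    inactive consumer key, beside a legitimately signed enterprise token."""
    cross_scope = mint_token(
        "msa-consumer-2016",
        {"iss": ENTERPRISE_ISS, "sub": "user@corp.example", "exp": NOW + 3600},
    )
    legitimate = mint_token(
        "aad-enterprise-2023",
        {"iss": ENTERPRISE_ISS, "sub": "user@corp.example", "exp": NOW + 3600},
    )
    return {
        "weak_accepts_cross_scope": validate_weak(cross_scope),
        "strict_accepts_cross_scope": validate_strict(cross_scope, "enterprise", now=NOW),
        "strict_accepts_legitimate": validate_strict(legitimate, "enterprise", now=NOW),
        "strict_rejects_expired": not validate_strict(legitimate, "enterprise", now=NOW + 7200),
    }


if __name__ == "__main__":
    print(demo())
```

The point of keeping key scope and key status as validator-side metadata, rather than trusting whatever the token's header says, is that a leaked key is then only as useful as the narrow audience it was issued for, and a retired key is useless the moment it is marked inactive. Both properties are what the weak validator lacks.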

It remains uncertain whether the vulnerability was a zero-day exploit or if Microsoft was already aware of the problem before it was exploited by Storm-0558. The breach came to light when the U.S. State Department identified unusual email activity related to Exchange Online data access, prompting Microsoft to investigate the incident.

The cyber attacks orchestrated by Storm-0558 date back to at least August 2021 and involved techniques including credential harvesting, phishing campaigns, and OAuth token attacks, primarily targeting Microsoft accounts. The threat actor demonstrated a deep understanding of authentication techniques and applications, indicating a high level of technical expertise.

Initial access to the targeted networks was achieved through phishing and exploiting security vulnerabilities in public-facing applications. Once inside the networks, Storm-0558 deployed the China Chopper web shell for backdoor access and utilized a tool named Cigril for credential theft.

To extract email data, the threat actor employed PowerShell and Python scripts, leveraging Outlook Web Access (OWA) API calls. This enabled them to retrieve attachments, folder information, and entire conversations from compromised accounts.

Microsoft has emphasized the need for organizations to remain vigilant against cyber threats, urging them to implement robust security measures and stay up to date with the latest patches and updates. The incident serves as a stark reminder of the persistent and evolving nature of cyber attacks, which require constant effort to defend against.

As investigations into the breach continue, both affected organizations and the cybersecurity community at large are keenly watching for further developments, with the hope of preventing similar incidents in the future.
