Storm-0558 APT leveraged stolen keys to breach Azure AD

July 26, 2023

Tech giant Microsoft recently encountered a validation error within its source code, triggering a security breach within Azure Active Directory (Azure AD). This vulnerability became a gateway for the alleged China-based threat group Storm-0558, allowing them to exploit an inactive Microsoft account (MSA) consumer signing key, leading to compromised security for a substantial number of organisations.

Storm-0558’s tactics involved leveraging the stolen key to forge authentication tokens for both Azure AD enterprise and MSA consumer accounts, resulting in unauthorised access to critical services like OWA and Outlook.
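The forgery described above worked because the token verifier accepted a consumer-account signing key for enterprise tokens. The following added example (not code from the article, from Microsoft, or from the Azure AD implementation) shows a minimal token verifier with the flawed global key lookup beside a hardened one that binds each key to the single issuer it may sign for and refuses retired keys. HMAC-SHA256 stands in for the RSA signatures a production identity service uses so the example runs on the Python standard library alone; the scoping logic is the same either way. All key ids, secrets, issuers and audiences are constructed.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed key material (assumption, not real key ids). Each record names the
# issuer the key is bound to and whether it is still in service.
KEYS = {
    "consumer-key-01": {"secret": b"constructed-retired-consumer-secret",
                        "issuer": "https://login.consumer.example", "active": False},
    "consumer-key-02": {"secret": b"constructed-live-consumer-secret",
                        "issuer": "https://login.consumer.example", "active": True},
    "enterprise-key-07": {"secret": b"constructed-enterprise-secret",
                          "issuer": "https://login.enterprise.example", "active": True},
}


def sign_token(kid: str, claims: dict) -> str:
    """Build a compact JWS with the named key (HMAC stand-in for RSA)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _parse(token: str):
    h, p, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s), h + "." + p


def _signature_ok(kid: str, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def verify_weak(token: str, issuer: str, audience: str, now: float) -> bool:
    """Flawed verifier: any key with a known kid validates any issuer's token."""
    header, claims, sig, signing_input = _parse(token)
    kid = header.get("kid")
    if kid not in KEYS or not _signature_ok(kid, signing_input, sig):
        return False
    return claims.get("iss") == issuer and claims.get("aud") == audience and claims.get("exp", 0) > now


def verify_scoped(token: str, issuer: str, audience: str, now: float):
    """Hardened verifier: the key must be live, the signature valid, and the key
    bound to the very issuer the token claims. Returns (accepted, reason)."""
    header, claims, sig, signing_input = _parse(token)
    key = KEYS.get(header.get("kid"))
    if key is None or not key["active"]:
        return False, "unknown or retired kid"
    if not _signature_ok(header["kid"], signing_input, sig):
        return False, "bad signature"
    if key["issuer"] != claims.get("iss"):
        # Worth alerting on: a key from one identity system presented for another.
        return False, "key not authorised for this issuer"
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        return False, "issuer/audience mismatch"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    return True, "ok"


def demo(now: float = 1_700_000_000.0) -> dict:
    """Run both verifiers over a legitimate token and two cross-issuer forgeries."""
    enterprise = "https://login.enterprise.example"
    aud = "mail-service"
    claims = {"iss": enterprise, "aud": aud, "sub": "user@tenant.example", "exp": now + 3600}
    legit = sign_token("enterprise-key-07", claims)
    forged_retired = sign_token("consumer-key-01", claims)  # retired consumer key
    forged_live = sign_token("consumer-key-02", claims)     # live consumer key
    return {
        "legit": (verify_weak(legit, enterprise, aud, now),
                  verify_scoped(legit, enterprise, aud, now)),
        "forged_retired": (verify_weak(forged_retired, enterprise, aud, now),
                           verify_scoped(forged_retired, enterprise, aud, now)),
        "forged_live": (verify_weak(forged_live, enterprise, aud, now),
                        verify_scoped(forged_live, enterprise, aud, now)),
    }


if __name__ == "__main__":
    for name, (weak, scoped) in demo().items():
        print(f"{name:15} weak={weak}  scoped={scoped}")
```

The weak verifier accepts both forgeries because the signature checks out against a key it knows, and the claims say what the relying party expects. The scoped verifier rejects them for two independent reasons (retired key, and key not bound to the claimed issuer) before the claims are even compared; the second rejection is the one worth writing to an audit log, since a key from one identity system being presented for another is not a condition normal clients produce.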

The Azure AD attack has targeted prominent entities, including government organisations, diplomatic bodies, media companies, and telecom providers.

Storm-0558 has been active in the threat landscape since at least August 2021. Microsoft’s investigation revealed sophisticated attack tactics of the group, including credential harvesting, phishing campaigns, and OAuth token attacks meticulously aimed at Microsoft accounts. The tech giant also described the group as technically adept and well-resourced, emphasising their high level of technical tradecraft and operational security.

The group’s arsenal includes deploying the China Chopper web shell, providing them with backdoor access, and a tool named Cigril, facilitating the stealthy theft of credentials.

Once inside the targeted networks, Storm-0558 uses PowerShell and Python scripts to extract sensitive email data, including attachments, folder information, and entire conversations, exploiting Outlook Web Access (OWA) API calls.

Amidst this disclosure, Microsoft faces criticism for its handling of the Azure AD breach and for placing forensic capabilities behind additional licensing tiers, leaving customers without access to the audit logs that could have aided incident analysis.

Furthermore, the timing of Storm-0558’s actions coincides with the U.K.’s Intelligence and Security Committee of Parliament (ISC) publishing a detailed report on China, underscoring the country’s highly effective cyber espionage capabilities, capable of infiltrating foreign government and private sector IT systems with alarming ease.

This cyber espionage campaign should serve as a reminder to organisations and users of the ever-present threat posed by sophisticated actors and of the continuing need for robust defence strategies to safeguard sensitive information against stealthy intelligence breaches.
