State-sponsored hackers infiltrate Outlook accounts, prompting Microsoft to bolster the security of its key-issuance systems.
Microsoft has taken significant steps to secure its systems and protect users from a sophisticated hacking group known as Storm-0558. On June 29, the tech giant completed the replacement of a key that was being used by the hackers to forge tokens, a move that aims to prevent future attacks on Microsoft accounts.
The hacking group, believed to be China-linked, has been using various tactics in its campaigns, including email theft, credential harvesting, phishing, and OAuth token attacks. In past campaigns, Storm-0558 has led to the deployment of web shells, such as China Chopper, on compromised servers. The group has also been linked to the deployment of a malware family known as Cigril.
Microsoft's actions come after the hackers acquired an inactive Microsoft account (MSA) consumer signing key, which they used to forge tokens and steal emails from the U.S. State Department. In response, Microsoft has hardened its key-issuance systems and revoked all prior keys.
The upgrades disrupted the mechanism the hackers may have used to acquire MSA keys, but the group has since been observed trying other techniques. The FBI and CISA are urging organisations to enable audit logging and harden their cloud environments to protect against such threats.
On June 26, Microsoft stopped the renewal of tokens issued by GetAccessTokensForResource for Outlook Web Access (OWA). On June 27, the company blocked the use of tokens signed with the acquired MSA key in OWA, preventing further enterprise mail activity by the malicious actors.
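The key revocation and the blocking of tokens signed with the acquired key both come down to what a token verifier is willing to accept. The following Python example is added here and is not Microsoft's code: it keeps a small key registry with a status per key identifier, refuses any token whose `kid` points at a revoked key, checks the signature, and requires that the issuer named in the token match the issuer the signing key belongs to, so a consumer-account key cannot vouch for an enterprise token. The registry, key names, issuer URLs and claims are constructed for the example, and HMAC (HS256) stands in for the asymmetric signatures a real issuer uses so that the block runs with the standard library alone.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed key registry standing in for a key-issuance service.
# Real issuers sign with asymmetric keys and publish only the public halves;
# shared secrets are used here so the example runs offline with stdlib only.
CONSUMER_ISS = "https://login.live.example/consumer"    # hypothetical issuer
ENTERPRISE_ISS = "https://login.example/enterprise"     # hypothetical issuer

KEY_REGISTRY = {
    # A retired consumer key: must never validate again once revoked.
    "msa-consumer-2016": {"secret": b"consumer-2016-EXAMPLE", "issuer": CONSUMER_ISS, "status": "revoked"},
    # A current consumer key: valid, but only for consumer-issued tokens.
    "msa-consumer-2023": {"secret": b"consumer-2023-EXAMPLE", "issuer": CONSUMER_ISS, "status": "active"},
    # A current enterprise key.
    "aad-enterprise-2023": {"secret": b"enterprise-2023-EXAMPLE", "issuer": ENTERPRISE_ISS, "status": "active"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(kid: str, claims: dict) -> str:
    """Build a JWT-style token signed by the registry key `kid`.
    Only used to construct sample tokens for the verifier below."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEY_REGISTRY[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, expected_issuer: str, expected_audience: str,
                 now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Each rejection names the failed check so it
    can be written to the audit log and alerted on."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        return False, "malformed token"

    kid = header.get("kid")
    entry = KEY_REGISTRY.get(kid)
    if entry is None:
        return False, f"unknown signing key {kid!r}"
    # 1. A revoked or retired key fails closed before the signature is even checked.
    if entry["status"] != "active":
        return False, f"key {kid!r} is {entry['status']}"
    # 2. Signature over header.payload, compared in constant time.
    expected_sig = hmac.new(entry["secret"], (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected_sig):
        return False, "bad signature"
    # 3. The key must belong to the issuer the token names, and that issuer must be
    #    the one this service trusts: a key from one identity system cannot vouch
    #    for tokens of another.
    if claims.get("iss") != entry["issuer"] or claims.get("iss") != expected_issuer:
        return False, "issuer does not match signing key"
    if claims.get("aud") != expected_audience:
        return False, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"


def run_scenarios(now: float = 1_700_000_000.0) -> dict:
    """Run the verifier over constructed tokens and return the reason per case."""
    base = {"sub": "user@agency.example", "aud": "outlook-web", "exp": now + 3600, "iss": ENTERPRISE_ISS}
    cases = {
        "legitimate enterprise token": mint_token("aad-enterprise-2023", base),
        "signed with retired consumer key": mint_token("msa-consumer-2016", base),
        "signed with active consumer key": mint_token("msa-consumer-2023", base),
    }
    # Claims edited after signing: the signature no longer covers the payload.
    header_b64, _, sig_b64 = cases["legitimate enterprise token"].split(".")
    cases["claims edited after signing"] = header_b64 + "." + _b64url(json.dumps({**base, "sub": "other"}).encode()) + "." + sig_b64
    return {name: verify_token(tok, ENTERPRISE_ISS, "outlook-web", now)[1] for name, tok in cases.items()}


if __name__ == "__main__":
    for name, reason in run_scenarios().items():
        print(f"{name}: {reason}")
```

The third scenario is the one worth noting: the token's signature is genuine, yet it is still refused because the key that produced it is registered to a different issuer than the token claims. Logging the reason string on every rejection gives the audit trail that a later investigation would need.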
On Friday, Microsoft released additional analysis of the attack, and the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) released updated guidance on the threat activity. The China-based group Storm-0558 is assessed to be linked to the Chinese government or state-sponsored actors, but the identities of the individuals behind it have not been publicly disclosed.
Storm-0558 has targeted diplomatic, economic and legislative bodies, media companies, think tanks, and telecom equipment and service providers. The group has been observed accessing data from about two dozen other organisations.
Microsoft blocked the usage of the key for all impacted consumer customers on July 3, marking a significant step in securing its systems and protecting users from this sophisticated threat actor.