Clash of the Titans: Microsoft confronts the Chinese state-sponsored group Storm-0558
The hackers went after the company's cloud customers.
Microsoft has announced that it detected and mitigated a cyberattack by Chinese state-sponsored hackers against around 25 organizations, including government agencies, carried out as part of a cyber-espionage campaign aimed at sensitive data.
The activity began on May 15, 2023 and involved access to email accounts at approximately 25 organizations, as well as a small number of individual consumer accounts linked to those organizations.
Microsoft attributes the attacks to Storm-0558, which it describes as an APT group based in China and sponsored by the Chinese government. According to Microsoft's analysis, the group primarily targets government agencies in Western Europe for espionage, data theft and credential access. Storm-0558 is known to use custom malware that Microsoft tracks under the names Cigril and Bling to harvest credentials.
The intrusion was discovered about a month later, on June 16, 2023, after a customer reported anomalous activity in its Microsoft email accounts. The company says it has notified all affected organizations and agencies through their tenant administrators. The names of the affected organizations and agencies, as well as the number of compromised accounts, have not been disclosed.
Customer accounts were accessed through Outlook Web Access in Exchange Online (OWA) and Outlook.com using forged authentication tokens.
The attacker used an acquired Microsoft account (MSA) consumer signing key to forge the tokens and gain access to OWA and Outlook.com. MSA keys (consumer accounts) and Azure AD keys (enterprise tenants) are issued and managed by separate systems, and tokens signed by each should only be valid for its own system.
The attacker exploited a token validation flaw to impersonate Azure AD users: tokens signed with the consumer key were accepted as if they had been issued for enterprise users, which gave access to the target organizations' mail.
At this time there is no evidence that Azure AD keys or any other MSA keys were used in the attacks. Microsoft has nevertheless blocked the use of tokens signed with the acquired MSA key in OWA to mitigate the threat.
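The validation failure described above, modelled as an added example. This is illustrative code written for this article, not Microsoft's implementation, and everything in it is constructed: the issuer URLs, the tenant and user names, the key identifiers and the key material. Two issuers each publish their own key set; a validator that merges the sets and then trusts the token's own `iss`, `tid` and `upn` claims after checking only the signature will accept a token signed with the consumer key but claiming to come from the enterprise issuer. The hardened validator lets the resource declare which issuers it trusts and resolves `kid` only within the claimed issuer's key set. HMAC keys stand in for the asymmetric signing keys so the example runs with the Python standard library alone; the logic being demonstrated is the key-to-issuer binding, not the signature algorithm.

```python
# Illustrative model of a signing key that is not bound to its issuer.
# Added for this article; not Microsoft's code. All identifiers, URLs and
# key material are constructed for the example.
import base64
import hashlib
import hmac
import json
import time

CONSUMER_ISSUER = "https://login.live.com"                                 # MSA-like (assumed)
ENTERPRISE_ISSUER = "https://login.microsoftonline.com/contoso-tenant-id"  # Azure AD-like (assumed)
OWA_AUDIENCE = "https://outlook.office.com"                                # resource the token targets

# HMAC keys stand in for each issuer's asymmetric signing keys so that this
# runs with the standard library only. Each issuer has its own key set.
KEY_SETS = {
    CONSUMER_ISSUER:   {"msa-key-01": b"constructed-consumer-key-material"},
    ENTERPRISE_ISSUER: {"aad-key-01": b"constructed-enterprise-key-material"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, key: bytes, claims: dict) -> str:
    """Mint a compact HS256 JWT. The signer chooses every claim, including 'iss'."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    body = dict(claims, exp=int(time.time()) + 3600)
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(body).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _parse(token: str):
    h, p, s = token.split(".")
    return json.loads(_unb64url(h)), json.loads(_unb64url(p)), _unb64url(s), h + "." + p


def _signature_ok(key: bytes, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def _common_claims_ok(claims: dict, audience: str) -> bool:
    return claims.get("aud") == audience and claims.get("exp", 0) > time.time()


def validate_vulnerable(token: str, audience: str):
    """Flawed: resolves 'kid' against one key set merged from every issuer.
    Any key in the merged set can vouch for any issuer, so whoever holds the
    consumer key controls 'iss', 'tid' and 'upn'. Returns claims or None."""
    header, claims, sig, signing_input = _parse(token)
    merged = {kid: key for key_set in KEY_SETS.values() for kid, key in key_set.items()}
    key = merged.get(header.get("kid"))
    if key is None or not _signature_ok(key, signing_input, sig):
        return None
    return claims if _common_claims_ok(claims, audience) else None


def validate_hardened(token: str, audience: str, trusted_issuers: set):
    """Fixed: the resource names the issuers it trusts, and 'kid' is resolved
    only within the key set of the issuer the token claims to come from."""
    header, claims, sig, signing_input = _parse(token)
    issuer = claims.get("iss")
    if issuer not in trusted_issuers:
        return None
    key = KEY_SETS.get(issuer, {}).get(header.get("kid"))  # key must belong to the claimed issuer
    if key is None or not _signature_ok(key, signing_input, sig):
        return None
    return claims if _common_claims_ok(claims, audience) else None


def forge_with_consumer_key() -> str:
    """Attacker holding the consumer key mints a token claiming an enterprise identity."""
    return sign_token("msa-key-01", KEY_SETS[CONSUMER_ISSUER]["msa-key-01"],
                      {"iss": ENTERPRISE_ISSUER, "aud": OWA_AUDIENCE,
                       "tid": "contoso-tenant-id", "upn": "alice@contoso.example"})


def legitimate_enterprise_token() -> str:
    """Token the enterprise issuer itself would mint for the same user."""
    return sign_token("aad-key-01", KEY_SETS[ENTERPRISE_ISSUER]["aad-key-01"],
                      {"iss": ENTERPRISE_ISSUER, "aud": OWA_AUDIENCE,
                       "tid": "contoso-tenant-id", "upn": "alice@contoso.example"})


if __name__ == "__main__":
    forged = forge_with_consumer_key()
    enterprise_only = {ENTERPRISE_ISSUER}
    print("vulnerable validator accepts forged token:", validate_vulnerable(forged, OWA_AUDIENCE) is not None)
    print("hardened validator accepts forged token:  ", validate_hardened(forged, OWA_AUDIENCE, enterprise_only) is not None)
    print("hardened validator accepts legitimate:    ",
          validate_hardened(legitimate_enterprise_token(), OWA_AUDIENCE, enterprise_only) is not None)
```

Running the script shows the vulnerable validator returning the forged enterprise claims while the hardened one rejects the same token and still accepts the legitimately issued one. The same pattern is what Microsoft's mitigation amounts to operationally: a resource serving enterprise mail must refuse tokens whose signing key does not belong to the enterprise issuer, regardless of what the token says about itself.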
Recall that the Biden administration plans to restrict Chinese companies' access to US cloud computing services. The proposed restriction is seen as a way to close a significant loophole: national security analysts warn that Chinese AI companies may have circumvented current export control regulations by using cloud services.
Separately, Microsoft today disclosed an unpatched zero-day vulnerability in multiple Windows and Office products that has been exploited in the wild for remote code execution (RCE) using malicious Office documents.