Remiss Microsoft – Rivals Had a Feast in Well-guarded Collaboration Space

Storm-0558 has been all over the press recently after these China-based hackers exploited a flaw in Microsoft’s cloud email service to gain access to the email accounts of U.S. government employees.

A few months ago, Microsoft announced that it had switched to a new threat actor naming taxonomy built around the theme of weather.

The complexity, scope, and volume of threats are expanding, necessitating a rethinking of not only how Microsoft talks about threats, but also how consumers can comprehend those threats quickly and clearly.

For example, the name ‘Tempest’ will be assigned to financially motivated groups. The name ‘Tsunami’ will be given to private sector offensive actors. Influence operations will be labeled with the word ‘Flood.’

If a threat comes from an unknown source or cannot be attributed right away, Microsoft uses the term Storm, followed by a four-digit number, as a temporary name until the actor can be fully identified.

Shortly after the new naming scheme arrived, we saw the debut of a group of hackers carrying one of those temporary Storm names: they broke into government email systems and were able to snoop around undetected for almost a month.

Anonymous “Storm” Killing National Cybersecurity in Silence

According to statements from Microsoft and the White House late on July 11, 2023, China-based hackers breached email accounts at two dozen organizations, including several US government agencies, in an apparent espionage campaign aimed at gathering sensitive information.

Microsoft attributes the incident to a China-based adversary that it tracks as Storm-0558.

The full extent of the break-in is still being assessed, but in recent weeks US officials and Microsoft have been quietly working to gauge the impact of the hack, which targeted unclassified email networks, and to mitigate its effects.

According to a person familiar with the situation, the State Department was the first government department to notice the Chinese hackers. According to the source, the State Department then reported the suspicious conduct to Microsoft.

The Commerce Department, which has sanctioned Chinese telecom corporations, was also breached. According to a source familiar with the inquiry, the hackers gained access to Commerce Secretary Gina Raimondo’s email account. The Washington Post was the first to report on the secretary’s account being accessed.

Multiple individuals familiar with the investigation told CNN that the Chinese hackers were spotted targeting a small number of government agencies and just a handful of officials’ email accounts at each agency in a hack aimed at specific officials.

“Microsoft notified the (Commerce) Department of a compromise to Microsoft’s Office 365 system, and the Department took immediate action to respond,” a department spokesperson said in a statement.

The spokesperson did not respond right away to a request for comment on the targeting of Raimondo’s email account.

Two sources familiar with the situation told CNN that the hackers targeted email accounts at the House of Representatives, but it was unclear who was targeted or whether the breach attempts were successful.

The attacks exacerbate one of the most difficult cybersecurity concerns confronting the Biden administration: preventing Beijing’s sophisticated hacking teams’ access to US government and corporate sensitive information.


“Last month, US government safeguards identified an intrusion in Microsoft’s cloud security, which affected unclassified systems,” National Security Council spokesperson Adam Hodge said in a statement to CNN.

“Officials immediately contacted Microsoft to find the source and vulnerability in their cloud service,” Hodge said. “We continue to hold the procurement providers of the US Government to a high security threshold.”

The State Department “detected anomalous activity, took immediate steps to secure our systems, and will continue to closely monitor and quickly respond to any further activity,” a department official said on July 12.

The number of US entities affected by the hacking campaign, public or private, is in the “single digits,” according to a senior US Cybersecurity and Infrastructure Security Agency official on July 12.

“This appears to have been a very targeted, surgical campaign,” the official said.

According to The Washington Post’s sources, the attack touched unclassified systems and did not appear to have compromised email accounts associated with the Pentagon, military, or intelligence community.

Still, some data was undoubtedly taken from these government and commercial email accounts. We will likely find out only in the months or years to come exactly how significant the stolen material was, because thirty days is a long time to be roaming around in these extremely active enterprise systems.

When the Behemoth Pulled Down to Earth – Microsoft Vulnerability Unveiled

The group used forged authentication tokens to access the affected email accounts via Outlook Web Access (OWA) in Exchange Online and Outlook.com starting May 15, remaining concealed for a month until Microsoft began its investigation on June 16 following “customer reported information.”

On June 16, 2023, a customer reported unusual Exchange Online data access to Microsoft. Based on the actor’s previously observed TTPs, Microsoft attributed the activity to Storm-0558 and found that the group was using Outlook Web Access (OWA) to reach the customer’s Exchange Online data.

Microsoft’s initial working theory was that the attacker was obtaining legitimately issued Azure Active Directory (Azure AD) tokens, most likely via malware on infected user machines. Microsoft’s analysts then discovered that the actor was gaining access with Exchange Online authentication artifacts, which are normally derived from Azure AD authentication tokens (Azure AD tokens).

Further investigation over the following days revealed that these internal Exchange Online authentication artifacts did not correspond to any Azure AD tokens in Microsoft’s logs.

Microsoft’s analysts began looking into the possibility that the actor was forging authentication tokens with an acquired Azure AD enterprise signing key. An in-depth examination of the Exchange Online activity revealed that the actor was in fact forging Azure AD tokens with an acquired Microsoft account (MSA) consumer signing key.

A validation flaw in Microsoft’s code made this possible: enterprise tokens were accepted even though they had been signed with a consumer key. Because the wrong key was used to sign the requests, Microsoft’s investigators were able to identify every actor access request that followed this pattern across both its enterprise and consumer services. A set of claims signed with that key is unambiguous evidence of actor activity, because no Microsoft system signs tokens in this manner.
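To make the class of flaw concrete, here is an added toy token validator (not Microsoft’s code, which has not been published) showing the difference between accepting a signature under any known key and binding the key to the token’s issuer, plus the retrospective detection the article describes. Key ids, issuer URLs, the tenant id and the HMAC secrets that stand in for real RSA signing keys are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed key sets. HMAC secrets stand in for the RSA signing keys real
# identity services use; the key-to-issuer binding is the point, not the algorithm.
CONSUMER_KEYS = {"msa-key-1": b"consumer-secret"}      # signs consumer (MSA) tokens
ENTERPRISE_KEYS = {"aad-key-1": b"enterprise-secret"}  # signs Azure AD tenant tokens
CONSUMER_ISSUER = "https://login.live.com"
ENTERPRISE_ISSUER = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000001/v2.0"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign(claims: dict, kid: str, key: bytes) -> str:
    """Mint a compact JWS (header.payload.signature) under the given key id."""
    header = b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def parse(token: str):
    header, body, sig = token.split(".")
    return (json.loads(b64url_decode(header)), json.loads(b64url_decode(body)),
            f"{header}.{body}".encode(), b64url_decode(sig))

def sig_ok(key: bytes, signed: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), sig)

def validate_vulnerable(token: str) -> bool:
    """Flawed check: the signature only has to verify under *some* known key,
    so a consumer key is accepted for a token that claims an enterprise issuer."""
    hdr, _claims, signed, sig = parse(token)
    key = {**CONSUMER_KEYS, **ENTERPRISE_KEYS}.get(hdr.get("kid"))
    return key is not None and sig_ok(key, signed, sig)

def validate_hardened(token: str, expected_issuer: str) -> bool:
    """Bind the key to the issuer: look the kid up only in that issuer's key set."""
    hdr, claims, signed, sig = parse(token)
    if claims.get("iss") != expected_issuer:
        return False
    keyset = CONSUMER_KEYS if expected_issuer == CONSUMER_ISSUER else ENTERPRISE_KEYS
    key = keyset.get(hdr.get("kid"))
    return key is not None and sig_ok(key, signed, sig)

def find_cross_signed(tokens):
    """Retrospective detection over a log of accepted tokens: an enterprise-issuer
    token carrying a consumer key id is the pattern no legitimate system produces."""
    hits = []
    for token in tokens:
        hdr, claims, _, _ = parse(token)
        if hdr.get("kid") in CONSUMER_KEYS and claims.get("iss") != CONSUMER_ISSUER:
            hits.append((hdr["kid"], claims["iss"], claims.get("sub")))
    return hits

# Constructed test inputs: a properly signed enterprise token, and the same
# claims signed with the consumer key, which is what the flawed validator accepts.
CLAIMS = {"iss": ENTERPRISE_ISSUER, "sub": "user@agency.example", "aud": "exchange-online"}
LEGIT_TOKEN = sign(CLAIMS, "aad-key-1", ENTERPRISE_KEYS["aad-key-1"])
CROSS_SIGNED_TOKEN = sign(CLAIMS, "msa-key-1", CONSUMER_KEYS["msa-key-1"])
```

The hardened validator also rejects a genuine enterprise token presented to a service that expects the consumer issuer, which is the other half of the same binding.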

The use of acquired signing material to forge authentication tokens in order to access customer Exchange Online data is a departure from previous Storm-0558 activity. Microsoft’s investigations found no other instances of this pattern being used by other parties, and the company says it has taken steps to prevent future abuse.

Microsoft says it has contacted all customers targeted in the breach and put mitigations in place for them. The IT behemoth said it has strengthened its defenses by adding “substantial automated detections” to identify activity associated with the attack and is now collaborating with the Department of Homeland Security’s cyber defense arm to protect affected users.

The remaining organizations and government agencies affected by the hackers have not been disclosed.

Storm-0558 has previously targeted US and European diplomatic, economic, and legislative governmental entities, as well as individuals connected to Taiwan and Uyghur geopolitical interests, according to Microsoft.

This threat actor has a history of targeting media businesses, think tanks, and telecoms equipment and service providers. Most Storm-0558 operations aim to gain unauthorized access to email accounts belonging to employees of targeted companies.

While Microsoft describes in detail what the attacker was able to do with the hijacked accounts and what was done to protect them after the discovery, the company’s reports go to great lengths to avoid discussing the zero-day vulnerability in its token-verification code.

Microsoft still has no idea — or would rather not disclose — how the China-backed hackers obtained a key that let them into hundreds of email inboxes, including those of multiple federal government institutions.

Cybersecurity Showdown – The Battle of the Bald Eagle and Outcast Threats

The US government has not formally blamed China for the attack, possibly because the Biden administration is attempting to keep talks with Beijing on track. However, US officials privately stated that they agreed with Microsoft’s attribution of the hack to China and that it bore the hallmarks of a sophisticated, government-backed effort.


American authorities described the attacks as surgical, in contrast to the SolarWinds hack of 2019 and 2020, in which Russian intelligence exploited a weakness in the software supply chain to gain access to hundreds of computer networks.

Spy agencies typically use their footholds in adversary networks sparingly, to collect as much information as possible while remaining undetected.

The United States and China are locked in a heated intelligence competition, with both governments attempting to expand their collection against the other. While such espionage and hacking are to be expected, US authorities said they are conducting a thorough investigation to close both the hole the Chinese hackers used against the State Department and other potential security flaws in cloud computing.

Foreign governments frequently target the State Department. Russian intelligence has repeatedly targeted the State Department’s computer networks. Russian hackers breached the State Department, the Joint Chiefs of Staff, and the White House, as well as other key but unclassified computer networks, between 2014 and 2015.

Since taking office, the Biden administration has taken steps to restrict the export of US technologies that it believes will enhance China’s accelerated military development, surveillance capabilities, and deployment of weapons of mass destruction. Such controls are overseen by the Commerce Department, which has also placed Chinese companies on export blacklists.

The administration is planning to tighten export controls and impose new limitations on Chinese investments in innovative technologies.

Considering the importance of these tools in the administration’s strategy to compete with China, Beijing sees Raimondo as a “particularly important target… to understand her personal views,” according to Emily Kilcrease, senior fellow at the Center for a New American Security and former Commerce Department economic security official in the Obama and Trump administrations.

The latest incident strengthens the administration’s case as it pushes for cloud and software companies to be held more accountable for security flaws, a key component of its National Cybersecurity Strategy.

A Comprehensive Effort to Safeguard Our Digital Frontier

On July 17, 2023, the Biden administration and leading consumer technology businesses announced a nationwide cybersecurity certification and labeling scheme to assist consumers in selecting smart products that are less vulnerable to hacking.

Officials compared the new U.S. Cyber Trust Mark effort, which will be overseen by the Federal Communications Commission and in which manufacturer participation will be voluntary, to the Energy Star program, which verifies the energy efficiency of equipment.

“It will allow Americans to confidently identify which internet- and Bluetooth-connected devices are cybersecure,” deputy national security adviser Anne Neuberger told reporters in a pre-announcement briefing.

Among the industry participants are Amazon, Best Buy, Google, LG Electronics USA, Logitech, and Samsung.

According to officials, devices such as baby monitors, home security cameras, fitness trackers, TVs, refrigerators, and smart climate control systems that meet the US government’s cybersecurity requirements will begin to display the “Cyber Trust” label, a shield insignia, as early as next year.

According to FCC Chair Jessica Rosenworcel, the mark will give consumers “peace of mind” and assist manufacturers whose devices must meet National Institute of Standards and Technology criteria to qualify.

The FCC was launching a rule-making process to establish the standards and solicit public feedback. In addition to the logo, participating devices would carry a QR (quick response) code that can be scanned for up-to-date security information.

Consumers should expect to see certification-ready items during the Consumer Technology Association’s annual January event, CES 2024, once the FCC passes final guidelines, according to a statement. According to a senior Biden administration official, products that qualify for the logo will be re-certified on an annual basis.


Justin Brookman, Consumer Reports’ director of technology policy, applauded the White House idea but noted that “a long road remains” to its effective implementation.

He said, “Our hope is that this label will ignite a healthy sense of competition in the marketplace, compelling manufacturers to safeguard both the security and privacy of consumers who use connected devices and to commit to supporting those devices for the lifetime of those products.”

The Cyber Trust program was first unveiled following a meeting between White House officials and tech industry executives in October 2022.

The rise of so-called smart devices has coincided with an increase in cybercrime, since a single vulnerable item can often give an intruder a dangerous foothold on a home network.

Based on their monitoring of smart homes, cybersecurity firm Bitdefender and networking equipment manufacturer Netgear reported in April that smart TVs were by far the most vulnerable devices in 2022, followed by smart plugs, routers, and digital video recorders.

Many smart home device manufacturers fail to update and patch software quickly enough to combat rapidly developing malware threats.

Officials expect the Cyber Trust Mark standards to identify which devices patch vulnerable software promptly and encrypt their communications to protect privacy. Consumers will also be told which devices are capable of detecting intrusions.

Taken together, this effort and the Storm-0558 hack give us a fascinating chance to compare the centralized proprietary security model with the open-source, self-hosted one.

A Clash of Titans – Personal Cybersecurity vs. Centralized Proprietary Models

In the modern business landscape, it is increasingly uncommon to witness companies developing their email solutions from scratch. Instead, they tend to rely on established services such as Microsoft Exchange or Google for their company email and office suites.

Understandably, these large, well-established solutions are preferred because of the critical role email plays in business operations. The risks that come with running an email system make it hard for most organizations to handle incidents promptly or to stand up a custom email solution on their own.

Furthermore, the advantage of relying on big-name providers like Microsoft and Google is the availability of support and the assumption of secure software. However, this reliance also means surrendering some control over security to these companies.

In the event of a breach, high-profile companies or government organizations may receive support from the providers, but they also become dependent on them to create secure software. Unfortunately, sometimes, these providers might not prioritize patching vulnerabilities quickly, leaving their customers vulnerable.

An illustrative example of the risks posed by proprietary solutions is the recently disclosed vulnerability in Microsoft Teams. JUMPSEC Labs revealed a flaw that let external users bypass the restrictions on files sent into an organization from outside.


Although Microsoft acknowledged the issue, it decided the flaw did not require immediate attention because exploiting it also relies on social engineering. Yet the vulnerability could be used for phishing, making it a significant concern for one of the most widely used collaboration tools available.

The exposure of such flaws raises questions about how proprietary software vendors approach security. Microsoft’s handling of the vulnerability shows a level of complacency that is alarming, especially given the program’s popularity and widespread use.

The availability of tools such as the TeamsPhisher Python script further exacerbates the risk, since even less skilled attackers can potentially exploit this gap.

In contrast, open-source software offers an alternative that allows motivated companies with skilled developers to take control of their security. By forking the program and hardening it, they can actively address vulnerabilities and mitigate risks.

Although self-hosted email solutions demand more effort to maintain, they offer the advantage of customization and independence from single points of failure. With different software stacks across organizations, exploitation becomes a case-by-case challenge, potentially deterring many attackers who target widely adopted proprietary solutions.

While adopting a do-it-yourself (DIY) approach to email may not be suitable for all enterprises, it has been successful for some, especially in personal and small business use cases. The appeal lies in better data control and reduced reliance on large corporations like Microsoft. The trade-off is the need for more active involvement in managing the email infrastructure and security.

Beyond email security, there are also concerns about data privacy on various online platforms. Tax preparation services such as H&R Block, TaxAct, and TaxSlayer have been observed using the Meta Pixel on their web pages, which collects visitor data including HTTP headers and button clicks.

This level of tracking raises questions about data protection and how such companies handle user information, considering the potential for misuse or unauthorized data access.

Ultimately, the security of data relies on the choices made by individuals and organizations. While proprietary solutions from large corporations may provide convenience and support, they are not immune to vulnerabilities and delays in addressing them.

On the other hand, open-source and self-hosted alternatives offer more control and transparency, making them appealing to those who prioritize data privacy and security. The decision to choose between these approaches must consider the specific needs, resources, and risk tolerance of each organization.

The Bottom Line

In today’s digital landscape, one crucial lesson stands clear: the security of your data ultimately rests in your hands. Opting for an open-source and self-hosted approach exemplifies this responsibility as you take charge of every aspect of your setup.

Even when placing trust in behemoth corporations like Microsoft, the reality is that vulnerabilities in their software may go unfixed and bug reports may be ignored. Surprisingly, even major tax preparation companies like H&R Block may prioritize profit over safeguarding your data, potentially selling it for extra revenue.

To make matters worse, certain companies may employ questionable tactics like running suspicious JavaScript code on their websites, enabling them to automatically funnel your information to entities like Meta. Clearly, protecting your data is not always a top priority for these organizations, especially when compared to safeguarding their bottom line.

In light of these realities, it becomes evident that exploring open-source and self-hosted solutions empowers individuals to secure their data, ensuring a higher level of control and peace of mind in an increasingly interconnected digital world.

  • Being a Section Editor and Analyst at EnvZone, London works to create and ensure the quality, freshness and credibility of all articles. This brings more informative and reliable materials to…