Posted on July 17, 2023 at 8:38 AM

Microsoft Bug Allows Chinese Hackers To Target High-Profile Individuals And Organizations

On Friday, Microsoft admitted to an exploit on the Azure Active Directory (Azure AD) tokens. The tech giant said that a validation error had allowed for Azure AD tokens to be forged by a threat actor known as Storm 0558 through a Microsoft account (MSA) consumer signing key to conduct a hacking campaign against two dozen organizations.

Microsoft bug compromised Azure AD services

Microsoft issued a statement after analyzing the hacking campaign saying that the threat actor group behind the campaign had acquired an inactive MSA consumer signing key that was later used to forge authentication tokens for the Azure AD enterprise.

“Storm-0558 acquired an inactive MSA consumer signing key and used it to forge authentication tokens for Azure AD enterprise and MSA consumer to access OWA and Outlook.com,” Microsoft said.

The company also said that it was still investigating the method used by the hackers to acquire the key. It added that a validation issue had allowed the key to be trusted for signing the Azure AD tokens, but the issue had since been resolved.

It is yet to be determined whether the token validation issue was exploited as a zero-day bug or whether Microsoft was aware of the issue before it was exploited in the wild. The attacks in question also appear to have affected around 25 organizations, such as government entities and consumer accounts, to access emails and exfiltrate the mailbox data.

Microsoft bug exploited to target the US State Department

The company was notified of the malicious activity after several high-profile individuals at the US State Department were targeted. The State Department said that it had detected suspicious email activity linked to Exchange Online data access.

The threat actor group tracked by Microsoft as Storm-0558 is believed to be a Chinese state-sponsored hacker. The cyber activities of the group point towards espionage, but China has refuted claims of being behind the attacks.

The main targets of the hacking campaigns include diplomatic, economic, and legislative governing entities in Europe and the US. The targets also include individuals that are linked to Taiwan and Uyghur, who are conducting hacking campaigns with geopolitical interests. The other targets include think tanks, media firms, and telecommunication operators.

This threat actor group is believed to have been active since at least August 2021, and it has been conducting campaigns such as stealing user credentials, phishing attacks, and OAuth token attacks targeting Microsoft accounts. These attacks are focused on enabling the threat actor group to meet its espionage goals.

Microsoft has noted that this hacker group appears to operate under a high level of sophistication. The tech giant noted that the group had the technical know-how, ample resources, and an in-depth understanding of different authentication techniques and applications.

The hackers obtained initial access to compromise their targets using phishing campaigns and exploiting security flaws. It resulted in deploying the China Chopper web shell to obtain backdoor access and use the Cigril tool to steal user credentials.

The Storm-0558 hacker group also used the PowerShell and Python scripts to access email data like folder information, attachments, and conversations via the Outlook Web Access (OWA) API calls.

Microsoft has since said that the discovery of this hacking activity on June 16, 2023, has allowed the company to conduct investigations. The investigations conducted so far have resulted in the identification of the root cause of the hacks, supported durable tracking of the campaign, and disrupted malicious activity.

The company also said that it had reached out to every affected customer and it was working with several government agencies. Furthermore, it mitigated the issue on behalf of customers from June 26, 2023.

The extent of this hacking campaign is yet to be determined. However, it is not the first time that Chinese hackers have been linked to similar campaigns in the past. These hackers are known to conduct sophisticated intelligence campaigns while avoiding detection.

This report also coincides with the release of a detailed report on China’s cybersecurity capabilities by the UK Intelligence and Security Committee of Parliament. The committee said that China had much potential to conduct espionage campaigns, and it could also access various systems in the government and private sectors.

The campaign also comes at a time when Microsoft has faced much criticism over how it has handled the hacking campaign. The company usually charges additional fees for customers to access detailed audit logs. Some of the affected customers had not paid for this access.