On Friday, Microsoft tried to explain the cause of a breach that gave hackers working for the Chinese government access to the email accounts of 25 agencies, reportedly including the US Departments of State and Commerce and other critical agencies.
In a post on Friday, the company said that the breach was caused by three vulnerabilities in its Exchange Online email service or Azure Active Directory, an identity service that manages single sign-on and multi-factor authentication for large organizations. Microsoft's Threat Intelligence team reported that Storm-0558, a China-based espionage group working on behalf of the country's government, had been exploiting them since the intrusion began on May 15.
Above all: Avoid the Z word
In common parlance among security professionals, this means that Storm-0558 exploited zero-days in Microsoft's cloud service. A "zero-day" is a vulnerability that is known to or exploited by outsiders before the vendor has a patch. "Exploitation" means using code or other methods to trigger a vulnerability in a way that harms the vendor or others.
Although all of this plainly applies to the Storm-0558 intrusion, Friday's post, like two others Microsoft published on Tuesday, bends over backwards to avoid the words "vulnerability" or "zero-day." Instead, the company uses vague terms like "issue" and "error" in an attempt to explain how the country's hackers got at the emails of some of the company's biggest customers.
"In-depth analysis of the Exchange Online service discovered that the actor was generating Azure AD tokens using a Microsoft account (MSA) consumer signing key," Microsoft researchers wrote Friday. "This was made possible by a validation error in Microsoft code."
Later in the post, the researchers said that Storm-0558 had obtained a signing key used for consumer cloud accounts and somehow managed to use it to forge tokens for Azure AD, a cloud service that claims to be highly secure and that, in fact, stores thousands of keys for organizations that use it to manage account logins on their internal networks and cloud-based services.
"How the actor got the key is a subject for further investigation," the post said. "Although the key was created only for MSA accounts, the authentication issue allowed this key to be trusted for signing Azure AD tokens."
Two paragraphs later, Microsoft said Storm-0558 used a forged token to access Exchange email accounts through the Outlook Web Access (OWA) program. The researchers wrote:
Once authenticated through the client authentication flow using the forged token, the actor accessed the OWA API to retrieve an Exchange Online token from the GetAccessTokenForResource API used by OWA. The actor was able to obtain new tokens by presenting one already issued from this API, due to a design error. This error in the GetAccessTokenForResource API has been fixed so that it accepts only tokens issued from Azure AD or MSA, respectively. The actor used these tokens to retrieve mail messages from the OWA API.
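The class of validation error described in the two Microsoft quotes above, shown as an added illustration that is not Microsoft's code and does not reproduce its implementation: a token verifier that resolves a key ID across every issuer's key set will accept a token signed with a consumer key as if it were an enterprise token, and binding the key lookup to the expected issuer closes that gap. The issuer names, audience, key IDs and the HMAC stand-in for asymmetric signing are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values: one key set per token issuer. Real issuers publish
# asymmetric keys; HMAC secrets stand in for them so the example runs offline.
MSA_ISS = "https://consumer.example/issuer"     # stand-in for the consumer (MSA) issuer
AAD_ISS = "https://enterprise.example/contoso"  # stand-in for an Azure AD tenant
RESOURCE = "api://mail.example"                 # stand-in for the Exchange Online audience
KEYS = {MSA_ISS: {"msa-key-1": b"consumer-secret"},
        AAD_ISS: {"aad-key-1": b"enterprise-secret"}}

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(key: bytes, body: str) -> bytes:
    return hmac.new(key, body.encode(), hashlib.sha256).digest()

def sign_token(claims: dict, key: bytes, kid: str) -> str:
    """Mint a compact JWT-like token: header.claims.signature (HS256)."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = header + "." + _b64(json.dumps(claims).encode())
    return body + "." + _b64(_mac(key, body))

def _parse(token: str):
    header, claims, sig = token.split(".")
    return json.loads(_unb64(header)), json.loads(_unb64(claims)), header + "." + claims, _unb64(sig)

def verify_flawed(token: str, expected_aud: str):
    """Flawed validation: 'kid' is resolved across every issuer's key set, so a
    signature made with a consumer key is accepted on a token whose claims say
    it is an enterprise token. The audience check alone does not prevent this."""
    header, claims, body, sig = _parse(token)
    if claims.get("aud") != expected_aud:
        return None
    for keyset in KEYS.values():
        key = keyset.get(header.get("kid"))
        if key is not None and hmac.compare_digest(_mac(key, body), sig):
            return claims
    return None

def verify_fixed(token: str, expected_iss: str, expected_aud: str):
    """Hardened validation: the key is looked up only in the expected issuer's
    key set, and 'iss' and 'aud' must both match before the signature is checked."""
    header, claims, body, sig = _parse(token)
    if claims.get("iss") != expected_iss or claims.get("aud") != expected_aud:
        return None
    key = KEYS.get(expected_iss, {}).get(header.get("kid"))
    if key is None or not hmac.compare_digest(_mac(key, body), sig):
        return None
    return claims
```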
The plain-English summary of this event: Microsoft has patched three vulnerabilities in its cloud that were discovered after Storm-0558 exploited them to gain access to customer accounts. It would also be helpful if Microsoft assigned them tracking designations under the CVE (Common Vulnerabilities and Exposures) system, as other cloud companies do. Why doesn't Microsoft do the same?
"I don't think Microsoft admits vulnerabilities in their cloud services (and there are no cloud CVEs), and you don't report a Microsoft breach," independent researcher Kevin Beaumont said on Mastodon. "They said 'exploit' in the original MSRC blog in relation to Microsoft's cloud services, and you exploit a vulnerability. So I think it's fair to say that, yes, they had vulnerabilities."
In one of the two documents published on Tuesday, Microsoft said: "The actor used a token authentication issue to impersonate Azure AD users and gain access to business emails." Ars asked for details on what the attacker exploited. Microsoft issued this statement: "We do not have any evidence that the actor exploited a 0day." Microsoft did not elaborate.
Besides being vague about what caused the breach and its own role in it, Microsoft is under fire for withholding information that some of those affected could have used to detect the intrusion, a practice critics call "pay-to-play security." According to the US Cybersecurity and Infrastructure Security Agency, one of the federal agencies breached by Storm-0558 discovered the intrusion through audit logs that track logins and other important activity in Microsoft's cloud customers' accounts.
Microsoft, however, requires customers to pay extra to access these logs. An "E5" license that allows such access costs $57 per month per user, compared with $36 per month per customer for an E3 license.
"The fact that Microsoft allows only those who pay an additional fee for an E5 license to view log-related files, well, something…" Will Dormann, a senior analyst at Analygence, said in an interview. "If you are not a paying customer of E5, you lose the opportunity to see that you have been compromised."
Although Microsoft's disclosure was less than forthcoming about its own role in the breach of customer accounts, Friday's post does provide useful indicators that people can use to determine whether they have been targeted or compromised by Storm-0558.