On July 12, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA), AA23-193A, detailing an intrusion at a Federal Civilian Executive Branch (FCEB) agency in June 2023. The agency detected the activity through anomalous entries in its Microsoft 365 (M365) audit logs, specifically MailItemsAccessed events generated by a ClientAppId it did not recognize. Microsoft attributed the activity to the China-based espionage actor it tracks as Storm-0558, based on operating hours consistent with that region's working day and on overlap with techniques historically associated with the group. Microsoft's investigation found that, beginning May 15, 2023, Storm-0558 accessed email accounts belonging to government agencies and to related individuals. It did so with forged authentication tokens signed by an acquired Microsoft account (MSA) consumer signing key, which gave it access to Outlook Web Access (OWA) in Exchange Online and to Outlook[.]com. Microsoft has stated that MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed by separate systems and should be valid only for their respective systems; the security-relevant failure is therefore not only that the key was stolen but that enterprise Exchange Online accepted tokens signed with a consumer key, which Microsoft attributed to a token validation issue in its code. How the actor obtained the MSA key has not been established. Storm-0558 has historically used a collection of PowerShell and Python scripts to issue REST API calls against the OWA Exchange Store service; those scripts describe how the actor read mail once it held forged tokens, and there is no evidence they played any part in acquiring the key.
Wiz researchers also examined the campaign and assessed that its potential scope was broader than Exchange Online and Outlook[.]com: the compromised MSA key could have been used to forge access tokens for other kinds of Azure AD applications. Applications that support personal Microsoft accounts, including SharePoint, Teams, OneDrive and any application offering 'Login with Microsoft', and Azure AD applications configured for a 'mixed audience' (multi-tenant applications, Skype, Xbox) were identified as potentially affected. The researchers noted that, although tokens signed with the revoked key are no longer accepted by Microsoft's identity platform, an attacker could have used earlier access to establish persistence. In addition, applications that validate tokens against a local certificate store or a cached copy of the issuer's signing keys may continue to accept tokens signed with the compromised key until that cache is refreshed; Microsoft recommends refreshing local certificate stores and key caches at least once a day. Microsoft has reportedly characterized Wiz's findings as speculative and not evidence-based.
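To make concrete both Microsoft's point about separate consumer and enterprise key systems and Wiz's point about cached keys, here is an added illustration that is not code from the advisory, from Microsoft or from Wiz. It models two independent key sets and shows (a) a validator that merges them accepting a token signed with the consumer key for an enterprise mail audience, while an issuer-bound validator rejects the same token, and (b) a client-side key cache that keeps accepting a revoked key until its refresh interval lapses. The issuer URLs, key IDs, key bytes, audiences and timestamps are hypothetical, and HMAC-SHA256 stands in for the RSA signatures real tokens carry so the block runs on the Python standard library alone; nothing here is Microsoft's actual validation code.

```python
import base64
import hashlib
import hmac
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, kid: str, key: bytes) -> str:
    """Build a compact JWT whose header names the signing key by kid (HMAC stands in for RSA)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def _split(token: str):
    h, c, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(c)), _b64url_decode(s), h + "." + c

# Constructed key sets, one per issuing system, as Microsoft describes MSA and Azure AD.
CONSUMER_ISSUER = "https://consumer.example/"       # hypothetical MSA-style issuer
ENTERPRISE_ISSUER = "https://enterprise.example/"   # hypothetical Azure AD-style issuer
CONSUMER_KEYS = {"msa-key-1": b"consumer-signing-key-material"}
ENTERPRISE_KEYS = {"aad-key-1": b"enterprise-signing-key-material"}
KEY_SETS = {CONSUMER_ISSUER: CONSUMER_KEYS, ENTERPRISE_ISSUER: ENTERPRISE_KEYS}

def _verify_with_key(token: str, key: bytes, audience: str, now: float):
    """Check signature, audience and expiry once a key has been selected."""
    _, claims, sig, signing_input = _split(token)
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None
    return claims

def verify_merged(token: str, audience: str, now: float):
    """Weak pattern: one merged key set. Any kid known anywhere is trusted, so a token
    signed with the consumer key validates for the enterprise mail audience."""
    header, _, _, _ = _split(token)
    key = {**CONSUMER_KEYS, **ENTERPRISE_KEYS}.get(header.get("kid"))
    return _verify_with_key(token, key, audience, now) if key else None

def verify_issuer_bound(token: str, audience: str, expected_issuer: str, now: float):
    """Hardened: iss must match the expected issuer and the kid is resolved only against
    that issuer's key set, so a consumer kid is simply unknown to the enterprise validator."""
    header, claims, _, _ = _split(token)
    if claims.get("iss") != expected_issuer:
        return None
    key = KEY_SETS[expected_issuer].get(header.get("kid"))
    return _verify_with_key(token, key, audience, now) if key else None

class CachedKeySet:
    """Local copy of an issuer's key set, re-fetched only when the TTL lapses. A key
    revoked at the issuer stays trusted here until the next refresh."""

    def __init__(self, fetch, ttl_seconds: float):
        self._fetch, self._ttl, self._keys, self._fetched_at = fetch, ttl_seconds, None, 0.0

    def keys(self, now: float) -> dict:
        if self._keys is None or now - self._fetched_at >= self._ttl:
            self._keys, self._fetched_at = dict(self._fetch()), now
        return self._keys

def forged_token_demo(now: float = 1_689_000_000) -> dict:
    """Attacker holds only the consumer key but asserts the enterprise issuer and audience."""
    claims = {"iss": ENTERPRISE_ISSUER, "aud": "exchange-online", "exp": now + 3600,
              "upn": "user@agency.example"}  # constructed claims
    forged = sign_jwt(claims, "msa-key-1", CONSUMER_KEYS["msa-key-1"])
    return {
        "merged_accepts": verify_merged(forged, "exchange-online", now) is not None,
        "issuer_bound_accepts": verify_issuer_bound(forged, "exchange-online", ENTERPRISE_ISSUER, now) is not None,
    }

def stale_cache_demo(ttl_seconds: float = 86_400) -> dict:
    """The issuer revokes the key after a client cached it; the client keeps accepting tokens
    until its TTL expires, which is why a once-a-day refresh bounds the exposure window."""
    t0 = 1_689_000_000
    live_keys = dict(CONSUMER_KEYS)                       # the issuer's authoritative set
    cache = CachedKeySet(lambda: live_keys, ttl_seconds)
    cache.keys(t0)                                        # client populates its cache
    token = sign_jwt({"aud": "outlook", "exp": t0 + 7 * 86_400}, "msa-key-1", CONSUMER_KEYS["msa-key-1"])
    del live_keys["msa-key-1"]                            # revocation at the source

    def accepted(at: float) -> bool:
        key = cache.keys(at).get("msa-key-1")
        return key is not None and _verify_with_key(token, key, "outlook", at) is not None

    return {"accepted_1h_after_revocation": accepted(t0 + 3600),
            "accepted_after_cache_refresh": accepted(t0 + ttl_seconds)}
```

Calling `forged_token_demo()` returns `merged_accepts` true and `issuer_bound_accepts` false: the only difference between the two validators is whether the key lookup is scoped by the issuer the token claims. `stale_cache_demo()` shows the forged token still accepted an hour after revocation and rejected once the cache's TTL forces a refetch, so the TTL is the upper bound on how long a revoked key stays usable against that client.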
RSM Defense Analyst Notes: RSM Defense Intelligence analysts recommend 24x7 monitoring of network and cloud activity, supported by security tooling that can detect and alert on anomalous behavior within the environment. Organizations should also ensure their detection and alerting toolsets can ingest the indicators of compromise (IOCs) Microsoft has published, and should review the behavioral analysis published by the Wiz researchers when hunting for potential compromise in their own environments. Because this intrusion surfaced through the MailItemsAccessed operation in the M365 Unified Audit Log, organizations should confirm that operation is being logged and retained; the advisory notes that it requires Microsoft Purview Audit (Premium) licensing.
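As an added example of the kind of hunt the analyst notes describe, and not code from the advisory, Microsoft or RSM Defense: the following Python baselines which ClientAppId values generate MailItemsAccessed events for each mailbox and flags any new one in a later window, which is the class of anomaly that surfaced this intrusion. All audit records, users, application GUIDs and IP addresses are constructed; the field names (Operation, UserId, ClientAppId, ClientIPAddress, CreationTime) follow the Unified Audit Log schema for Exchange mailbox audit events.

```python
import json
from collections import defaultdict

# Constructed baseline window (known-good activity) in JSON-lines form.
BASELINE_UAL = """
{"CreationTime":"2023-05-01T08:12:44","Operation":"MailItemsAccessed","UserId":"alice@agency.example","ClientAppId":"aaaaaaaa-0000-4000-8000-000000000001","ClientIPAddress":"203.0.113.10"}
{"CreationTime":"2023-05-02T09:40:02","Operation":"MailItemsAccessed","UserId":"alice@agency.example","ClientAppId":"aaaaaaaa-0000-4000-8000-000000000001","ClientIPAddress":"203.0.113.10"}
{"CreationTime":"2023-05-02T10:05:19","Operation":"MailItemsAccessed","UserId":"bob@agency.example","ClientAppId":"aaaaaaaa-0000-4000-8000-000000000001","ClientIPAddress":"203.0.113.22"}
{"CreationTime":"2023-05-03T11:30:58","Operation":"MailItemsAccessed","UserId":"bob@agency.example","ClientAppId":"bbbbbbbb-0000-4000-8000-000000000002","ClientIPAddress":"203.0.113.22"}
"""

# Constructed hunt window. The third record is the kind of anomaly the advisory describes.
HUNT_UAL = """
{"CreationTime":"2023-06-15T07:58:13","Operation":"UserLoggedIn","UserId":"alice@agency.example","ClientIPAddress":"203.0.113.10"}
{"CreationTime":"2023-06-15T08:01:47","Operation":"MailItemsAccessed","UserId":"alice@agency.example","ClientAppId":"aaaaaaaa-0000-4000-8000-000000000001","ClientIPAddress":"203.0.113.10"}
{"CreationTime":"2023-06-15T14:22:09","Operation":"MailItemsAccessed","UserId":"alice@agency.example","ClientAppId":"cccccccc-0000-4000-8000-000000000099","ClientIPAddress":"198.51.100.77"}
{"CreationTime":"2023-06-15T15:10:31","Operation":"MailItemsAccessed","UserId":"bob@agency.example","ClientAppId":"bbbbbbbb-0000-4000-8000-000000000002","ClientIPAddress":"203.0.113.22"}
{"CreationTime":"2023-06-16T09:03:55","Operation":"MailItemsAccessed","UserId":"carol@agency.example","ClientAppId":"aaaaaaaa-0000-4000-8000-000000000001","ClientIPAddress":"203.0.113.31"}
"""

# Tenant-wide allow-list of client application IDs expected to read mail for any user
# (hypothetical value; in practice populate it from the tenant's own sanctioned clients).
TENANT_ALLOWLIST = frozenset({"aaaaaaaa-0000-4000-8000-000000000001"})

def parse_ual(text: str) -> list:
    """One JSON object per line, as exported from the AuditData field of Search-UnifiedAuditLog."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def mail_access_events(records: list):
    """Yield only mailbox-read events; MailItemsAccessed is only logged with Purview Audit (Premium)."""
    return (r for r in records if r.get("Operation") == "MailItemsAccessed")

def baseline_app_ids(records: list) -> dict:
    """Per-mailbox set of ClientAppIds that read mail during the baseline window."""
    seen = defaultdict(set)
    for r in mail_access_events(records):
        seen[r["UserId"]].add(r.get("ClientAppId"))
    return dict(seen)

def hunt_unexpected_app_ids(records: list, baseline: dict, allowlist: frozenset) -> dict:
    """Flag MailItemsAccessed events whose ClientAppId is neither allow-listed nor part of that
    mailbox's baseline. A record with no ClientAppId at all is treated as unexpected too."""
    findings = defaultdict(list)
    for r in mail_access_events(records):
        app_id = r.get("ClientAppId")
        if app_id in allowlist or app_id in baseline.get(r["UserId"], set()):
            continue
        findings[r["UserId"]].append(
            {"time": r["CreationTime"], "app_id": app_id, "ip": r.get("ClientIPAddress")}
        )
    return dict(findings)

def run_hunt() -> dict:
    baseline = baseline_app_ids(parse_ual(BASELINE_UAL))
    return hunt_unexpected_app_ids(parse_ual(HUNT_UAL), baseline, TENANT_ALLOWLIST)

if __name__ == "__main__":
    for user, events in run_hunt().items():
        for e in events:
            print(f"{user}: unexpected ClientAppId {e['app_id']} from {e['ip']} at {e['time']}")
```

On the constructed data the hunt returns a single finding: alice's mailbox read by an application never seen for her and not on the tenant allow-list, from an address outside the tenant's usual range. Bob's second application is not flagged because it appears in his own baseline, and carol, who has no baseline at all, is not flagged because her client is allow-listed tenant-wide; in a real tenant the allow-list is what keeps a baseline-driven hunt from flooding on new joiners.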