
Microsoft hit by Storm season – a tale of two semi-zero days – Naked Security

Last week, Microsoft released a report titled “Analysis of Storm-0558 techniques for unauthorized email access,” which shed light on a previously undisclosed hack. The breach affected approximately 25 organizations, including government agencies and consumer accounts in the public cloud. While the number of organizations targeted may seem small, the number of individuals affected could be significant, considering that some government bodies employ thousands of people. The good news is that Microsoft’s threat hunters were able to track down the specific tricks and bypasses used in the attack, suggesting that the 25 organizations were the complete list of victims. If you haven’t received any communication from Microsoft about being part of this hack, it’s safe to assume you were not affected.

Additionally, the vulnerabilities exploited in the attack were in Microsoft’s back-end operations, meaning that they could be fixed without requiring users to install patches or updates. While technically these vulnerabilities can be considered zero-days, Microsoft has avoided using that term in its coverage. The attack highlighted the challenges of applied cryptography, security segmentation, and threat hunting.

The initial signs of the attack showed that the attackers gained access to victims’ Exchange data through Outlook Web Access (OWA) using illicitly acquired authentication tokens. Authentication tokens are temporary web cookies that allow users to access online services without repeatedly entering their passwords. Attackers can obtain such tokens by implanting malware on victims’ computers that spies on and steals private browsing data. However, reputable online services now require traffic to be encrypted using HTTPS, making it difficult for attackers to sniff authentication tokens out of network traffic.
Microsoft’s threat hunters determined that the fraudulent email interactions were not caused by client-side issues, but rather by a compromised authentication token creation process. This could have been done by hacking into the servers that generate the tokens, or by stealing the data needed to generate fraudulent tokens elsewhere. The attackers in the Storm-0558 attack were able to generate fake authentication tokens that passed Microsoft’s security checks, even though the tokens were signed as if they were for personal accounts rather than corporate accounts. This suggests that the attackers were only able to steal a consumer-level signing key, not a corporate-level one. Despite that limitation, the attackers found a way to bypass the security measures that should have rejected tokens signed with the wrong key. The report highlights the challenges Microsoft faced in addressing the attack and emphasizes the importance of constant vigilance and proactive security measures.
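The flaw described above, a token signed with a consumer-level key being accepted for a corporate account, comes down to a validator that only checks that some trusted key signed the token, not that the key was issued for that type of account. The following added example (written for this article, not Microsoft’s code; the HMAC secrets and “consumer”/“enterprise” scope labels are constructed stand-ins for the real asymmetric signing keys) shows the weak check beside the hardened one.

```python
import base64, hashlib, hmac, json

# Constructed key store: each signing key carries the account scope it was issued for.
# Real keys are asymmetric; HMAC is used here only so the example runs with the stdlib.
SIGNING_KEYS = {
    "consumer-key-1":   {"secret": b"msa-demo-secret", "scope": "consumer"},
    "enterprise-key-1": {"secret": b"aad-demo-secret", "scope": "enterprise"},
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(key_id: str, claims: dict) -> str:
    """Build a compact header.payload.signature token (JWT-like) with the named key."""
    header = b64url(json.dumps({"alg": "HS256", "kid": key_id}).encode())
    payload = b64url(json.dumps(claims).encode())
    secret = SIGNING_KEYS[key_id]["secret"]
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_signature(token: str):
    """Return (key_record, claims) if the signature checks out under a known kid, else (None, None)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(unb64url(header_b64))
    key = SIGNING_KEYS.get(header.get("kid"))
    if key is None:
        return None, None
    expected = hmac.new(key["secret"], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(sig_b64)):
        return None, None
    return key, json.loads(unb64url(payload_b64))

def validate_weak(token: str) -> bool:
    """Flawed check: any trusted key is accepted, regardless of which account type it was issued for.
    A token signed with the consumer key therefore passes for an enterprise mailbox."""
    key, _ = verify_signature(token)
    return key is not None

def validate_strict(token: str, expected_scope: str) -> bool:
    """Hardened check: the signing key's scope must match the scope the service is authenticating for,
    and the token's own scope claim must agree. A consumer-key signature is rejected for enterprise."""
    key, claims = verify_signature(token)
    if key is None:
        return False
    return key["scope"] == expected_scope and claims.get("scope") == expected_scope
```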
