Cybersecurity incidents are increasing at an alarming rate. In our 2023 Global Report on Ransomware Trends, conducted by an independent research firm, 85% of organizations surveyed experienced one or more cyberattacks in the prior 12 months. This represents a 12% increase over the previous year, and it highlights the danger your organization faces.
While attackers continually seek out technical vulnerabilities, the most common way they gain access to corporate systems is through phishing. Phishing occurs when criminals send emails purporting to be from genuine organizations with urgent requests to verify confidential information. Variants include spear phishing, where malicious actors use personal information about the recipient to make the email's instructions more convincing, and whaling, which involves fictitious requests from senior executives to subordinates asking them to supply confidential information or make urgent payments.
Phishing is an effective technique with a high success rate. To counter this threat, it's crucial that you implement effective email security measures such as email encryption, multifactor authentication, spam filtering, employee training and robust backup solutions.
Storm-0558: A New Cyber Threat Landscape
In May and June 2023, a threat actor accessed emails from approximately 25 government agencies and related private email accounts of individuals associated with these agencies. Microsoft identified the actor as Storm-0558, a group believed to be based in China. The group targets American and European government bodies, especially those with connections to Taiwan and to Uyghur ethnic minority groups in China.
Storm-0558 has a history of harvesting emails for espionage, sensitive data theft and intelligence collection. The group's objectives appear to include gaining unauthorized access to the email accounts of employees working for organizations of interest to it. The group appears to be well-resourced, possesses sophisticated capabilities and is believed to be a nation-state actor.
In this instance, the group forged authentication tokens using a stolen Microsoft account (MSA) signing key and exploited a validation error in Microsoft's code that caused those tokens to be accepted. The forged tokens gave Storm-0558 access to both Microsoft consumer (MSA) accounts and Azure Active Directory enterprise accounts.
How Storm-0558 Orchestrated Their Attack
The Storm-0558 attack targeted customers using Microsoft 365 for email. It was first detected on June 16, 2023, when a federal civilian executive branch agency noted unusual activity in its Microsoft 365 Exchange Online cloud service. The activity was identified from the agency's Microsoft 365 audit logs, and only because the agency had purchased Microsoft's advanced 365 E5 security package.
The agency notified Microsoft, which quickly identified the root cause of the anomalous activity and implemented corrective actions. Microsoft determined that Storm-0558 had accessed the agency's Exchange Online service through Outlook Web Access (OWA). The actor had used forged authentication tokens for MSA consumer and Azure AD enterprise accounts, derived from a stolen, inactive Microsoft MSA consumer signing key. Such tokens are used by application programming interfaces to authorize access to users' data. The attack was made possible by a validation error in Microsoft's code that Storm-0558 discovered: the code accepted tokens signed with the consumer key for enterprise accounts. To hide their location and mask their identity, the attackers routed traffic through SoftEther proxy software.
Impact of the Storm-0558 Attack
Microsoft determined that Storm-0558 had access to the emails of around 25 organizations and their users for approximately four weeks, from May 15, 2023, until Microsoft blocked tokens signed with the stolen MSA key in OWA. As far as can be determined, the attackers were able to read targeted customers' emails and download their contents and attachments. No other malicious activity was noted.
Storm-0558 is known to have been active since August 2021. The group targets Microsoft accounts using phishing techniques and credential harvesting, and it works to exploit security flaws such as the token validation error in Microsoft's 365 code. Tools it uses include the Cigril trojan tool that decrypts files and the China Chopper web shell, which can remotely control compromised web servers.
Microsoft’s Response and Mitigation Efforts
When notified of the abnormal Exchange Online traffic, Microsoft immediately started its investigation. Based on the tactics used, Microsoft attributed the attack to the Storm-0558 group. Initially, it was thought that the group was using stolen Azure Active Directory tokens. Further investigation showed the authentication tokens had in fact been forged using a Microsoft account (MSA) key, exploiting a Microsoft validation error.
Remedial actions included invalidating all MSA keys that were active before the incident and correcting the validation code that had allowed these keys to sign Azure Active Directory tokens. Other steps included moving all keys to a hardened key store and implementing improved monitoring. Microsoft directly contacted all customers compromised by this threat and provided information to prevent further exploitation of their systems by Storm-0558. These changes blocked this Storm-0558 attack, and customers need not take any further action.
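As an added illustration (not Microsoft's code, and not a description of its real token format), the check below shows the class of validation that "correcting the validation code" refers to: each signing key in the trust store is bound to the audiences it may vouch for, a verifier that ignores that binding accepts a token minted under the consumer key for an enterprise audience, and the hardened verifier rejects it. Key ids, secrets and claims are constructed placeholders, and HMAC stands in for the asymmetric keys used in practice.

```python
import base64
import hashlib
import hmac
import json

# Constructed trust store: one signing key per identity system, each bound to
# the token audience it may vouch for. Key ids and secrets are placeholders
# (real signing keys are asymmetric; HMAC keeps the illustration short).
KEYS = {
    "msa-consumer-key": {"secret": b"placeholder-consumer-secret", "allowed_aud": {"consumer"}},
    "aad-enterprise-key": {"secret": b"placeholder-enterprise-secret", "allowed_aud": {"enterprise"}},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(kid: str, claims: dict) -> str:
    """Issue a compact token b64(header).b64(claims).b64(hmac) under key kid."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)

def verify_token(token: str, expected_aud: str, enforce_key_scope: bool) -> bool:
    """Return True only if the signature verifies under the key named by kid,
    the token's aud matches expected_aud, and (when enforce_key_scope is set)
    that key is permitted to sign tokens for expected_aud at all."""
    try:
        h, c, s = token.split(".")
        header, claims, sig = json.loads(_unb64(h)), json.loads(_unb64(c)), _unb64(s)
        key = KEYS[header["kid"]]
    except (ValueError, KeyError, TypeError):
        return False
    expected_sig = hmac.new(key["secret"], (h + "." + c).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, sig):
        return False
    if claims.get("aud") != expected_aud:
        return False
    # Weak validator: any key in the trust store is accepted for any audience,
    # so a token minted under the consumer key passes for an enterprise user.
    # Hardened validator: the key's permitted audiences are checked as well.
    if enforce_key_scope and expected_aud not in key["allowed_aud"]:
        return False
    return True
```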
Lessons Learned and the Role of Veeam in Email Security
The biggest lesson from this attack is the importance of using the Microsoft 365 audit log. Although these logging features are currently reserved for the more expensive licenses, Microsoft has indicated it will provide wider access to cloud security logs across all licenses.
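As an added example, not from the page or from Microsoft, of the kind of audit-log review the lesson above calls for: the detector below reads constructed records shaped like Unified Audit Log MailItemsAccessed entries (field names modelled on that schema, every value made up) and flags mailbox reads from IP addresses outside each user's known baseline, plus any single unfamiliar IP that reads several mailboxes.

```python
import json
from collections import defaultdict

# Constructed sample records, shaped like Microsoft 365 Unified Audit Log
# MailItemsAccessed entries (field names modelled on that schema; every
# value, including the IP addresses, is made up for this example).
SAMPLE_LOG = """\
{"CreationTime":"2023-06-15T09:02:11","Operation":"MailItemsAccessed","UserId":"alice@agency.example","ClientIP":"203.0.113.10"}
{"CreationTime":"2023-06-15T09:05:40","Operation":"MailItemsAccessed","UserId":"bob@agency.example","ClientIP":"203.0.113.11"}
{"CreationTime":"2023-06-15T22:14:03","Operation":"MailItemsAccessed","UserId":"alice@agency.example","ClientIP":"198.51.100.77"}
{"CreationTime":"2023-06-15T22:15:19","Operation":"MailItemsAccessed","UserId":"bob@agency.example","ClientIP":"198.51.100.77"}
{"CreationTime":"2023-06-15T22:16:52","Operation":"MailItemsAccessed","UserId":"carol@agency.example","ClientIP":"198.51.100.77"}
{"CreationTime":"2023-06-15T23:00:00","Operation":"UserLoggedIn","UserId":"carol@agency.example","ClientIP":"203.0.113.12"}
"""

# Per-user baseline of IPs seen in normal use (constructed).
KNOWN_IPS = {
    "alice@agency.example": {"203.0.113.10"},
    "bob@agency.example": {"203.0.113.11"},
    "carol@agency.example": {"203.0.113.12"},
}

def find_mailbox_anomalies(log_text, known_ips, shared_ip_threshold=2):
    """Return alert tuples (time, user, ip, reason): one per MailItemsAccessed
    event from an IP outside the user's baseline, plus one per unfamiliar IP
    that reads at least shared_ip_threshold distinct mailboxes."""
    alerts = []
    mailboxes_by_unknown_ip = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("Operation") != "MailItemsAccessed":
            continue  # only mailbox reads matter for this check
        user, ip = rec["UserId"], rec["ClientIP"]
        if ip in known_ips.get(user, set()):
            continue
        alerts.append((rec["CreationTime"], user, ip, "mailbox read from unfamiliar IP"))
        mailboxes_by_unknown_ip[ip].add(user)
    for ip, users in mailboxes_by_unknown_ip.items():
        if len(users) >= shared_ip_threshold:
            alerts.append(("", "*", ip, f"unfamiliar IP read {len(users)} mailboxes"))
    return alerts

if __name__ == "__main__":
    for alert in find_mailbox_anomalies(SAMPLE_LOG, KNOWN_IPS):
        print(alert)
```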
Additionally, some customers assume that Microsoft's geo-redundancy features protect against data loss, but this is not true: geo-redundancy protects only against infrastructure failure. Microsoft does not provide separate backup capabilities. This is made clear in the Microsoft 365 shared responsibility model, which defines client responsibilities to include control of the data residing in Microsoft 365 and its backups.
Implementing robust email security solutions helps detect unusual activity as quickly as possible. For example, Veeam's advanced email security solutions let you run threat scanning tools on backups to identify suspicious activity such as phishing. Additionally, you can use Veeam DataLabs to check recently captured backups for security vulnerabilities in a secure, isolated sandbox environment.
It was fortunate that one of the customers targeted by Storm-0558 identified the anomalous activity and promptly alerted Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA). During those four weeks, Storm-0558 was able to read and download emails from compromised customers, gaining valuable intelligence in the process. Had this unusual activity not been noticed, more organizations would likely have been affected. Microsoft acted swiftly to identify and mitigate the attack, made significant changes to how token signing keys are issued, and patched the vulnerability the attackers exploited.
One takeaway is the need to implement robust email security practices, both at the application level and for backups. No organization is immune to cyberattacks; phishing and ransomware attacks are both common. The only effective solution is to implement secure backup practices, such as the well-known 3-2-1 backup approach, together with comprehensive scanning and monitoring to detect and eliminate malicious software.
Prevent data loss by securing your data with Veeam’s robust backup solutions. Don’t leave it to chance; take positive steps to secure your data today.