A "cascade" of errors let Chinese hackers into US government inboxes
Microsoft still doesn't know how Storm-0558 attackers managed to steal the Microsoft Services Account (MSA) cryptographic key they used to forge the authentication tokens needed to access email accounts belonging to US government officials.
"The stolen 2016 MSA key in combination with [a] flaw in the token validation system permitted the threat actor to gain full access to essentially any Exchange Online account," CISA's Cyber Safety Review Board noted in a recently released Review of the Summer 2023 Microsoft Exchange Online Intrusion.
"Microsoft does not know when Storm-0558 discovered that consumer signing keys could forge tokens that worked on both OWA consumer and enterprise Exchange Online. Microsoft speculates that the threat actor could have discovered this capability through trial and error."
In May and June 2023, Storm-0558 - a hacking group associated with the Chinese government - compromised Microsoft's cloud environment and accessed cloud-based mailboxes of US State Department officials, Commerce Department officials, and users at other government and private sector organizations in the US, the UK, and elsewhere.
"The Board finds that this intrusion was preventable and should never have occurred. The Board also concludes that Microsoft's security culture was inadequate and requires an overhaul," the CSRB stated, and advised Microsoft to make its CEO and Board of Directors focus on the company's security culture and security-focused reforms across the company and products.
"The Board recommends that Microsoft's CEO hold senior officers accountable for delivery against this plan. In the meantime, Microsoft leadership should consider directing internal Microsoft teams to deprioritize feature developments across the company's cloud infrastructure and product suite until substantial security improvements have been made in order to preclude competition for resources."
News URL
https://www.helpnetsecurity.com/2024/04/03/microsoft-storm-0558-key/