July 27, 2023 HAWKEYE

Alert Advisory: Analysis of the Microsoft Storm-0558 SaaS Breach

According to a report published by Microsoft last week, the operators of Storm-0558, a threat actor that Microsoft assesses to be based in China, stole a Microsoft account (MSA) consumer signing key and used it to forge tokens for Azure Active Directory (Azure AD) enterprise and MSA users, gaining access to Exchange Online and Outlook Web Access (OWA) accounts.

Background:

About 25 organizations, including government agencies, were impacted by the attack, which prompted CISA's advisory. According to the advisory, a federal civilian executive branch agency discovered the suspicious behaviour in June and was the first to report the activity to Microsoft. As of last week, neither CISA nor Microsoft had disclosed how the MSA key was obtained.

Microsoft stated in a Friday afternoon update that it is unsure how the stolen MSA key was obtained. However, Microsoft’s mitigations have neutralized Storm-0558’s tactic.

Storm-0558 Attack

The espionage-focused hacking group Storm-0558 is located in China. It is linked to a number of well-known incidents, most notably the email system hack at the State Department in 2022.

It is possible that Storm-0558 is interested in military and economic capabilities as well as the specifics of government policy, knowledge that could give China an advantage in negotiations, military planning, or economic competition. The group is a concern because it has the capacity to obtain confidential data and misuse it, and it has shown a willingness to target high-profile organisations, which suggests it may pose a significant danger to national security.

A customer alerted Microsoft to unusual Exchange Online data access on June 16, 2023. Based on known earlier TTPs, Microsoft attributed the activity to Storm-0558. Researchers found that Storm-0558 was using Outlook Web Access (OWA) to reach the customer's Exchange Online data. Microsoft's investigators first assumed that the attacker was obtaining legitimately issued Azure Active Directory (Azure AD) tokens, perhaps by deploying malware on affected user devices. Later, Microsoft's experts discovered that the actor's access was obtained through Exchange Online authentication artefacts, which are normally derived from Azure AD authentication tokens (Azure AD tokens).

Microsoft analysts then looked into the possibility that the actor was forging authentication tokens with an acquired Azure AD enterprise signing key. A thorough investigation of the Exchange Online activity revealed that the actor was in fact forging Azure AD tokens with an acquired Microsoft account (MSA) consumer signing key, which was made possible by a token validation error in Microsoft code. Because the requests were signed with the wrong key, investigators were able to identify every actor access request that fit this pattern across both enterprise and consumer systems. Since no Microsoft system signs tokens in this manner, the use of the wrong key to sign this set of claims was a clear indicator of the actor's activity.

Techniques used by Storm-0558

Token Forgery:

When an entity requests access to a resource, in this case email, authentication tokens are used to verify the identity of the requester. The identity provider signs the token with a private signing key to establish its validity, and the relying party verifies the token supplied by the requesting entity using the corresponding public validation key. Storm-0558 obtained an inactive MSA consumer signing key and used it to create forged Azure AD enterprise and MSA consumer authentication tokens for OWA and Outlook.com access.

Identity Techniques for Access:

After authenticating through a valid client flow with the forged token, the threat actor called the GetAccessTokenForResource API provided by OWA to obtain a token for Exchange Online. Due to a design error, the actor could obtain fresh access tokens by presenting one that had previously been issued by this same API. The GetAccessTokenForResource API has since been updated to accept only tokens issued by Azure AD or MSA, respectively, to address this problem. The actor used these tokens to retrieve mail messages from the OWA API.

Tools used by Storm-0558

Storm-0558 makes REST API calls to the OWA Exchange Store service using a variety of PowerShell and Python scripts. For instance, Storm-0558 can use minted access tokens to retrieve email data: downloading emails, retrieving attachments, finding and saving conversations, and obtaining details about email folders. The generated web requests can be routed through one or more fixed SOCKS5 proxy servers or a Tor proxy.

The scripts contain extremely sensitive hardcoded information, such as bearer access tokens and email data, which the threat actor uses to make the OWA API requests. The threat actor can also refresh the access token for use in subsequent OWA commands.

Mitigation

To mitigate the token forging technique or validation issue in OWA or Outlook.com, no consumer action is necessary. Microsoft has taken the following steps to help users deal with this problem:

  • June 26: OWA stopped renewing tokens obtained by GetAccessTokensForResource, reducing the risk of token renewal misuse.
  • June 27: Microsoft disabled the use of tokens signed with the acquired MSA key, halting further threat actor enterprise mail activity.
  • June 29: Microsoft finished replacing the key to stop the threat actor from using it to create forged tokens. Microsoft also invalidated all MSA signing licences that were in effect at the time of the incident, including the actor's MSA key.
  • July 3: Microsoft disabled the key for all impacted consumer users to stop the use of previously issued tokens.

IOCs

d4b4cccda9228624656bff33d8110955779632aa
195.26.87[.]219
185.236.228[.]183
85.239.63[.]160
193.105.134[.]58
146.0.74[.]16
91.231.186[.]226
91.222.174[.]41
185.38.142[.]249
51.89.156[.]153
176.31.90[.]129
137.74.181[.]100
193.36.119[.]45
185.158.248[.]159
131.153.78[.]188
37.143.130[.]146
146.70.157[.]45
185.195.200[.]39
185.38.142[.]229
146.70.121[.]44
31.42.177[.]181
185.51.134[.]52
173.44.226[.]70
45.14.227[.]233
185.236.231[.]109
178.73.220[.]149
45.14.227[.]212
91.222.173[.]225
146.70.35[.]168
146.70.157[.]213
31.42.177[.]201
5.252.176[.]8
80.85.158[.]215
193.149.129[.]88
5.252.178[.]68
116.202.251[.]8
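The indicators above are published defanged (`[.]` in place of `.`), so they need to be refanged before they can be matched against logs. The following is an added example, not part of the advisory: it loads an excerpt of the IOC list exactly as published, refangs it, and flags matching client IPs and file hashes in OWA access and endpoint scan log lines. The log lines are constructed for the demo and the field names in them are assumptions; only the indicator values come from the list above.

```python
"""Added example (not from the advisory): refang the published IOC list
and sweep constructed log lines for matches."""
import re

# Excerpt of the advisory's IOC list, copied as published (defanged).
IOC_TEXT = """
d4b4cccda9228624656bff33d8110955779632aa
195.26.87[.]219
185.236.228[.]183
85.239.63[.]160
116.202.251[.]8
"""

# Word boundaries prevent 185.236.228.18 from matching the IOC 185.236.228.183.
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
SHA1_RE = re.compile(r"\b[0-9a-f]{40}\b")


def refang(indicator: str) -> str:
    """Undo the '[.]' and 'hxxp' defanging used in published indicator lists."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip()


def load_iocs(text: str) -> dict[str, set[str]]:
    """Sort refanged indicators into typed sets; unknown shapes are skipped."""
    ips, hashes = set(), set()
    for line in text.splitlines():
        value = refang(line).lower()
        if not value:
            continue
        if IP_RE.fullmatch(value):
            ips.add(value)
        elif SHA1_RE.fullmatch(value):
            hashes.add(value)
    return {"ip": ips, "sha1": hashes}


def scan_logs(lines: list[str], iocs: dict[str, set[str]]) -> list[tuple[int, str, str, str]]:
    """Return (line_no, indicator_type, value, line) for every IOC hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in iocs["ip"]:
                hits.append((n, "ip", ip, line))
        for digest in SHA1_RE.findall(line.lower()):
            if digest in iocs["sha1"]:
                hits.append((n, "sha1", digest, line))
    return hits


# Constructed sample log lines (field names are assumptions, not a real OWA format).
SAMPLE_LOGS = [
    "2023-06-16T08:12:01Z src=195.26.87.219 user=jdoe@contoso.example path=/owa/service.svc status=200",
    "2023-06-16T08:12:05Z src=203.0.113.7 user=jdoe@contoso.example path=/owa/service.svc status=200",
    "2023-06-16T08:13:44Z src=185.236.228.18 user=asmith@contoso.example path=/owa/ status=200",
    "2023-06-16T09:01:10Z av=scan file=C:\\tmp\\tool.ps1 sha1=D4B4CCCDA9228624656BFF33D8110955779632AA",
    "2023-06-16T09:02:30Z src=116.202.251.8 user=asmith@contoso.example path=/owa/service.svc?action=GetAttachment status=200",
]


if __name__ == "__main__":
    for line_no, kind, value, line in scan_logs(SAMPLE_LOGS, load_iocs(IOC_TEXT)):
        print(f"line {line_no}: {kind} {value} -> {line}")
```

Hash matching is case-insensitive because endpoint tools commonly emit uppercase hex, and the third sample line is a deliberate near-miss to show that substring matches are not reported.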
