On Friday, Microsoft sought to explain the cause of a breach that allowed hackers working for the Chinese government to access the email accounts of 25 organizations, reportedly including the US Departments of State and Commerce and other sensitive organizations.
In a post on Friday, the company indicated that the attack resulted from three exploited vulnerabilities in either its Exchange Online email service or Azure Active Directory, an identity service that manages single sign-on and multi-factor authentication for large organizations. Microsoft’s Threat Intelligence team said Storm-0558, a China-based hacking group that conducts espionage on behalf of that country’s government, was exploiting them as of May 15. Microsoft drove out the attackers on June 16 after a customer tipped off the company’s investigators about the intrusion.
Above all: avoid the Z-word
In standard language among security professionals, this means that Storm-0558 exploited zero-days in the Microsoft cloud services. A “zero-day” is a vulnerability known to or exploited by outsiders before the vendor has a patch for it. “Exploit” means using code or other means to activate a vulnerability in a way that causes harm to the vendor or others.
While both conditions are clearly met in the Storm-0558 intrusion, Friday’s post and two others Microsoft published Tuesday bend over backwards to avoid the words “vulnerability” or “zero-day.” Instead, the company uses significantly more amorphous terms like “issue,” “error,” and “flaw” when trying to explain how nation-state hackers tracked the email accounts of some of the company’s largest clients.
“In-depth analysis of Exchange Online activity revealed that the actor was in fact counterfeiting Azure AD tokens using an acquired Microsoft Account (MSA) consumer signing key,” Microsoft researchers wrote Friday. “This was made possible by a validation error in Microsoft code.”
Later in the post, the researchers said that Storm-0558 obtained an inactive signing key used for consumer cloud accounts and somehow managed to use it to counterfeit tokens for Azure AD, a supposedly fortified cloud service that stores the keys thousands of organizations use to manage account logins on both their internal and cloud-based networks.
“The manner in which the actor obtained the key is a matter of ongoing investigation,” the post read. “While the key was only intended for MSA accounts, a validation issue caused this key to be trusted for Azure AD token signing.”
Two paragraphs later, Microsoft said Storm-0558 used the counterfeit token to access Exchange email accounts through an Outlook Web Access (OWA) programming interface. The researchers wrote:
Once authenticated through a legitimate client flow using the counterfeit token, the threat actor accessed the OWA API to retrieve a token for Exchange Online from the GetAccessTokenForResource API used by OWA. Due to a design flaw, the actor was able to obtain new access tokens by presenting one previously issued by this API. This bug in the GetAccessTokenForResource API has since been fixed to only accept tokens issued by Azure AD or MSA respectively. The actor used these tokens to retrieve mail messages from the OWA API.
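The two validation failures described above (a consumer-realm signing key trusted for enterprise tokens, and a resource endpoint that accepted tokens it had minted itself) are easiest to see in code. The following is an added example written for this article; it is not Microsoft’s code and does not reflect how Azure AD, MSA or OWA are actually implemented. It uses HMAC-SHA256 tokens in a JWT-like layout as a constructed stand-in for the real signed tokens, and every key, issuer name and function name below is an assumption made for illustration. It shows the mis-scoped validator beside a key-scoped one, and the token-chaining design flaw beside the corrected issuer check.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed issuers and keys for this example (placeholders, not real values).
CONSUMER_ISSUER = "https://login.consumer.example"      # stands in for the MSA realm
ENTERPRISE_ISSUER = "https://login.enterprise.example"  # stands in for the Azure AD realm
RESOURCE_ISSUER = "owa-resource-endpoint"               # stands in for the resource-token API

CONSUMER_KEYS = {"msa-key-1": b"consumer-signing-key-constructed"}
ENTERPRISE_KEYS = {"aad-key-1": b"enterprise-signing-key-constructed"}
RESOURCE_KEYS = {"owa-key-1": b"resource-signing-key-constructed"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, kid: str, key: bytes) -> str:
    """Mint a compact HS256 token: header.payload.signature (JWT-like layout)."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def verify_with_keyring(token: str, keyring: dict) -> Optional[dict]:
    """Return the claims if the signature verifies under a key from `keyring` (kid -> key)."""
    try:
        h, p, s = token.split(".")
        kid = json.loads(_unb64(h)).get("kid")
        key = keyring.get(kid)
        if key is None:
            return None
        expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(s)):
            return None
        return json.loads(_unb64(p))
    except (ValueError, AttributeError):
        return None  # malformed token


def verify_enterprise_flawed(token: str) -> Optional[dict]:
    """Validation error: one merged keyring, so a consumer-realm key also validates enterprise tokens."""
    merged = {**CONSUMER_KEYS, **ENTERPRISE_KEYS}
    claims = verify_with_keyring(token, merged)
    if claims is None or claims.get("iss") != ENTERPRISE_ISSUER:
        return None
    return claims


def verify_enterprise_fixed(token: str) -> Optional[dict]:
    """Key scoping: only enterprise keys may validate a token presented to the enterprise realm."""
    claims = verify_with_keyring(token, ENTERPRISE_KEYS)
    if claims is None or claims.get("iss") != ENTERPRISE_ISSUER:
        return None
    return claims


def get_access_token_for_resource(presented: str, resource: str, accept_own_tokens: bool) -> Optional[str]:
    """Exchange an identity token for a resource token (hypothetical endpoint).

    accept_own_tokens=True models the design flaw: the endpoint also honours tokens it minted
    itself, so one resource token can be chained into more. With False it accepts only tokens
    from the upstream identity issuers, and a previously issued resource token is rejected.
    """
    trusted = {CONSUMER_ISSUER: CONSUMER_KEYS, ENTERPRISE_ISSUER: ENTERPRISE_KEYS}
    if accept_own_tokens:
        trusted[RESOURCE_ISSUER] = RESOURCE_KEYS
    for issuer, keyring in trusted.items():
        claims = verify_with_keyring(presented, keyring)
        # The issuer claim is only trusted after the signature verified under that issuer's keys.
        if claims is not None and claims.get("iss") == issuer and claims.get("sub"):
            new_claims = {"iss": RESOURCE_ISSUER, "sub": claims["sub"], "aud": resource}
            return sign_token(new_claims, "owa-key-1", RESOURCE_KEYS["owa-key-1"])
    return None


def demo() -> dict:
    """Run both scenarios and return the outcomes so they can be checked."""
    subject = {"iss": ENTERPRISE_ISSUER, "sub": "user@corp.example"}  # constructed subject
    # A token claiming the enterprise issuer but signed with the consumer-realm key.
    mis_scoped = sign_token(subject, "msa-key-1", CONSUMER_KEYS["msa-key-1"])
    genuine = sign_token(subject, "aad-key-1", ENTERPRISE_KEYS["aad-key-1"])
    results = {
        "mis_scoped_accepted_by_flawed": verify_enterprise_flawed(mis_scoped) is not None,
        "mis_scoped_accepted_by_fixed": verify_enterprise_fixed(mis_scoped) is not None,
        "genuine_accepted_by_fixed": verify_enterprise_fixed(genuine) is not None,
    }
    first = get_access_token_for_resource(genuine, "exchange-online", accept_own_tokens=True)
    results["chained_from_own_token_flawed"] = (
        get_access_token_for_resource(first, "exchange-online", accept_own_tokens=True) is not None)
    results["chained_from_own_token_fixed"] = (
        get_access_token_for_resource(first, "exchange-online", accept_own_tokens=False) is not None)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design point is that a verifier selects its keyring from the realm it serves, never from an unverified claim inside the token, and that a token-issuing endpoint treats its own output as a credential for the resource, not as proof of identity that can be exchanged again.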
A plain-English summary of the event appears to be: Microsoft has patched three vulnerabilities in its cloud service that were discovered after Storm-0558 exploited them to gain access to customer accounts. It would also be helpful if Microsoft provided a tracking designation under the Common Vulnerabilities and Exposures (CVE) system, as other cloud companies do. So why isn’t Microsoft doing the same?
“I don’t think Microsoft ever acknowledges vulnerabilities in their cloud services (there are no CVEs for cloud either), and you’re not saying Microsoft was breached,” independent researcher Kevin Beaumont said on Mastodon. “In the original MSRC blog, they said ‘exploit’ in relation to Microsoft’s cloud services, and you’re exploiting a vulnerability. So I think it’s fair to say they did indeed have vuln(s).”
Microsoft issued the following comment: “We don’t have any evidence that the actor exploited a 0day.” Microsoft did not elaborate further. In one of two posts published Tuesday, Microsoft said, “The actor exploited a token validation issue to impersonate Azure AD users and access corporate email.” Ars has asked for clarification on what exactly has been exploited by the threat actor.
Pay-to-play security
Not only is Microsoft opaque about the cause of the breach and its own role in it, but it’s also under fire for withholding details that some victims could have used to detect the breach, something critics have called “pay-to-play security.” According to the US Cybersecurity and Infrastructure Security Agency, a federal agency breached by Storm-0558, it discovered the intrusion through audit logs that track logins and other key events affecting customers’ Microsoft cloud accounts.
However, Microsoft requires customers to pay an additional fee to access these records. The cost for an “E5” business license that enables such access is $57 per month per user, compared to an E3 license cost of $36 per month per customer.
“The fact that Microsoft only allows those who pay the extra money for E5 licenses to see the relevant logs is, well, something…,” said Will Dormann, senior principal analyst at Analygence, in an interview. “If you are not an E5 paying customer, you lose the ability to see that you have been compromised.”
While Microsoft’s disclosures are less than clear about the role the vulnerabilities played in breaching organizations’ accounts, Friday’s post provides useful indicators that people can use to determine whether they have been targeted or compromised by Storm-0558.