Microsoft quietly snuck out a blog yesterday to say that Office 365 got compromised by China and used to steal emails. Thread follows. https://msrc.microsoft.com/blog/2023/07/microsoft-mitigates-china-based-threat-actor-storm-0558-targeting-of-customer-email/
Microsoft mitigates China-based threat actor Storm-0558 targeting of customer email | MSRC Blog | Microsoft Security Response Center

They used Outlook Web App - runs the Exchange Server codebase btw - to craft tokens to bypass auth.

There's some clever wording in the blog around only impacting OWA. OWA is a part of Microsoft 365 and Exchange Online.

The problem was discovered by the US Government and reported to Microsoft. https://edition.cnn.com/2023/07/12/politics/china-based-hackers-us-government-email-intl-hnk/index.html

Microsoft have not linked the blog on @msftsecintel or @msftsecresponse Twitter accounts or social media, instead linking pieces yesterday about an unrelated phishing campaign.

This one looks like a huge mistake: a consumer MSA key (managed end to end by Microsoft; there are no external logs) was able to forge any Azure AD key.

It's only become public, it appears, because the US Government told Microsoft, which forces public disclosure.

Although MS haven't called this a vulnerability, haven't issued a CVE or used the term zero day (they don't issue CVEs for cloud services), forging a token is a vulnerability, so it's a zero day.

CISA's advisory on the Microsoft 365 compromise is wayyyyyyyyyyy better than the Microsoft advisory - contains actionable hunting and logging information. Kinda nuts that the US Government are providing better information about Microsoft than Microsoft.

https://www.cisa.gov/sites/default/files/2023-07/aa23-193a_joint_csa_enhanced_monitoring_to_detect_apt_activity_targeting_outlook_online.pdf

Another element - to spot this activity, the US government used enhanced logging aka Purview Audit (Premium) logging - the US government had a huge public fight with Microsoft a few years ago over the cost of getting access to it. Turns out they needed it indeed.
Does anybody have the AppID used in the Microsoft 365 compromise? -> [email protected]
WSJ reporting the Microsoft 365 hack was used to spy on the State Department. https://www.wsj.com/articles/chinese-hackers-spied-on-state-department-13a09f03
Chinese Hackers Breached Email of Commerce Secretary Gina Raimondo and State Department Officials

Hackers didn’t appear to gain access to national security information

For anybody interested - the “acquired Microsoft account (MSA) consumer signing key” used in this must have come from inside Microsoft’s internal network.
The teams who worked on the Microsoft 365 breach of customer data are having a snow day still, I see.

Okay - I found a victim org.

The situation for them is 😬

MS are going to have to release more info, methinks, or I crank out the blog writing.

Really good Washington Post piece on the breach of Microsoft 365’s email service.

- hackers accessed customer emails for a month
- Microsoft didn’t notice
- USG had to tell them
- The access to generate tokens very likely came from MS being hacked and not realising

https://archive.is/2023.07.12-230927/https://www.washingtonpost.com/national-security/2023/07/12/microsoft-hack-china/

None of these would have helped, since the breach was at Microsoft’s end.

Talked to another impacted victim org in the Microsoft 365 hack, they basically got no actionable info from MS. Basically ‘lol you got hacked’ with wordsmithing and padding. 👀😬

I think I’m going to post hunting queries for this with an MS Paint logo.

🎶 regulation 🎶

I agree with CISA here (and have publicly for years) - security access logs for customers' own services shouldn't be locked behind E5 per-user licensing.

Yes, it will cost Microsoft money in upsell. They're more profitable than a large portion of the UK economy; they can afford it.

I should also point out the reason Microsoft was able to tell orgs specifically that they'd been targeted even when they didn't have E5 is that MS already store the logs anyway.

https://archive.ph/MFnxP

On how the USG, European govs and Microsoft have been threat hunting the MS 365 breach, per Microsoft documentation on the logs... "If a mailbox is throttled, you can probably assume there was MailItemsAccessed activity that wasn't recorded in the audit logs."
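As an added example (not from the thread, the CISA advisory or Microsoft), a small Python check over Unified Audit Log MailItemsAccessed records that applies the throttling caveat quoted above: it lists mailboxes whose audit trail is likely incomplete and counts accesses per client app id. The records and the PLACEHOLDER-APPID values are constructed samples, not the actor's real AppID.

```python
from collections import Counter

# Constructed sample of Unified Audit Log AuditData records, trimmed to the
# fields this check uses. ClientAppId values are placeholders, not the actor's
# real AppID (the thread does not reproduce it).
SAMPLE_RECORDS = [
    {"CreationTime": "2023-06-15T03:12:44", "Operation": "MailItemsAccessed",
     "UserId": "alice@example.org", "ClientAppId": "PLACEHOLDER-APPID-1",
     "ClientInfoString": "Client=OWA;Action=ViaProxy",
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                             {"Name": "IsThrottled", "Value": "False"}]},
    {"CreationTime": "2023-06-15T03:13:02", "Operation": "MailItemsAccessed",
     "UserId": "bob@example.org", "ClientAppId": "PLACEHOLDER-APPID-2",
     "ClientInfoString": "Client=REST;Client=RESTSystem;;",
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"},
                             {"Name": "IsThrottled", "Value": "True"}]},
    {"CreationTime": "2023-06-15T03:14:10", "Operation": "MailItemsAccessed",
     "UserId": "bob@example.org", "ClientAppId": "PLACEHOLDER-APPID-2",
     "ClientInfoString": "Client=REST;Client=RESTSystem;;",
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                             {"Name": "IsThrottled", "Value": "False"}]},
]

def op_prop(record, name):
    """Value of one OperationProperties entry (e.g. IsThrottled), or None."""
    for prop in record.get("OperationProperties", []):
        if prop.get("Name") == name:
            return prop.get("Value")
    return None

def throttled_mailboxes(records):
    """Mailboxes with a throttled MailItemsAccessed record. Per the Microsoft
    documentation quoted in the thread, assume further accesses went unrecorded."""
    return sorted({r["UserId"] for r in records
                   if r.get("Operation") == "MailItemsAccessed"
                   and op_prop(r, "IsThrottled") == "True"})

def access_by_app(records):
    """MailItemsAccessed count per (mailbox, ClientAppId), so an unfamiliar
    app id reading many mailboxes stands out for review."""
    return Counter((r["UserId"], r.get("ClientAppId")) for r in records
                   if r.get("Operation") == "MailItemsAccessed")

if __name__ == "__main__":
    print("audit gap likely for:", throttled_mailboxes(SAMPLE_RECORDS))
    for (user, app), n in access_by_app(SAMPLE_RECORDS).most_common():
        print(f"{user:20} {app:22} {n} MailItemsAccessed")
```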
Really good new MS blog on the MS compromise - contains IOCs etc. I'll put MSPaint.exe down. https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/
Analysis of Storm-0558 techniques for unauthorized email access | Microsoft Security Blog

Analysis of the techniques used by the threat actor tracked as Storm-0558 for obtaining unauthorized access to email data, tools, and unique infrastructure characteristics. 

“We don’t have any evidence that the actor exploited a 0day,” say Microsoft. Their first blog on this says “exploit” - so are MS saying they don’t patch vulnerabilities in their cloud? 🤔

Their latest blog also says “This was made possible by a validation error in Microsoft code” - which is a vulnerability. Which is a 0day as it was under exploitation before Microsoft knew of it existing.

Microsoft lying to media and customers is not a good look.

https://arstechnica.com/security/2023/07/microsoft-takes-pains-to-obscure-role-in-0-days-that-caused-email-breach/

Microsoft takes pains to obscure role in 0-days that caused email breach

Critics also decry Microsoft's "pay-to-play" monitoring that detected intrusions.

All it took was Exchange Online in GCC and GCC High getting breached.

Non-E5 users to get some security log availability finally.

https://www.wsj.com/articles/microsoft-to-offer-some-cybersecurity-tools-free-after-suspected-china-hack-6db94221

WSJ News Exclusive | Microsoft to Offer Some Cybersecurity Tools Free After Suspected China Hack

Company says it will make security logs available to customers with lower-cost cloud services

@GossiTheDog This sounded very serious indeed.
@GossiTheDog with all the layoffs and worsening economy Microsoft probably couldn't afford E5
@GossiTheDog They should be generating new private keys every 24 hours. And have the previous keys be valid for 72-96 hours.
Nils Goroll (@[email protected])

In the context of the latest #microsoft #breach https://msrc.microsoft.com/blog/2023/07/microsoft-mitigates-china-based-threat-actor-storm-0558-targeting-of-customer-email/ : We run a daily job checking Azure JWKS from https://login.microsoftonline.com/<AUD>/discovery/v2.0/keys into git. Here's the history of key IDs added and removed since 2022-12-05 (- removed, + added):

2023-06-01: -"nOo3ZDrODXEK1jKWhXslHR_KXEg"
2023-06-02: +"nOo3ZDrODXEK1jKWhXslHR_KXEg"
2023-06-03: -"nOo3ZDrODXEK1jKWhXslHR_KXEg"
2023-06-22: -"l3sQ-50cCH4xBVZLHTGwnSR7680"
2023-07-13: -"Mr5-AUibfBii7Nd1jBebaxboXW0"

more in 🧵#infosec

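An added example, not Nils's job or any code from the thread: given stored daily snapshots of that discovery document, it reconstructs the +/- key-id history posted above and flags a kid that disappears, returns and disappears again, which is the kind of churn the earlier reply about daily rotation would want to see. The snapshots themselves and the EXAMPLE-KID-UNCHANGED kid are constructed; only the three kids named in the post are real.

```python
import json
from collections import Counter

# Constructed daily snapshots of the JWKS document, trimmed to the fields this
# check uses (a real document also carries "n", "e" and "x5c"). The first three
# kids are the ones named in the post; EXAMPLE-KID-UNCHANGED is a constructed
# placeholder standing in for the keys that stayed put throughout.
A, B, C, D = ("nOo3ZDrODXEK1jKWhXslHR_KXEg", "l3sQ-50cCH4xBVZLHTGwnSR7680",
              "Mr5-AUibfBii7Nd1jBebaxboXW0", "EXAMPLE-KID-UNCHANGED")

def jwks(*kids):
    """Build a minimal RFC 7517 JWKS body for the given key ids."""
    return json.dumps({"keys": [{"kty": "RSA", "use": "sig", "kid": k} for k in kids]})

SNAPSHOTS = [  # (date fetched, document body as committed to git that day)
    ("2023-05-31", jwks(A, B, C, D)), ("2023-06-01", jwks(B, C, D)),
    ("2023-06-02", jwks(A, B, C, D)), ("2023-06-03", jwks(B, C, D)),
    ("2023-06-22", jwks(C, D)), ("2023-07-13", jwks(D)),
]

def key_ids(document):
    """Set of kid values advertised by a JWKS document."""
    return {key["kid"] for key in json.loads(document)["keys"]}

def kid_history(snapshots):
    """(date, '-'|'+', kid) for each key removed or added between consecutive
    snapshots; a day with no change contributes nothing."""
    events = []
    for (_, prev), (date, cur) in zip(snapshots, snapshots[1:]):
        before, after = key_ids(prev), key_ids(cur)
        events += [(date, "-", k) for k in sorted(before - after)]
        events += [(date, "+", k) for k in sorted(after - before)]
    return events

def flapping_kids(history):
    """Kids removed more than once (gone, back, gone again). Routine rotation
    retires a key once, so a key that returns deserves a closer look."""
    removals = Counter(k for _, sign, k in history if sign == "-")
    return sorted(k for k, n in removals.items() if n > 1)

if __name__ == "__main__":
    history = kid_history(SNAPSHOTS)
    for date, sign, kid in history:
        print(f'{date}: {sign}"{kid}"')
    print("flapping:", flapping_kids(history))
```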
@slink @GossiTheDog Hmm, so they aren't actually rotating, just removing abused ones, as if the attacker didn't grab them all.
@GossiTheDog They have been doing it since 1975. What's new? Only the language used and Gates' whiny voice isn't there anymore.
@GossiTheDog
Maybe E5 was too expensive and they just don't have logs.
@GossiTheDog What does this tell us that we didn't already know? Is it just the IoCs, or are there other new and helpful details?
@dangoodin from a reporting point of view I don't think there's anything new, but it's good from a customer point of view as it gives new things to look at

@GossiTheDog @dangoodin did we know this little tidbit before?

"Though the key was intended only for MSA accounts, a validation issue allowed this key to be trusted for signing Azure AD tokens. This issue has been corrected."

@GossiTheDog I have been on the sidelines when it comes to this event, but my impression has been that Microsoft is dancing around the precise role of its own cloud service in this breach. It's a vulnerability in their own cloud service that is the root cause, yes? If so, shouldn't Microsoft say that?
@GossiTheDog As Will notes, they say the "issue" has been corrected, when, in fact, the thing that has been corrected is a zeroday. They also reference consumer accounts in the "public cloud," when they should say OWA accounts. Do you agree with my read of today's post?

@dangoodin I don't think Microsoft ever acknowledges vulnerabilities in their cloud services (also there's no CVEs for cloud), and you don't say breach at Microsoft.

So if you Ctrl+F I doubt you will find vulnerability or breach in relation to Microsoft.

They did say "exploit" in the original MSRC blog in relation to Microsoft's cloud services, and you exploit a vulnerability. So I think it's fair to say that, yes, they had vuln(s).

@GossiTheDog Yeah, but the earlier post says only that the threat actor "exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail." Microsoft never says whose "issue" it was.
@dangoodin @GossiTheDog surely Azure AD isn't letting anyone else perform token validation on their behalf?
@dangoodin it is Microsoft’s issue. They are the only party that validates Azure AD tokens.
@dangoodin @GossiTheDog Honestly the IoCs are a substantial addition to this case. I'm pleasantly surprised, I thought they would never publish them.
@GossiTheDog uhhhhhhmmmmm…why would they do this?
@deepthoughts10 @GossiTheDog Maybe you can buy additional logs per entry as an add-on just like with Teams Chat scanning?
@GossiTheDog Could we also not charge extra for BitLocker? All editions of Windows must include FDE.
@GossiTheDog I think this is a very important issue. #microsoft365 should include security logs in every license for free. Because otherwise they knowingly sell an insecurable system.
#gdpr basic rights for customers.

@GossiTheDog given how much Azure fraud is a result of credential stuffing, I’ve long argued that MSFT might very well save money by taking the account protection features currently gated by E3/E5/AAD P1/P2 and making them free for everyone.

Even if they didn’t save money on that, like you said: they could afford it.

@GossiTheDog I *hate* using security features as an upsell opportunity instead of a baseline requirement. Years ago Auth0 quoted us more for 2FA for identity users - I pushed back hard (and made it clear that they would be named in any breach comms), and they capitulated.
@cfg @GossiTheDog thank you for your service
@GossiTheDog Three orgs I manage MS365 for, we had no idea about this, never heard from MS. Does this mean our email is safe, or do we worry? Always err on the cautious side, but thought I’d ask… :)
@outofcontrol @GossiTheDog Check the Azure Logins report, I have seen a huge increase in attempts from China
@GossiTheDog Good grief. Sounds like ole Tom might be a proponent of the security-by-checklist approach so many big orgs live by.
@GossiTheDog
Wherein "robust security measures" means mark Microsoft as untrusted.
@GossiTheDog Perhaps some rigorous conditional access policies would have helped?
@GossiTheDog mfa makes me feel warm and fuzzy at least 🫠
@GossiTheDog it’s like adding a lock to a door while the robber is already inside looting
@GossiTheDog And people wonder why I hate Exchange so passionately.
@GossiTheDog they are using fucking Office 365? 😶
@GossiTheDog what is a USG exactly in this case? Pretty vague 'Government'.
United States Government
@GossiTheDog Perhaps one for the cloud vulnerability database? https://www.cloudvulndb.org/results?q=
Cloud vulnerabilities database - an open project to list all known cloud vulnerabilities and Cloud Service Provider security issues

@GossiTheDog the blog says
"Our telemetry indicates that we have successfully blocked Storm-0558 from accessing customer email using forged authentication tokens."

That surely does not say that they have blocked all the attempts before they blocked them...