Kevin BeaumontJul 12, 2023
Microsoft quietly snuck out a blog yesterday to say that Office 365 got compromised by China and used to steal emails. Thread follows. https://msrc.microsoft.com/blog/2023/07/microsoft-mitigates-china-based-threat-actor-storm-0558-targeting-of-customer-email/
Microsoft mitigates China-based threat actor Storm-0558 targeting of customer email | MSRC Blog | Microsoft Security Response Center

Microsoft mitigates China-based threat actor Storm-0558 targeting of customer email

Show threadKevin BeaumontJul 12, 2023

They used Outlook Web App - runs the Exchange Server codebase btw - to craft tokens to bypass auth.

There's some clever wording in blog around only impacting OWA. OWA is a part of Microsoft 365 and Exchange Online.

The problem was discovered by the US Government and reported to Microsoft. https://edition.cnn.com/2023/07/12/politics/china-based-hackers-us-government-email-intl-hnk/index.html

Show threadKevin BeaumontJul 12, 2023
Microsoft have not linked the blog on @msftsecintel or @msftsecresponse Twitter accounts or social media, instead linking pieces yesterday about an unrelated phishing campaign.
Show threadKevin BeaumontJul 12, 2023

This one looks like a huge mistake, a consumer MSA key (managed end to end by Microsoft - there's no external logs) was able to forge any Azure AD key.

It's only become public it appears as the US Government told Microsoft, which forces public disclosure.

Show threadKevin BeaumontJul 12, 2023
Although MS haven't called this a vulnerability, haven't issued a CVE or used the term zero day.. they don't issue CVEs for cloud services, forging a token is a vulnerability, so it's a zero day.
Show threadKevin BeaumontJul 12, 2023

CISA's advisory on the Microsoft 365 compromise is wayyyyyyyyyyy better than the Microsoft advisory - contains actionable hunting and logging information. Kinda nuts that the US Government are providing better information about Microsoft than Microsoft.

https://www.cisa.gov/sites/default/files/2023-07/aa23-193a_joint_csa_enhanced_monitoring_to_detect_apt_activity_targeting_outlook_online.pdf

Show threadKevin BeaumontJul 12, 2023
Another element - to spot this activity, the US government used enhanced logging aka Purview Audit (Premium) logging - the US government had a huge public fight with Microsoft over this a few years ago over cost, to get access. Turns out they needed it indeed.
Show threadKevin BeaumontJul 12, 2023
Does anybody have the AppID used in the Microsoft 365 compromise? -> [email protected]
Show threadKevin BeaumontJul 12, 2023
WSJ reporting the Microsoft 365 hack was used to spy on the State Department. https://www.wsj.com/articles/chinese-hackers-spied-on-state-department-13a09f03
Chinese Hackers Breached Email of Commerce Secretary Gina Raimondo and State Department Officials

Hackers didn’t appear to gain access to national security information

WSJ
Show threadKevin BeaumontJul 12, 2023
For anybody interested - the “acquired Microsoft account (MSA) consumer signing key” used in this must have come from inside Microsoft’s internal network.
Show threadKevin BeaumontJul 12, 2023
The teams who worked on the Microsoft 365 breach of customer data are having a snow day still, I see.
Show threadKevin BeaumontJul 12, 2023

Okay - I found a victim org.

The situation for them is 😬

MS are going to have to release more info, methinks.. or I crank out the blog writing.

Show threadKevin BeaumontJul 12, 2023

Really good Washington Post piece on the breach of Microsoft 365’s email service.

- hackers accessed customer emails for a month
- Microsoft didn’t notice
- USG had to tell them
- The access to generate tokens very likely came from MS being hacked and not realising

https://archive.is/2023.07.12-230927/https://www.washingtonpost.com/national-security/2023/07/12/microsoft-hack-china/

Show threadKevin BeaumontJul 13, 2023
None of these would have helped, since the breach was at Microsoft’s end.
Show threadKevin Beaumont

Talked to another impacted victim org in the Microsoft 365 hack, they basically got no actionable info from MS. Basically ‘lol you got hacked’ with wordsmithing and padding. 👀😬

I think I’m going to post hunting queries for this with an MS Paint logo.

Jul 13, 2023 at 3:52pmWeb
Show threadKevin BeaumontJul 13, 2023

🎶 regulation 🎶

I agree with CISA here (and have publicly for years) - security access logs for customers own services shouldn't be locked behind E5 per user licensing.

Yes, it will cost Microsoft money in upsell. They're more profitable than a large portion of the UK economy; they can afford it.

I should also point out the reason Microsoft was able to tell orgs specifically that they'd be targeted even when they didn't have E5 is MS already store the logs anyway.

https://archive.ph/MFnxP

Show threadKevin BeaumontJul 14, 2023
On how the USG, European govs and Microsoft have been threat hunting the MS 365 breach, per Microsoft documentation on the logs... "If a mailbox is throttled, you can probably assume there was MailItemsAccessed activity that wasn't recorded in the audit logs."
Show threadKevin BeaumontJul 14, 2023
Really good new MS blog on the MS compromise - contains IOCs etc. I'll put MSPaint.exe down. https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/
Analysis of Storm-0558 techniques for unauthorized email access | Microsoft Security Blog

Analysis of the techniques used by the threat actor tracked as Storm-0558 for obtaining unauthorized access to email data, tools, and unique infrastructure characteristics. 

Microsoft Security Blog
Show threadKevin BeaumontJul 14, 2023

“We don’t have any evidence that the actor exploited a 0day." say Microsoft. Their first blog on this says “exploit” - so are MS saying they don’t patch vulnerabilities in their cloud? 🤔

Their latest blog also says “This was made possible by a validation error in Microsoft code” - which is a vulnerability. Which is a 0day as it was under exploitation before Microsoft knew of it existing.

Microsoft lying to media and customers is not a good look.

https://arstechnica.com/security/2023/07/microsoft-takes-pains-to-obscure-role-in-0-days-that-caused-email-breach/

Microsoft takes pains to obscure role in 0-days that caused email breach

Critics also decry Microsoft's "pay-to-play" monitoring that detected intrusions.

Ars Technica
Show threadKevin BeaumontJul 15, 2023
Show threadKevin BeaumontJul 19, 2023

All it took was Exchange Online in GCC and GCC High getting breached

Non-E5 users to get some security log availability finally.

https://www.wsj.com/articles/microsoft-to-offer-some-cybersecurity-tools-free-after-suspected-china-hack-6db94221

WSJ News Exclusive | Microsoft to Offer Some Cybersecurity Tools Free After Suspected China Hack

Company says it will make security logs available to customers with lower-cost cloud services

WSJ
Show threadKevin BeaumontJul 21, 2023

More details about the Microsoft 365 Exchange Online breach in this article.

Although not stated, orgs are struggling to understand the scope of the breach due to audit log limits on MailItemsAccessed - it stops recording after 1k items. https://www.wsj.com/articles/u-s-ambassador-to-china-hacked-in-china-linked-spying-operation-f03de3e4

U.S. Ambassador to China Hacked in China-Linked Spying Operation

Spying campaign also compromised State Department official who oversees East Asia

The Wall Street Journal
Show threadKevin BeaumontJul 21, 2023

Just to loop this thread into this thread - I took a look at the attack path used in the M365 customer data breach.

A key part of the attack chain was documented by Microsoft at BlackHat in 2019.

https://cyberplace.social/@GossiTheDog/110736594147931759

Kevin Beaumont (@[email protected])

Attached: 2 images Been looking at Microsoft 365 email breach some more - it looks like Microsoft were aware of issues in same token validation space in Exchange Online 4 years ago. MS did a talk at BlackHat about it, after somebody external pointed out an invalid token allowed any email box to be accessed via consumer Outlook.com. They fixed that issue - but still allowed any valid MS token to access any email, so the threat actor stole one of the MSA certs. Talk: https://www.youtube.com/watch?v=KN6e1mqcB9s

Cyberplace
Show threadKevin BeaumontJul 21, 2023

Wiz have an in-depth look at what they think happened at Microsoft over the Microsoft 365 breach.

They nail a new detail - one of the 'acquired' signing keys expired in 2021, but apparently it was still valid in Microsoft's cloud services. https://www.wiz.io/blog/storm-0558-compromised-microsoft-key-enables-authentication-of-countless-micr

Compromised Microsoft Key: More Impactful Than We Thought | Wiz Blog

Our investigation of the security incident disclosed by Microsoft and CISA and attributed to Chinese threat actor Storm-0558, found that this incident seems to have a broader scope than originally assumed. Organizations using Microsoft and Azure services should take steps to assess potential impact.

wiz.io
Show threadKevin BeaumontJul 22, 2023

YOU MUST ONLY READ THE OFFICIAL BLOGS

there is no breach
there is no vulnerability
there are no zero days
*jedi wave*

https://therecord.media/microsoft-disputes-report-on-chinese-hacking

Microsoft disputes report that Chinese hackers could have accessed suite of programs

Microsoft is disputing a new report that claims hackers may have had access to more parts of victims’ systems than previously known in a campaign that targeted dozens of organizations, including government agencies.

Show threadKevin BeaumontSep 6, 2023

The Microsoft write up on how Microsoft 365 got owned to steal customer emails is out. It’s really good and honest from a technical level I think, if you’ve been following the details closely. Top points to the US Gov for forcing public disclosure originally btw.

https://msrc.microsoft.com/blog/2023/09/results-of-major-technical-investigations-for-storm-0558-key-acquisition/

Results of Major Technical Investigations for Storm-0558 Key Acquisition | MSRC Blog | Microsoft Security Response Center

Results of Major Technical Investigations for Storm-0558 Key Acquisition

Show threadDan GoodinSep 6, 2023

@GossiTheDog Kevin, do you think Microsoft should disclose how the corporate account of its engineer got hacked? This seems like an important detail assuming Microsoft's goal is transparency.

Also, what do you think of the repeated use of the word "issue" in the post? Isn't "vulnerability" the correct term here?

Show threadJPSep 6, 2023
@dangoodin @GossiTheDog yes, I want to know how they just happened to have access when this crashdump just happened to come across the fence. Smells like persistent access to me. For how long? What else did they do or see? What other systems inside MS are at risk as a result?
Show threadi.grokSep 7, 2023
@daedalus @dangoodin @GossiTheDog if the crash dump had been exposed for years, they wouldn't need to lie in wait
Show threadAlesandro Ortiz 🇵🇷🏳️‍🌈Sep 6, 2023
@GossiTheDog Since this was detected by an enterprise customer, I wonder if the key leak would have been detected by Microsoft if the attacker had only used it to access consumer accounts (as intended). That would have been quite bad by itself.
Show threadDoesSec 🔐 🪪 ☕ Sep 6, 2023

@GossiTheDog

So the attackers discovered key material in Microsoft's super secure corporate environment that Microsoft itself didn't know had left the production environment, were able to exfiltrate the key material, and Microsoft doesn't want to have noticed any of this?

That sounds very unbelievable to me.

Show threadDave from accountingSep 6, 2023

@doessec @GossiTheDog
My mind was like "Riiiiight 🤫" APT just so happen to compromise an account and miraculously happen to find the proverbial needle in the haystack. And of course the log retention deleted all traces of this.

If I were to write the movie script, I would make it more believable, and put an insider threat in place that, when this person found that key just thought 💰💰💰 jackpot, retirement secured 😎

But, these guys would most likely have had that account compromised a long time and sifted through dumps on a regular basis looking for exactly something like this.

I would... 🤗

Show threadPreston de Guise 🏳️‍🌈✍🏼Jul 22, 2023
@GossiTheDog “Do not look at the man behind the curtain!"
Show threadC-richJul 22, 2023
@GossiTheDog
Smilyanets and Cimpanu both always provide intriguing content
Show threadChristoph StoettnerJul 22, 2023
https://de.web.img3.acsta.net/r_1024_576/medias/nmedia/18/66/75/86/18953144.jpg only faith is required @GossiTheDog
Show threadSimonoidJul 22, 2023
@GossiTheDog
Show thread𝖋𝖑𝖔𝖗𝖎𝖓 🇨🇦Jul 22, 2023
@GossiTheDog Don’t look up!
Show threadTim HergertJul 22, 2023
@GossiTheDog New MS Press lead
Show threadSam VargheseJul 22, 2023
@GossiTheDog https://itwire.com/open-sauce/azure-breach-microsoft-okays-wiz-post-on-continued-danger,-then-denies-it.html
iTWire - Azure breach: Microsoft okays Wiz post on continued danger, then denies it

Microsoft is continuing to obfuscate about a recent attack on its Azure cloud infrastructure, saying a post, that claims danger from the attack still exists, is speculative and not evidence-based. The company is mentioned in that same post as having checked the content for technical accuracy. Shir T...

Show threadFritz AdalisJul 21, 2023
@GossiTheDog
I wonder if they only checked that it was signed by the right ca?
Show threadFritz AdalisJul 21, 2023
@GossiTheDog
Or I could read the article which describes what happens.
Show threadTanawtsJul 21, 2023

@GossiTheDog Not Surprised <Surprised-Pikachu-Face>

The Emperor's New Certs

Certificate lifecycle management is tedious and hard at scale; shortcuts will be found in lots of places across the industry regardless of banner waving best practices :|

Show threadTindraJul 21, 2023
@GossiTheDog
Show threadocdtrekkieJul 21, 2023
@GossiTheDog I love when things like this make it really obvious moving Exchange to the cloud was an absolutely massive mistake.
Show threadstarbuck3000Jul 21, 2023
@GossiTheDog : I noticed that powershell tends to return up to 1'000 events but I hadn't heard about this limitation. Do you have more information about this? If this is true, the "audit log" should never be called as such.
Show threadJimJul 19, 2023
@GossiTheDog This sounded very serious indeed.
Show threadRicky BooneJul 19, 2023
@GossiTheDog oh, how gracious of them. 🙄
Show threadB-rad 🏳️‍🌈👨‍💻Jul 19, 2023
@GossiTheDog
Show threadPär BjörklundJul 15, 2023
@GossiTheDog with all the layoffs and worsening economy Microsoft probably couldn't afford E5
Show threadJimJul 14, 2023
@GossiTheDog They should be generating new private keys every 24 hours. And have the previous keys be valid for 72-96 hours.
Show threadNils Goroll 🕊️Jul 17, 2023
@toyotabedzrock @GossiTheDog on that matter: https://fosstodon.org/@slink/110729194847294335
Nils Goroll (@[email protected])

In the context of the latest #microsoft #breach https://msrc.microsoft.com/blog/2023/07/microsoft-mitigates-china-based-threat-actor-storm-0558-targeting-of-customer-email/ : We run a daily job checking azure jwks from https://login.microsoftonline.com/<AUD>/discovery/v2.0/keys into git. Here's the history of key ids added and removed since 2022-12-05 (- removed, + added): 2023-06-01: -"nOo3ZDrODXEK1jKWhXslHR_KXEg" 2023-06-02: +"nOo3ZDrODXEK1jKWhXslHR_KXEg" 2023-06-03: -"nOo3ZDrODXEK1jKWhXslHR_KXEg" 2023-06-22: -"l3sQ-50cCH4xBVZLHTGwnSR7680" 2023-07-13: -"Mr5-AUibfBii7Nd1jBebaxboXW0" more in 🧵#infosec

Fosstodon
Show threadJimJul 17, 2023
@slink @GossiTheDog Hmm so they aren't actually rotating just removing abused ones as if they attacker didn't grab them all.
Show threadSam VargheseJul 14, 2023
@GossiTheDog They have been doing it since 1975. What's new? Only the language used and Gates' whiny voice isn't there anymore.
Show threadFritz AdalisJul 15, 2023
@GossiTheDog
Maybe E5 was too expensive and they just don't have logs.
Show threadDan GoodinJul 14, 2023
@GossiTheDog What does this tell us that we didn't already know? Is it just the IoCs, or are there other new and helpful details?
Show threadKevin BeaumontJul 14, 2023
@dangoodin from a reporting point of view I don't think anything new, but good from customer point of view as it gives new things to look at
Show threadWill SmartJul 14, 2023

@GossiTheDog @dangoodin did we know this little tidbit before?

"Though the key was intended only for MSA accounts, a validation issue allowed this key to be trusted for signing Azure AD tokens. This issue has been corrected."

Show threadDan GoodinJul 14, 2023
@GossiTheDog I have been on the sidelines when it comes to this event, but my impression has been that Microsoft is dancing around the precise role of its own cloud service in this breach. It's a vulnerability in their own cloud service. that is the root cause, yes? If so, shouldn't Microsoft say that?
Show threadDan GoodinJul 14, 2023
@GossiTheDog As Will notes, they say the "issue" has been corrected, when, in fact, the thing that has been corrected is a zeroday. They also reference consumer accounts in the "public cloud," when they should say OWA accounts. Do you agree with my read of today's post?
Show threadKevin BeaumontJul 14, 2023

@dangoodin I don't think Microsoft ever acknowledges vulnerabilities in their cloud services (also there's no CVEs for cloud), and you don't say breach at Microsoft.

So if you Ctrl+F I doubt you will find vulnerability or breach in relation to Microsoft.

They did say "exploit" in the original MSRC blog in relation to Microsoft's cloud services, and you exploit a vulnerability. So I think it's fair to say that, yes, they had vuln(s).

Show threadDan GoodinJul 14, 2023
@GossiTheDog Yeah, but the earlier post says only that the threat actor "exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail." Microsoft never says whose "issue" it was.
Show threadAdvanced Persistent TeapotJul 14, 2023
@dangoodin @GossiTheDog surely Azure AD isn't letting anyone else perform token validation on their behalf?
Show threadKevin BeaumontJul 14, 2023
@dangoodin it is Microsoft’s issue. They are the only party that validate Azure AD tokens.
Show threadJon (now at neuromatch.social)Jul 14, 2023
@GossiTheDog and they mention a "validation error in Microsoft code" which has since been fixed.

@dangoodin
Show threadCirioJul 15, 2023
@dangoodin @GossiTheDog Honestly the IoCs are a substantial addition to this case. I'm pleasantly surprised, I thought they would never publish them.
Show threadBrian ClarkJul 14, 2023
@GossiTheDog uhhhhhhmmmmm…why would they do this?
Show threadfaebudoJul 14, 2023
@deepthoughts10 @GossiTheDog Maybe you can buy additional logs per entry as an add-on just like with Teams Chat scanning?
Show threadChester Wisniewski 🇨🇦Jul 13, 2023
@GossiTheDog Could we also not charge extra for BitLocker? All editions of Windows must include FDE
Show threadHcInfosecJul 13, 2023
@GossiTheDog I think this is a very important issue. #microsoft365 should include security logs in every license for free. Because otherwise they knowingly sell an insecurable system.
#gdpr basic rights for customers.
Show threadMikeJul 13, 2023

@GossiTheDog given how much Azure fraud is a result of credential stuffing, I’ve long argued that MSFT might very well save money by taking the account protection features currently gated by E3/E5/AAD P1/P2 and making them free for everyone.

Even if they didn’t save money on that, like you said: they could afford it.

Show threadCorey GilmoreJul 13, 2023
@GossiTheDog I *hate* using security features as an upsell opportunity instead of a baseline requirement. Years ago Auth0 quoted us more for 2FA for identity users - I pushed back hard (and made it clear that they would be named in any breach comms), and they capitulated.
Show threadJosh SorefApr 4, 2024
@cfg @GossiTheDog thank you for your service
Show threadOut of Control   🇨🇦Jul 13, 2023
@GossiTheDog Three orgs I manage MS365 for, we had no idea about this, never heard from MS. Does this mean our email is safe, or do we worry? Always air on the cautious side, but thought I’d ask… :)
Show threadBrittJul 14, 2023
@outofcontrol @GossiTheDog Check the azure Logins report, I have seen a huge increase in attempts from China
Show threadTim SchofieldJul 13, 2023

@GossiTheDog

Yes!

*taps fingers*