{"id":95470,"date":"2023-07-13T07:45:00","date_gmt":"2023-07-13T07:45:00","guid":{"rendered":"https:\/\/cloudnewshub.com\/?p=95470"},"modified":"2023-07-13T07:45:00","modified_gmt":"2023-07-13T07:45:00","slug":"microsoft-issues-new-warning-over-chinese-cyber-espionage","status":"publish","type":"post","link":"https:\/\/cloudnewshub.com\/?p=95470","title":{"rendered":"Microsoft issues new warning over Chinese cyber espionage"},"content":{"rendered":"
<\/div>\n

A Chinese-state advanced persistent threat<\/a> (APT) actor tracked as Storm-0558 hacked into email accounts at multiple government agencies, and was able to lay low for over a month until being discovered and kicked out by Microsoft, it has been revealed.<\/p>\n

In a disclosure notice published on Tuesday 11 July<\/a> to coincide with its monthly round of security updates, Microsoft revealed details of an investigation it undertook based on customer reporting, beginning on 16 June.<\/p>\n

It found that beginning on 15 May, Storm-0558 accessed email data across 25 different organisations, and a smaller number of related personal email accounts from people associated with said organisations, using forged authentication tokens via an acquired Microsoft account consumer signing key.<\/p>\n

Microsoft Security executive vice-president Charlie Bell said: \u201cWe assess this adversary [Storm-0558] is focused on espionage, such as gaining access to email systems for intelligence collection. This type of espionage-motivated adversary seeks to abuse credentials and gain access to data residing in sensitive systems.<\/p>\n

\u201cMicrosoft\u2019s real-time investigation and collaboration with customers let us apply protections in the Microsoft Cloud to protect our customers from Storm-0558\u2019s intrusion attempts,\u201d he said. \u201cWe\u2019ve mitigated the attack and have contacted impacted customers. We\u2019ve also been partnering with relevant government agencies like DHS CISA. We\u2019re thankful they and others are working with us to help protect affected customers and address the issue. We\u2019re grateful to our community for a swift, strong and coordinated response.<\/p>\n

\u201cThe accountability starts right here at Microsoft,\u201d said Bell. \u201cWe remain steadfast in our commitment to keep our customers safe. We are continually self-evaluating, learning from incidents, and hardening our identity\/access platforms to manage evolving risks around keys and tokens.\u201d<\/p>\n

\n

<\/i>Token validation issue<\/h3>\n

HackerOne<\/a> EMEA solutions architect Shobhit Gautam explained that the root cause of the intrusion was most likely a token validation issue.<\/p>\n

\u201c[This] was exploited by the actors to impersonate Azure Active Directory [AD] users and gain access to enterprise mail,\u201d he said. \u201cSince the MSA key and Azure AD keys are generated and managed separately, the issue would lie in the validation logic.<\/p>\n

\u201cFor a successful exploitation, an attacker would need to gather information specific to the target \u2013 MSA Consumer Keys \u2013 and so would be fairly complicated to exploit. However, once in, the attacker would be able to have significant impact due to the ubiquity of the software,\u201d said Gautam. \u201cExploiting vulnerabilities in the supplier network has become a key tactic in the attacker\u2019s playbook.<\/p>\n

\u201cThe best way to identify complex vulnerability risk is to take an outsider\u2019s mindset that looks at how an attacker might make use of a variety of weaknesses to chain together to have a far more powerful impact. Government has been quick on the update of harnessing human intelligence to secure their defences.\u201d<\/p>\n

Mandiant<\/a> chief analyst John Hultquist said: \u201cChinese cyber espionage has come a long way from the smash-and-grab tactics many of us are familiar with. They have transformed their capability from one that was dominated by broad, loud campaigns that were far easier to detect. They were brash before, but now they are clearly focused on stealth.<\/p>\n

\u201cRather than manipulating unsuspecting victims into opening malicious files or links, these actors are innovating and designing new methods that are already challenging us. They are leading their peers in the deployment of zero-days and they have carved out a niche by targeting security devices specifically.<\/p>\n

\u201cThey\u2019ve even transformed their infrastructure \u2013 the way they connect to targeted systems,\u201d he said. \u201cThere was a time when they would come through a simple proxy or even directly from China, but now they are connecting through elaborate, ephemeral proxy networks of compromised systems. It\u2019s not uncommon for a Chinese cyber espionage intrusion to traverse a random home router. The result is an adversary much harder to track and detect.<\/p>\n

\u201cThe reality is that we are facing a more sophisticated adversary than ever, and we\u2019ll have to work much harder to keep up with them.\u201d<\/p>\n

This is the second time in a little under two months that Microsoft has gone public with accusations of coordinated cyber espionage campaigns by the Chinese state.<\/p>\n

Towards the end of May<\/a>, in collaboration with the UK\u2019s National Cyber Security Centre and its counterparts in Australia, Canada, New Zealand and the US, it highlighted the nefarious activities of an APT actor dubbed Volt Typhoon, which targeted operators of critical national infrastructure, including sites on Guam, a Pacific island territory of the US that would be of immense military value in any Western response to a hypothetical Chinese invasion of Taiwan.<\/p>\n

The Chinese government accused Microsoft and its government partners of being \u201cextremely unprofessional\u201d in response.<\/p>\n<\/section>\n","protected":false},"excerpt":{"rendered":"

A Chinese-state advanced persistent threat (APT) actor tracked as Storm-0558 hacked into email accounts at multiple government agencies, and was able to lay low for over a month until being discovered and kicked out by Microsoft, it has been revealed. In a disclosure notice published on Tuesday 11 July to coincide with its monthly round […]<\/p>\n","protected":false},"author":1,"featured_media":95471,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[533],"tags":[],"class_list":["post-95470","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-it"],"_links":{"self":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/95470","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=95470"}],"version-history":[{"count":0,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/95470\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/media\/95471"}],"wp:attachment":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=95470"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=95470"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=95470"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}