This post will take you through the latest Microsoft Outlook Email Security Breach, covering information on how it occurred, the threat actors behind it, and what Microsoft is doing to remedy the situation.
In an unprecedented incident that shook the security and digital worlds, a China-based threat actor breached Microsoft Outlook email accounts. Here is a closer examination of the incident, covering the tactics the threat actor employed and the measures Microsoft took to address the situation.
How Did the Microsoft Outlook Breach Originate?
In April 2021, an unexpected event occurred – a computer crash. The crash inadvertently exposed a vital component known as the “consumer signing key.” This key, which should have remained securely isolated, unexpectedly ended up in the crash dump. That set off a chain of events which allowed the Chinese malicious actor known as Storm-0558 to infiltrate Microsoft’s email system.
The Significance of the Consumer Signing Key
The consumer signing key plays a critical role in Microsoft’s security framework. It ended up in the crash dump because of a software error known as a “race condition,” a timing bug that can lead to unintended outcomes. The crash dump, still carrying the key material, ended up in a debugging environment on Microsoft’s corporate network, where the key went unnoticed.
Intrusion by Storm-0558
With the consumer signing key now within reach, the Chinese threat actor Storm-0558 set about compromising email accounts and succeeded in compromising a Microsoft engineer’s corporate account. The engineer had access to the debugging environment containing the crash dump, which unfortunately still held the key. While specific logs could not confirm that the key was extracted this way, it remains the most plausible explanation for how Storm-0558 acquired it.
The Oversight in Key Scope Validation
To streamline its systems, Microsoft introduced a common key metadata publishing endpoint in September 2018 to serve both consumer and enterprise accounts. However, when the libraries and documentation for key scope validation were updated, a critical check was missed: a token signed with a consumer key could be accepted for business (enterprise) email, an outcome the system’s design never intended.
Microsoft’s Response and Remediation: What did Microsoft do?
In the aftermath of the Microsoft email attacks, the organization undertook a comprehensive effort to rectify the situation. Multiple actions were taken, with a strong emphasis on bolstering email security measures, as listed below:
- Addressing the Root Cause: The primary cause of the breach, the race condition issue, was identified and resolved to prevent future occurrences.
- Enhanced Prevention, Detection, and Response: Microsoft fortified its mechanisms for handling key material in crash dumps to prevent sensitive data exposure in similar scenarios.
- Improvements in Credential Scanning: Measures were implemented to enhance credential scanning processes, reducing the likelihood of unauthorized access.
- Automated Key Scope Validation: Microsoft also updated its authentication libraries to perform key scope validation automatically, minimizing the risk of key misuse.
The Impact of the Outlook Breach
The severity of this breach becomes evident when one considers its targets. Storm-0558 gained access to the email accounts of several prominent individuals, including Commerce Secretary Gina Raimondo, the Assistant Secretary of State – East Asia Daniel Kritenbrink, and the U.S. Ambassador to China Nicholas Burns, raising concerns about potential espionage and compromised communications.
Broader Implications and National Security
The Microsoft Outlook email hacking incident is a stark reminder of the escalating cybersecurity threats that governments and organizations face worldwide. The event underscores the importance of robust email security measures, especially in cloud-based services, where email and its spam filtering have become integral to people’s daily lives and are relied upon to keep online communications safe and protected.
A Focus on Cloud Computing Safety
The federal Cyber Safety Review Board has acted in response to the breach. It will concentrate its efforts on examining malicious targeting of cloud computing environments, including the intrusion into Microsoft Exchange Online Protection by China-based threat actors. The broader review will encompass issues related to cloud-based identity and authentication infrastructure.
The Threat Actor Behind the Outlook Breach – Storm-0558
Storm-0558 is a China-based threat actor that has garnered attention due to its espionage objectives. Operating during typical Chinese working hours, they have historically targeted U.S. and European diplomatic, economic, and legislative entities, with a particular focus on individuals associated with Taiwan and Uyghur geopolitical interests.
Notably, Storm-0558 has displayed an affinity for infiltrating media companies, think tanks, and telecommunications providers, all in pursuit of unauthorized access to email accounts.
The Unprecedented Email Access: Storm-0558’s Specialty
Storm-0558 employs a variety of tactics to achieve its objectives. Historically, they have obtained initial access through phishing campaigns or exploiting vulnerabilities in public-facing applications, often resulting in web shell deployment. Among the arsenal of malware used by Storm-0558, one prevalent family is Cigril, launched via DLL (Dynamic-Link Library) search order hijacking.
Once inside a compromised system, Storm-0558 meticulously extracts credentials from various sources, including the LSASS process memory and SAM (Security Account Manager) registry hive. These credentials are then used to sign into the targeted user’s cloud email account.
The following are some of the tools and techniques used by Storm-0558 to infiltrate restricted user accounts:
1. Authentication Tokens Forgery
One of the most intriguing aspects of the Storm-0558 campaign is its ability to forge authentication tokens. These tokens play a critical role in validating the identity of entities seeking access to resources such as email accounts. They are typically issued by identity providers like Azure AD and signed with a private key. A relying party validates the token’s signature with the matching public key and, if the signature checks out, trusts the request.
Storm-0558, however, acquired an inactive Microsoft account (MSA) consumer signing key and used it to craft forged tokens for both Azure AD enterprise and MSA consumer accounts, giving access to OWA (Outlook Web Access) and Outlook.com. A validation error in Microsoft’s code made this possible: tokens signed with the consumer key were accepted for enterprise accounts. While Microsoft has rectified this issue, it is a compelling example of the threat actor’s technical prowess.
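The key scope oversight described in the earlier section and the token forgery it enabled come down to one missing check in the relying party. The following Python example is added here to illustrate that check; it is not Microsoft’s code, and the key IDs, issuer URLs and secrets are invented placeholders. It uses HMAC in place of the asymmetric signing keys used in practice so that it runs with the standard library only; the scope logic is the same either way. The weak verifier accepts any key the shared metadata endpoint publishes, while the hardened verifier also requires the key’s scope, the issuer, the audience and the expiry to match the resource being protected.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key metadata standing in for a common key-publishing endpoint that
# serves both consumer (MSA) and enterprise (Azure AD) keys. Key ids, issuer URLs
# and secrets are placeholders invented for this example. HMAC stands in for the
# asymmetric signing keys used in practice, purely to stay standard-library only;
# the scope-validation logic is identical for RSA/ECDSA keys.
KEY_METADATA = {
    "consumer-key-1": {
        "secret": b"constructed-consumer-secret",
        "scope": "consumer",
        "issuer": "https://login.consumer.example/",
    },
    "enterprise-key-1": {
        "secret": b"constructed-enterprise-secret",
        "scope": "enterprise",
        "issuer": "https://login.enterprise.example/tenant-a/",
    },
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Mint a compact header.claims.signature token with the named key."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEY_METADATA[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _verify_signature(token: str):
    """Shared step: look the key up by kid and check the signature. Returns (key, claims)."""
    head_b64, claims_b64, sig_b64 = token.split(".")
    header = json.loads(_unb64url(head_b64))
    key = KEY_METADATA.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key["secret"], f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    return key, json.loads(_unb64url(claims_b64))


def verify_signature_only(token: str) -> dict:
    """The flawed check: any key the shared endpoint publishes is good enough.

    A consumer-scoped key therefore validates a token whose claims name an
    enterprise issuer, which is the gap the post describes.
    """
    _key, claims = _verify_signature(token)
    return claims


def verify_with_key_scope(token: str, expected_scope: str, expected_issuer: str, expected_audience: str) -> dict:
    """The hardened check: signature, then key scope, then issuer, audience and expiry."""
    key, claims = _verify_signature(token)
    if key["scope"] != expected_scope:
        raise ValueError(f"key is {key['scope']}-scoped, not {expected_scope}")
    if claims.get("iss") != key["issuer"] or claims.get("iss") != expected_issuer:
        raise ValueError("issuer mismatch")
    if claims.get("aud") != expected_audience:
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) < time.time():
        raise ValueError("token expired")
    return claims


def demo() -> dict:
    """Run both verifiers over a correctly signed token and a mis-scoped one."""
    enterprise_issuer = KEY_METADATA["enterprise-key-1"]["issuer"]
    audience = "https://mail.enterprise.example/"
    claims = {"iss": enterprise_issuer, "aud": audience, "sub": "user@tenant-a.example",
              "exp": int(time.time()) + 600}
    tokens = {
        "good": sign_token("enterprise-key-1", claims),      # enterprise claims, enterprise key
        "mis_scoped": sign_token("consumer-key-1", claims),  # enterprise claims, consumer key
    }
    results = {}
    for name, tok in tokens.items():
        for label, check in (("signature_only", verify_signature_only),
                             ("with_scope", lambda t: verify_with_key_scope(t, "enterprise", enterprise_issuer, audience))):
            try:
                check(tok)
                results[f"{name}_{label}"] = "accepted"
            except ValueError as exc:
                results[f"{name}_{label}"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for outcome, verdict in demo().items():
        print(f"{outcome}: {verdict}")
```

Running the block shows the difference directly: the signature-only verifier accepts both tokens, because the consumer key really did sign the second one, while the scoped verifier rejects it on the key scope check before the claims are even consulted. The design point is that a shared key endpoint is fine only if every relying party pins the key scope to the resource it protects.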
2. PowerShell and Python Scripts
Storm-0558 relies on a set of PowerShell and Python scripts to make REST API (Application Programming Interface) calls to the OWA Exchange Store service. These scripts enable actions such as downloading emails and attachments, locating conversations, and retrieving email folder information. The threat actor can route web requests through Tor proxies or hardcoded SOCKS5 proxy servers, making detection more challenging.
The scripts can also contain sensitive information, including bearer access tokens and email data, which Storm-0558 leverages for OWA API interactions. Furthermore, they can refresh access tokens for subsequent commands.
3. Dedicated Proxy Infrastructure
Storm-0558’s campaign incorporates dedicated infrastructure built on SoftEther proxy software, which complicates both detection and attribution. To counter this, Microsoft Threat Intelligence had to develop profiling methods to track the infrastructure.
As part of that dedicated infrastructure, the threat actor introduced a web panel for authentication, further extending their capabilities. Microsoft proactively deployed analytics to track the panel, which led to its identification.
What Next for Microsoft Outlook and the Public?
Microsoft’s response to this campaign has been comprehensive. It stopped the abuse of token renewal, blocked the usage of tokens signed with the acquired MSA key, and revoked all previously active keys. These actions were coupled with increased system isolation, refined monitoring, and transitioning to a hardened key store to provide better email protection.
Storm-0558’s activities have been effectively disrupted, and Microsoft continues to monitor the situation, bolstering defenses. As one reflects on the email hacking incident, it becomes clear that the cybersecurity landscape is continually evolving. Both public and private sectors must recognize the criticality of cloud infrastructure and collaborate effectively on email security measures.
How to Stay Safe While Using Microsoft Outlook
Ensuring your Microsoft Outlook security and protecting sensitive information is paramount, especially after the Outlook breach. Here are some steps and best practices to follow when using Microsoft Outlook:
1. Be Cautious of Phishing Attempts
Phishing emails often impersonate legitimate entities and attempt to trick you into revealing sensitive information. Be wary of unsolicited emails, especially those requesting personal or financial details. Verify the sender’s authenticity before clicking on links or downloading attachments.
2. Check Email Sender Information
Always double-check the sender’s email address. Malicious actors can create convincing email addresses that appear genuine at first glance. Look for subtle misspellings or inconsistencies.
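Checking the sender’s real domain for subtle misspellings is something a mail gateway or a help-desk script can do consistently. The Python example below is added here to show one way to automate that check; it is not from the original post. The trusted domains and the sample From: headers are constructed placeholders, and the confusable-character table is a small illustrative subset. It flags three kinds of lookalike: domains that match a trusted one only after swapping confusable characters, domains that embed a trusted name inside a different domain, and domains within a small edit distance of a trusted one.

```python
import re

# Constructed allow-list of domains this organisation trusts; placeholders, not real domains.
TRUSTED_DOMAINS = {"contoso.example", "outlook.example"}

# Character substitutions that look alike in many fonts; applied to the sender domain
# before comparing. Multi-character entries come first so "rn" is folded before "1".
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def sender_domain(header_value: str) -> str:
    """Extract the real address domain from a From: value such as 'Name <user@host>'."""
    match = re.search(r"<([^>]+)>", header_value)
    address = match.group(1) if match else header_value.strip()
    return address.rpartition("@")[2].lower().rstrip(".")


def normalise(domain: str) -> str:
    """Fold confusable characters so 'contos0' compares equal to 'contoso'."""
    for lookalike, plain in CONFUSABLES:
        domain = domain.replace(lookalike, plain)
    return domain


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_value: str) -> str:
    """Return 'trusted', 'lookalike:<trusted domain>' or 'unknown' for a From: header."""
    domain = sender_domain(header_value)
    if not domain:
        return "unknown"
    for trusted in sorted(TRUSTED_DOMAINS):
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted"  # exact match or a genuine subdomain of a trusted domain
    norm = normalise(domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        if norm == trusted:  # differs only by confusable characters
            return f"lookalike:{trusted}"
        if trusted in norm:  # trusted name embedded in someone else's domain
            return f"lookalike:{trusted}"
        if levenshtein(norm, trusted) <= 2:  # small typo such as a doubled letter
            return f"lookalike:{trusted}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample From: headers.
    for sample in ("alice@contoso.example",
                   "billing@contos0.example",
                   "Contoso Support <help@contoso.example.attacker.example>",
                   "news@totally-different.example"):
        print(f"{sample!r}: {classify_sender(sample)}")
```

The display-name form is handled deliberately: mail clients often show only the name in front of the angle brackets, which is exactly what the post warns looks genuine at first glance, so the classifier ignores it and works from the address inside the brackets.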
3. Avoid Downloading Suspicious Attachments
Exercise caution when opening email attachments, especially if the sender is unknown or the message seems unusual. Malware can be hidden in seemingly harmless files.
4. Use Secure Networks
Avoid accessing your email from public Wi-Fi networks, which can be less secure. Instead, use trusted and secure connections, especially when dealing with sensitive emails or attachments.
5. Educate Yourself and Your Team
Ensure that the employees of your organization are educated about Outlook security and general email security practices. Offer phishing awareness training so individuals can identify phishing attempts, and emphasize the importance of strong, unique passwords. Training of this kind sharpens their ability to detect phishing attacks and reinforces good password habits.
Final Words
The breach orchestrated by Storm-0558 serves as a wake-up call for anyone concerned with email protection and cybersecurity in general. It highlights the importance of vigilance, continual improvements in cybersecurity practices, and international cooperation to counter cyber threats. The lessons learned from this incident will undoubtedly shape the future of email security, influencing policies and regulations in the digital age.