web analytics

China-Based Hacker Hijacked EU, US Government Emails – Source: www.govinfosecurity.com

china-based-hacker-hijacked-eu,-us-government-emails-–-source:-wwwgovinfosecurity.com
Rate this post

Source: www.govinfosecurity.com – Author: 1

Cyberwarfare / Nation-State Attacks
,
Email Security & Protection
,
Fraud Management & Cybercrime

26 Countries Hit by Espionage Group Storm-0558 Through Microsoft Outlook Flaw

Jayant Chakravarti (@JayJay_Tech) •
July 12, 2023    

China-Based Hacker Hijacked EU, US Government Emails

Security experts say China-based hackers are “leading their peers in the deployment of zero-days” in the wake of another wide-ranging attack that abused a Microsoft Outlook flaw and used forged authentication tokens to access email accounts of governments in the United States and Western Europe.

See Also: Live Webinar | Reclaim Control over Your Secrets – The Secret Sauce to Secrets Security

Microsoft and U.S. officials confirmed Wednesday that a threat actor based in China had hacked the Outlook email accounts of U.S. government agencies and at least 25 European governments for the purpose of espionage and data theft.

Microsoft said the threat actor, identified as Storm-0558, had been exploiting a token validation issue since May 13 and had used forged authentication tokens to gain access to the email accounts of Western European government agencies that used Outlook Web Access in Exchange Online and Outlook.com. U.S. cybersecurity and defense officials released an advisory warning about the attacks Wednesday but declined to say which agencies had been targeted. The U.S. State Department was reportedly among the victims.

“The Department of State detected anomalous activity, took immediate steps to secure our systems and will continue to closely monitor and quickly respond to any further activity,” a State Department spokesperson told CNBC.

Microsoft did not name the affected countries or government agencies but said it had started to receive customer reports about anomalous email activity beginning on June 16, and over the next few weeks, it had taken steps to prevent the malicious actor from accessing the compromised email accounts using tokens forged with acquired MSA keys.

“MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems. The actor exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail. We have no indications that Azure AD keys or any other MSA keys were used by this actor,” Microsoft said.

Microsoft has replaced the MSA key to prevent Storm-0558 from using it to forge tokens in the future, blocked the use of all tokens that were signed using the MSA key, and confirmed that the issue only affected Outlook.com and Outlook Web Access in Exchange Online.

China’s Growing Hacking Prowess

U.S. Sen. Mark R. Warner, D-Va., chairman of the Senate Select Committee on Intelligence, said the incident underscores the growing threat from hackers in the People’s Republic of China.

“It’s clear that the PRC is steadily improving its cyber collection capabilities directed against the U.S. and our allies,” Warner said in a statement. “Close coordination between the U.S. government and the private sector will be critical to countering this threat.”

Tom Gol, chief technology officer for research at Silicon Valley-based cybersecurity company Armis, told Information Security Media Group that the exploitation of the token validation issue in Outlook and OWA indicates a high level of expertise. “Organizations that use Outlook need to have robust security measures, such as multifactor authentication, strong password policies and regular security audits to defend against a threat of this nature,” he said.

Chief Analyst John Hultquist of cybersecurity company Mandiant said the attack shows how China’s tactics have evolved from broad campaigns that were far easier to detect to more targeted and stealthy attacks.

“Rather than manipulating unsuspecting victims into opening malicious files or links, these actors are innovating and designing new methods that are already challenging us,” he said. “They are leading their peers in the deployment of zero-days, and they have carved out a niche by targeting security devices specifically.”

Hultquist believes Chinese cyber actors now know how to connect using elaborate, ephemeral proxy networks of compromised systems to make it harder for defenders to track their moves. “The reality is that we are facing a more sophisticated adversary than ever, and we’ll have to work much harder to keep up with them,” he said.

Timed With EU Meeting on China Strategy

Storm-0558 began targeting Western European government agencies one day after European Union leaders at a meeting in Stockholm discussed ways to recalibrate the EU’s policy toward China. The EU on May 17 issued a press release on the subject, calling China its largest trading partner but also a competitor and a systemic rival.

European Commission Vice President Josep Borrell highlighted the EU’s “growing risk of excessive dependencies on certain products and critical raw materials” on China and called for the diversification and reconfiguration of EU value chains and controls on inbound investment. “At over 400 billion euros a year, the EU’s trade deficit is at an unacceptable level. This is not due to the EU’s lack of competitiveness, but to China’s deliberate choices and policies,” he said.

The European Union in 2021 accused China of harboring cybercriminals who exploited vulnerabilities in the Microsoft Exchange server to target thousands of organizations worldwide, including government agencies and institutions in the EU.

“These activities can be linked to the hacker groups known as APT 40 and APT 31 and have been conducted from the territory of China for the purpose of intellectual property theft and espionage. The EU and its member states strongly denounce these malicious cyber activities, which are undertaken in contradiction with the norms of responsible state behavior as endorsed by all UN member states,” it said.

US Government Agencies Targeted

The exploitation of a token validation flaw in OWA and Outlook.com by Storm-0558 also affected a limited number of U.S. government agencies. White House National Security Council spokesperson Adam Hodge told CNN that agencies had detected the exploitation in June and continue to work with Microsoft to mitigate its impact.

“Last month, U.S. government safeguards identified an intrusion in Microsoft’s cloud security, which affected unclassified systems. Officials immediately contacted Microsoft to find the source and vulnerability in their cloud service. We continue to hold the procurement providers of the U.S. government to a high security threshold,” he said.

Microsoft did not mention the targeting of U.S. government agencies in its blog post, but Executive Vice President Charlie Bell said the company is partnering with government agencies, including the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, to protect Microsoft Cloud from intrusion attempts.

“We added substantial automated detections for known indicators of compromise associated with this attack to harden defenses and customer environments, and we have found no evidence of further access,” Bell said.

Original Post URL: https://www.govinfosecurity.com/china-based-hacker-hijacked-eu-us-government-emails-a-22527

Category & Tags: –

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post

NIST
Digital Forensics and Incident Response (DFIR) Framework for Operational Technology (OT) by NIST – Eran Salfati and Michael Pease
Digital Forensics and Incident Response...
SALT
State of the CISO – a global report on priorities , pain points, and security gaps 2023 by SALT
State of the CISO –...
Nathalie Cole
How Much 10 Companies Paid Their Virtual CISO Service in 2022 Benchmark by Nathaniel Cole
How Much 10 Companies Paid...
Codrut Andrei
Secure Software Development Lifecycle Fundamentals by Codrut Andrei
Secure Software Development Lifecycle Fundamentals...
Tushar Subhra Dutta
Top 10 Cyber Attack Maps to See Digital Threats 2022 by Tushar Subhra Dutta – Cyber Security News.
Top 10 Cyber Attack Maps...
ACSC Australia
Personal Cyber Security First Steps by Australian Government – ACSC
Personal Cyber Security First Steps...
Marcos Jaimovich
Why do we compare a SOC (Security Operations Center) with the cockpit of a commercial airplane? by Marcos Jaimovich
Why do we compare a...
Joas Antonio
Security Operations Center (SOC) – Tools for Operations Development by Joas Antonio
Security Operations Center (SOC) –...
IZZMIER
Incident Response Playbooks & Workflows Ready for use in your SOC & Redteams
Incident Response Playbooks & Workflows...
LOGPOINT
396 Use Cases & Siem Rules Code ready for use for Mitre Attacks Events Detection in Your SOC by Logpoint
396 Use Cases & Siem...
Forrester - Allie Mellen
Adapt Or Die: XDR Is On A Collision Course With SIEM And SOAR – EDR Is Dead, Long Live XDR by Allie Mellen – Forrester
Adapt Or Die: XDR Is...
CYBER LEADERSHIP INTITUTE
CISO PLAYBOOK: FIRST 100 DAYS Setting the CISO up for success
CISO PLAYBOOK: FIRST 100 DAYS...

LASTEST PUBLISHED POSTS

National Security Agency
CSI Cloud Top10 Key Management
CSI Cloud Top10 Key Management
CSA Cloud Security Alliance
Defining the Zero TrustProtect Surface
Defining the Zero TrustProtect Surface
HANIM EKEN
CONTAINER SECURITY INTERVIEW QUESTIONS ANSWERS
CONTAINER SECURITY INTERVIEW QUESTIONS ANSWERS
CNIL
PRACTICE GUIDE GDPR – SECURITY OF PERSONAL DATA Version 2024
PRACTICE GUIDE GDPR – SECURITY...
PWNED LABS
Cloud Security Engineer Roadmap
Cloud Security Engineer Roadmap
tutorialspoint.com
Cloud Computing Tutorial Simply Easy Learning
Cloud Computing Tutorial Simply Easy...
SMITHA SRIHARSHA
CISSP Preparation Notes
CISSP Preparation Notes
CISSP Mind Map: All Domains
CISSP Mind Map: All Domains
Lansweeper
CIS 18 CRITICAL SECURITY CONTROLS CHECKLIST
CIS 18 CRITICAL SECURITY CONTROLS...
Semaphore
CI-CD with Docker and Kubernetes
CI-CD with Docker and Kubernetes
EC-MSP
BUSINESS CONTINUITY PLAN & DISASTER RECOVERY PLAN TEMPLATE
BUSINESS CONTINUITY PLAN & DISASTER...
PWC
Building a risk-resilient organisation
Building a risk-resilient organisation

More Latest Published Posts

40 under 40
40 under 40 in CyberSecurity 2024
40 under 40 in CyberSecurity 2024
HADESS
40 Days in DeepDark Web About Crypto Scam
40 Days in DeepDark Web About Crypto Scam
Everbridge
8 Principles of Supply Chain Risk Management
8 Principles of Supply Chain Risk Management
CHAOSSEARCH
Threat Hunter’s Handbook – Using Log Analytics to Find and Neutralize Hidden Threats in Your Environment
Threat Hunter’s Handbook – Using Log Analytics to Find and Neutralize Hidden Threats in Your Environment
ENDGAME
The Hunters Handbook Endgame’s Guide to Adversary Hunting
The Hunters Handbook Endgame’s Guide to Adversary Hunting
THE EU’S MOST THREATENING by EUROPOL
THE EU’S MOST THREATENING by EUROPOL
National Cyber Security Centre
Responding to a cyber incident – a guide for CEOs
Responding to a cyber incident – a guide for CEOs
IGNITE Technologies
CREDENTIAL DUMPING
CREDENTIAL DUMPING
HADESS
Pwning the Domain Lateral Movement
Pwning the Domain Lateral Movement
Jorgen Lanesskog
PING Basic IP Network Troubleshooting
PING Basic IP Network Troubleshooting
TELESOFT
Layer 7 Visibility What are the Benefits?
Layer 7 Visibility What are the Benefits?
TIGERA
Introduction to Kubernetes Networking and Security
Introduction to Kubernetes Networking and Security
Department of Defense's (DoD)
Defense Industrial Base Cybersecurity Strategy 2024
Defense Industrial Base Cybersecurity Strategy 2024
Dummies
Zero Trust Access for Dummies Fortinet
Zero Trust Access for Dummies Fortinet
Homeland Security
Zero Trust Implementation Strategy
Zero Trust Implementation Strategy
National Australia Bank Limited
Your Business and Cyber Security
Your Business and Cyber Security
CYFIRMA
Xeno RAT- A New Remote Access Trojan
Xeno RAT- A New Remote Access Trojan
IGNITE Technologies
Windows Persistence COM Hijacking MITRE T1546 015
Windows Persistence COM Hijacking MITRE T1546 015
IGNITE Technologies
Windows Exploitation Rundll32
Windows Exploitation Rundll32
IGNITE Technologies
Windows Exploitation Msbuild
Windows Exploitation Msbuild
HADESS
Web LLM Attacks
Web LLM Attacks
HADESS
Trended Protocols for Security Stuff
Trended Protocols for Security Stuff
Red Iberoamericana de Protección de Datos
Transferencia Internacional de Datos Personales – Guia de Implementación
Transferencia Internacional de Datos Personales – Guia de Implementación
CYFIRMA
TRACKING RANSOMWARE January 2024
TRACKING RANSOMWARE January 2024
https://www.linkedin.com/in/harunseker/
TOP Cyber Attacks Detected by SIEM Solutions
TOP Cyber Attacks Detected by SIEM Solutions
TRAVARSA
Top 100 Cyber Threats and Solutions 2024
Top 100 Cyber Threats and Solutions 2024
Top 50 Cybersecurity Threats
Top 50 Cybersecurity Threats
OWASP
Top 10 Considerations for Incident Response
Top 10 Considerations for Incident Response