I came to the realization a long time ago that threat actors will work beyond individual organizations as targets to focus on common services. Possibly one of the most notable recent occurrences of this came just this month with Storm-0558, which focused on authentication token services such as Exchange Online. If you haven’t seen this post on Security Week, it’s worth a read. The figure below from the linked article has a nice image representing the compromised key in regard to common applications:

Image reproduced from: Microsoft Cloud Hack Exposed More Than Exchange, Outlook Emails - SecurityWeek
What becomes incredibly interesting is the detail of the Storm-0558 threat actor on this ‘big game’ target. According to this report from Microsoft, this group was historically going after Western diplomatic, economic, and government organizations or individuals aligned to certain geopolitical targets. This was different: it went after OAuth applications and stolen tokens, which triggered larger-scale behavior. It is important to note from the Microsoft report that, in the end, credential theft from phishing activity is a common starting point. This can lead to other problems and reminds us of the basics of phishing training, even for seasoned IT staff and administrators.
This write-up of the same topic on eSecurity Planet highlights how an acquired Microsoft account (MSA) consumer signing key was used as part of the threat behavior, and questions exist on how that happened.
I think a lot about what can happen with some of the cyberthreats that are out there today. One thing I always recommend is to have an absolutely independent copy of your data at the ready. This is very easily achieved with backup solutions such as Veeam, but if you ever have to mobilize or turn off a service, it’s critical you still have access to your data and move it to a new administrative boundary as quickly as possible.
It’s likely we don’t yet know the full impact of Storm-0558’s actions here, but this is arguably one of the biggest ‘big game’ cyberthreats I am aware of. Have you seen any other similar types of incidents? Let’s discuss!