Cyberthreat News: All data is a target with big game hunters


Userlevel 7
Badge +10

I came to the realization a long time ago that threat actors will work beyond individual organizations as targets to focus on common services. Possibly one of the most notable recent occurrences of this came just this month with Storm-0558, which focused on authentication token services such as Exchange Online. If you haven’t seen this post on Security Week, it’s worth a read. The figure below in the linked article has a nice image representing the compromised key in regard to common applications:

Image reproduced from: Microsoft Cloud Hack Exposed More Than Exchange, Outlook Emails - SecurityWeek

What becomes incredibly interesting is the detail of the Storm-0558 threat actor on this ‘big game’ target. From this report from Microsoft, this group was historically primarily going after Western diplomatic, economic, and government organizations or individuals aligned to certain geopolitical targets. This was different: it went after OAuth applications and stolen tokens, which triggered larger-scale behavior. It is important to note in the Microsoft report that, in the end, credential theft from phish activities is a common starting point. This can lead to other problems and in the end reminds us of the basics of phish training, even for seasoned IT staff and administrators.

This write-up of the same topic on eSecurity Planet highlights how an acquired Microsoft account (MSA) consumer signing key was used as part of the threat behavior, and questions exist on how that happened.

I think a lot about what can happen with some of the cyberthreats that are out there today. One thing I always recommend is to have an absolutely independent copy of your data at the ready. This is very easily achieved with backup solutions such as Veeam, but if you ever have to mobilize or turn off a service, it’s critical you still have access to your data and move it to a new administrative boundary as quickly as possible.

It's likely we don’t yet know the full impact of Storm-0558’s actions here, but this is arguably one of the biggest ‘big game’ cyberthreats I am aware of. Have you seen any other similar types of incidents? Let’s discuss!


10 comments

Userlevel 7
Badge +17

Just finished reading the details behind this threat this morning. This wasn’t (isn’t) a good one. Umm...not sure any are ‘good’ regardless, but this could have widespread damage we don’t yet know the extent of….

Userlevel 7
Badge +10

Indeed @coolsport00 → Any incident will have knowns and unknowns, however the clarity and detail in the response is solid: Analysis of Storm-0558 techniques for unauthorized email access | Microsoft Security Blog and this: Microsoft mitigates China-based threat actor Storm-0558 targeting of customer email | MSRC Blog | Microsoft Security Response Center

Userlevel 7
Badge +17

Yeah... I read that first link, then finished from this wiz.io link this morning:

https://www.wiz.io/blog/storm-0558-compromised-microsoft-key-enables-authentication-of-countless-micr

Not sure MS fully knows themselves the full extent of this threat. Hopefully, their mitigation measures take care of further attacks from this.

Userlevel 7
Badge +10

I thought this was a good piece of advice (from here: Enhanced Monitoring to Detect APT Activity Targeting Outlook Online | CISA)

Next few bits are quoted from CISA link above:

CISA and the FBI strongly encourage critical infrastructure organizations to ensure audit logging is enabled.

  • Enable Purview Audit (Premium) logging. This logging requires licensing at the G5/E5 level. See Microsoft’s guidance on Assigning Microsoft 365 Licenses to Users for additional information.
  • Ensure logs are searchable by operators. The relevant logs need to be accessible to operational teams in a platform (e.g., security operations center [SOC] tooling) that enables hunting for this activity and distinguishing it from expected behavior within the environment.
  • Enable Microsoft 365 Unified Audit Logging (UAL). UAL should be enabled by default, but organizations are encouraged to validate these settings.
  • Understand your organization’s cloud baseline. Organizations are encouraged to look for outliers and become familiar with baseline patterns to better understand abnormal versus normal traffic.
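The last two bullets above ask for searchable logs and a known baseline so that outliers stand out. As an added example (not from this thread, CISA, or Microsoft), the Python below builds a per-user baseline of client IPs and user agents from a known-good window of Microsoft 365 Unified Audit Log records and flags later records that fall outside it. The records are constructed for illustration; the field names follow the common UAL export shape (UserId, Operation, ClientIP, CreationTime), and a top-level UserAgent field is assumed for brevity (in real exports it sits inside ExtendedProperties).

```python
"""
Baseline-versus-outlier review of Microsoft 365 Unified Audit Log (UAL) records.

Added example, not code from the thread, CISA, or Microsoft. It assumes records
exported as JSON lines with UserId, Operation, ClientIP, CreationTime and a
flattened UserAgent field (assumption: real exports carry the user agent in
ExtendedProperties). Sample records below are constructed; IPs are RFC 5737
documentation addresses.
"""
import json
from collections import defaultdict

# Constructed "known-good" window used to learn what normal looks like per user.
BASELINE_LOG = """
{"CreationTime":"2023-07-03T08:01:00","UserId":"alice@example.com","Operation":"UserLoggedIn","ClientIP":"192.0.2.10","UserAgent":"Outlook/16.0"}
{"CreationTime":"2023-07-03T09:14:00","UserId":"alice@example.com","Operation":"FileAccessed","ClientIP":"192.0.2.10","UserAgent":"Outlook/16.0"}
{"CreationTime":"2023-07-04T08:05:00","UserId":"alice@example.com","Operation":"UserLoggedIn","ClientIP":"192.0.2.11","UserAgent":"Outlook/16.0"}
{"CreationTime":"2023-07-03T10:00:00","UserId":"bob@example.com","Operation":"UserLoggedIn","ClientIP":"198.51.100.7","UserAgent":"Mozilla/5.0 (Windows NT 10.0) Edge/115"}
"""

# Constructed later window to review against the baseline.
REVIEW_LOG = """
{"CreationTime":"2023-07-10T02:41:00","UserId":"alice@example.com","Operation":"UserLoggedIn","ClientIP":"203.0.113.99","UserAgent":"python-requests/2.31"}
{"CreationTime":"2023-07-10T08:02:00","UserId":"alice@example.com","Operation":"UserLoggedIn","ClientIP":"192.0.2.11","UserAgent":"Outlook/16.0"}
{"CreationTime":"2023-07-10T08:30:00","UserId":"bob@example.com","Operation":"FileAccessed","ClientIP":"198.51.100.7","UserAgent":"Mozilla/5.0 (Windows NT 10.0) Edge/115"}
{"CreationTime":"2023-07-10T11:12:00","UserId":"carol@example.com","Operation":"UserLoggedIn","ClientIP":"198.51.100.8","UserAgent":"Outlook/16.0"}
"""


def parse_records(text):
    """Parse JSON-lines audit export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_baseline(records):
    """Collect the set of client IPs and user agents seen per user."""
    baseline = defaultdict(lambda: {"ips": set(), "agents": set()})
    for rec in records:
        entry = baseline[rec["UserId"]]
        entry["ips"].add(rec["ClientIP"])
        entry["agents"].add(rec["UserAgent"])
    return baseline


def find_outliers(records, baseline):
    """Return records whose user, client IP or user agent is outside the baseline."""
    findings = []
    for rec in records:
        user = rec["UserId"]
        reasons = []
        if user not in baseline:
            reasons.append("no prior activity for user in baseline window")
        else:
            if rec["ClientIP"] not in baseline[user]["ips"]:
                reasons.append(f"new client IP {rec['ClientIP']}")
            if rec["UserAgent"] not in baseline[user]["agents"]:
                reasons.append(f"new user agent {rec['UserAgent']}")
        if reasons:
            findings.append({
                "CreationTime": rec["CreationTime"],
                "UserId": user,
                "Operation": rec["Operation"],
                "reasons": reasons,
            })
    # Oldest first so an analyst reads the review window in order.
    return sorted(findings, key=lambda f: f["CreationTime"])


def review(baseline_text=BASELINE_LOG, review_text=REVIEW_LOG):
    """Convenience wrapper: learn the baseline, then flag outliers in the review window."""
    baseline = build_baseline(parse_records(baseline_text))
    return find_outliers(parse_records(review_text), baseline)


if __name__ == "__main__":
    for finding in review():
        print(f"{finding['CreationTime']} {finding['UserId']} {finding['Operation']}: "
              + "; ".join(finding["reasons"]))
```

Run as-is it prints two findings: alice's sign-in from an address and client never seen in her baseline, and carol, who has no baseline at all. The point is the workflow rather than these particular fields; in practice the baseline window should be long enough to cover legitimate travel and client upgrades, and the same logic can be extended to other UAL attributes once the export format is confirmed.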

Userlevel 7
Badge +17

Solid advice!

Userlevel 7
Badge +20

Thanks for the share and advice.  Read over that and wow what a threat.

Userlevel 7
Badge +6

Oh...I seem to have missed this.  Now I have about 6 tabs of reading to do...thanks guys!

Userlevel 7
Badge +5

If we want to sleep well at night, let's make sure we have a consistent and hardened Veeam Backup for our Customers.
I don't want to go back to an isolated single PC connected to the Internet to look at mail and surf...

Userlevel 7
Badge +13

Waking up this morning with this news shared via Lkdin and media was a shock and this 

“Our researchers concluded that the compromised MSA key could have allowed the threat actor to forge access tokens for multiple types of Azure Active Directory applications, including every application that supports personal account authentication, such as SharePoint, Teams, OneDrive,

is no joke. This is a serious threat.

@Rick Vanover this reminds me of the magnitude of cyber attack to Solarwinds.

Userlevel 7
Badge +20

> Waking up this morning with this news shared via Lkdin and media was a shock and this
>
> “Our researchers concluded that the compromised MSA key could have allowed the threat actor to forge access tokens for multiple types of Azure Active Directory applications, including every application that supports personal account authentication, such as SharePoint, Teams, OneDrive,
>
> is no joke. This is a serious threat.
>
> @Rick Vanover this reminds me of the magnitude of cyber attack to Solarwinds.

That was the other one I thought of when I read this about MS.  Very bad for sure.
