After 'Mitigated' Microsoft Cyber Attack, Partners Mull Best Security Practices

Following a Microsoft cyber attack that gave nation-state actors access to email accounts of high-ranking officials, channel partners and IT professionals are weighing what measures can tighten the security of their cloud environments.

Microsoft reported earlier this week that a threat actor gained access to email accounts in approximately 25 organizations. The affected organizations were primarily government agencies but also included individuals who were likely consumers associated with those agencies. The perpetrators gained access to Outlook Web Access in Exchange Online (OWA) and Outlook.com.

U.S. officials disclosed that the threat actors accessed the emails of U.S. commerce secretary Gina Raimondo as well as other members of the Commerce Department and State Department, according to the New York Times.

Microsoft stated that it “completed mitigation” for everyone impacted by the attack and said it has not found indications of any additional access by the threat actor. Moreover, the company “added substantial detections” for instances related to the attack.

Microsoft identified the threat actor as Storm-0558, a group based in China that has historically attacked Western European government agencies. Storm-0558 has historically sought to conduct espionage, stealing data and accessing credentials, according to Microsoft. Microsoft’s threat researchers describe Storm-0558 as a nation-state actor.

The Attack

According to Microsoft, Storm-0558 started accessing email data on May 15, 2023. The group forged authentication tokens by way of stealing a cryptographic key from Microsoft.

Opkalla’s Steve Ermish

Specifically, threat actors nabbed an MSA key associated with consumer accounts. Microsoft notes that one uses MSA keys for consumer accounts and Azure AD keys for enterprise. But despite not possessing an Azure AD key, Storm-0558 “exploited a token validation issue” and managed to get into enterprise mail.

“Hackers were able to use the tool that creates the certificate to create their own ‘skeleton key’ tokens,” said Steve Ermish, who serves as chief operating officer for the North Carolina-based technology advisor Opkalla. “This means that they could essentially bypass the authentication process and gain access to another customer’s data. How was a tool so important able to be accessed and used?”

A federal government agency made a report to Microsoft about “anomalous mail activity” on June 16. Microsoft said it has been working in tandem with the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (DHS CISA) to resolve the issue.

“Microsoft has mitigated the acquired MSA key and our telemetry indicates the actor activities have been blocked,” the company said in a blog.

The attack came in the months before Gina Raimondo, who has criticized the Chinese government, visited China, the New York Times noted.

Andrew Braunberg, principal analyst for Omdia’s SecOps practice, described the attacks on State Department and Commerce Departmetn accounts as “very targeted and strategic.”

Omdia’s Andrew Braunberg

“… it was ahead of important bilateral meetings with the U.S. No general response is warranted, and Microsoft claims it has ‘completed mitigation of these attack for all customers.’ The attack on the cloud-based email system had successfully forged authentication tokens and was only discovered after the fact by examining email access logs,” said Braunberg, whose team at Omdia shares a parent company with Channel Futures (Informa).

Microsoft Cyber Attack: Recommendations Moving Forward

CISA and the Federal Bureau of Investigation (FBI) in a July 12 dossier said that Microsoft bore the responsibility for mitigating the attack. But the entities …

… outlined a list of steps organizations can take to make their cloud environments more secure.

That includes separating administrator accounts from user accounts, using a telemetry hosting solutions like SIEM. They also urged that organizations review contracts with their cloud service providers to determine appropriate monitoring and logging is in place.

Moreover, the government organizations urged organizes to enable audit logging. For example, the U.S. Office of Management and Budget retains Microsoft audit logs in active storage for at least a year.

Entara’s Michael Brunetti

Michael Brunetti, who serves as director of professional services for the remediation and managed security services provider Entara, said the latest Microsoft cyber attack can serve as a call to action for businesses to do their due diligence on cybersecurity.

“IT security needs to be a priority to organizations, and make sure you leverage the resources out there to know what controls (following a well reputable cybersecurity framework like CIS or NIST) you should put in place, or else you can spend your entire budget on software, tools, or services without properly securing your business.”

Entara rarely provides its threat containment and infrastructure remediation for cases of espionage. However, Brunetti said the partner’s often involve Microsoft.

“Of the over 175 breaches Entara has assisted in recovering over the past three years, 90% of them had Microsoft-based Active Directory authentication as the primary source of compromise and vehicle to deploy their malware and crypto ransomware,” he told Channel Futures.

Steve Ermish, who leads Opkalla’s Microsoft CSP practice, said the latest incident points to the “perennial challenge” for balancing security with convenience.

“On the one hand, organizations need to protect their data from unauthorized access. On the other hand, they also need to make it easy for users to access the data they need to do their jobs. Microsoft’s services offer a good example of this balance. Users can authenticate once and then receive a token that certifies their identity. This token is generated by a Microsoft certificate that is encrypted and almost impossible to break,” Ermish told Channel Futures.

Ermish he expects that new documentation will address key management systems (KMS) and create more security layers while maintaining convenience.

“This incident shines a light on the many layers that exist in security, and a business is only as secure as its weakest layer,” he said.