Microsoft hit by Storm season – a tale of two semi-zero days
The Background
Microsoft recently published a report detailing a hack in which data from approximately 25 organizations, including government agencies, along with personal cloud accounts belonging to individuals connected to those organizations, was accessed without authorization. Although the attack targeted a relatively small number of organizations, it potentially affected a significant number of individuals, given the size of some US government bodies.
Fortunately, Microsoft’s threat hunters were able to track down the tricks and bypasses used in the attack, and they have determined that the list of affected organizations is complete. If individuals have not heard directly from Microsoft about being part of the hack, they can assume they are in the clear. The security holes that allowed the attack have already been fixed “in house” by Microsoft on the server side, so there is no patch for users to install themselves.
Semi-Zero Days: The Vulnerabilities
The vulnerabilities exploited in this attack are best described as “semi-zero days.” A zero-day is a security hole that attackers are already exploiting before the affected vendor knows about it, so there are zero days of warning in which to prepare a fix. From the attackers’ point of view these holes were genuine zero-days: they were in use before Microsoft was aware of them. What makes them “semi” is that they never went through the usual disclosure cycle of a CVE identifier and a downloadable patch, because the affected code lived entirely in Microsoft’s cloud and was fixed there, with nothing for customers to install.
The incident serves as a reminder of the challenges faced in applied cryptography, security segmentation, and threat hunting. Applied cryptography can be complex, requiring not only the selection of the right algorithms but also their correct implementation and management of cryptographic keys. Security segmentation, which involves dividing complex systems into separate parts, requires thorough testing to ensure the separation works as intended. Lastly, threat hunting often requires looking beyond the obvious explanations and continuously searching for potential exploits and vulnerabilities.
The Attack Method
The attackers gained unauthorized access to victims’ Exchange data through Outlook Web Access (OWA) by presenting authentication tokens that they had no right to hold. An authentication token is a short-lived credential, typically carried in a cookie or bearer header, that an online service issues after login and then accepts in place of the password on subsequent requests. Normally, traffic between users and online services is protected by HTTPS, which encrypts data before it leaves the user’s browser and decrypts it only when it reaches the intended server, so tokens cannot simply be sniffed off the wire. The attackers did not need to break HTTPS or steal tokens in transit: they minted tokens themselves, signed with a Microsoft signing key they had acquired, and a validation flaw in Microsoft’s back-end services caused those tokens to be accepted as if they were legitimate.
Detection and Response
Microsoft’s security team discovered the anomalous mailbox access and realized that the problem was not on the client side of the network connection. This insight allowed them to focus their investigation on the servers responsible for issuing and validating authentication tokens. They determined that the attackers had acquired a consumer-account (personal Microsoft account) signing key rather than an enterprise signing key, and were using it to sign tokens for enterprise mailboxes. A token for a corporate account signed with the consumer key should never have been accepted, so every such key-to-account mismatch in the validation logs was a reliable indicator of compromise. That anomaly let Microsoft identify all instances of the attack and create an exhaustive list of affected customers.
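The flaw described in the two sections above, and the detection logic that follows from it, as an added worked example that is not part of the original article and is not Microsoft’s code. It uses HMAC-signed, JWT-like tokens and two constructed signing keys (one tagged as consumer, one as enterprise) as a stdlib-only stand-in for the real RSA-signed tokens; the key IDs, realm names, audience string and log-line format are all assumptions made for the example. The vulnerable validator accepts any token whose signature matches a key in the merged key set; the hardened validator additionally requires the signing key to belong to the realm the service serves; the hunting function applies the same mismatch rule to constructed validation logs.

```python
"""Storm-0558-style token-validation flaw, illustrated with HMAC-signed
JWT-like tokens (constructed stand-in; the real tokens were RSA-signed)."""
import base64
import hashlib
import hmac
import json

# Constructed key set (assumption: names and secrets are invented). Each signing
# key is bound to the realm it may vouch for; the consumer key must never be
# accepted as proof of identity for an enterprise user.
SIGNING_KEYS = {
    "msa-consumer-2016": {"realm": "consumer", "secret": b"consumer-key-material"},
    "aad-enterprise-2023": {"realm": "enterprise", "secret": b"enterprise-key-material"},
}


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(kid: str, claims: dict) -> str:
    """Issue header.payload.signature with the named key. An attacker holding
    the consumer key can do exactly this, with whatever claims they choose."""
    header = _b64u(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64u(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(SIGNING_KEYS[kid]["secret"], signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64u(sig)}"


def _verify_signature(token: str):
    """Return (kid, claims) if the signature checks against a known key."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    kid = json.loads(_b64u_decode(header_b64))["kid"]
    key = SIGNING_KEYS.get(kid)
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key["secret"], f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64u_decode(sig_b64)):
        raise ValueError("bad signature")
    return kid, json.loads(_b64u_decode(payload_b64))


def validate_vulnerable(token: str, expected_aud: str) -> dict:
    """Flawed check: any correctly signed token from the merged key set passes,
    so a consumer-key signature is as good as an enterprise one."""
    _kid, claims = _verify_signature(token)
    if claims.get("aud") != expected_aud:
        raise ValueError("wrong audience")
    return claims


def validate_hardened(token: str, expected_aud: str, expected_realm: str) -> dict:
    """Fixed check: the key that signed the token must be authorised for the
    realm this relying party serves, on top of signature and audience checks."""
    kid, claims = _verify_signature(token)
    if SIGNING_KEYS[kid]["realm"] != expected_realm:
        raise ValueError(f"key {kid} is not authorised for realm {expected_realm}")
    if claims.get("aud") != expected_aud:
        raise ValueError("wrong audience")
    return claims


# Constructed validation log lines (assumption: "<ts> kid=.. realm=.. upn=..").
SAMPLE_LOGS = [
    "2023-06-15T08:01:02Z kid=aad-enterprise-2023 realm=enterprise upn=alice@agency.example",
    "2023-06-15T08:01:09Z kid=msa-consumer-2016 realm=consumer upn=bob@outlook.example",
    "2023-06-15T08:02:41Z kid=msa-consumer-2016 realm=enterprise upn=carol@agency.example",
]


def find_realm_mismatches(log_lines):
    """Hunting rule: flag every request where the realm of the signing key
    differs from the realm of the service that accepted the token."""
    hits = []
    for line in log_lines:
        parts = line.split()
        fields = dict(kv.split("=", 1) for kv in parts[1:])
        key = SIGNING_KEYS.get(fields["kid"])
        if key and key["realm"] != fields["realm"]:
            hits.append({"ts": parts[0], "kid": fields["kid"], "upn": fields["upn"]})
    return hits


if __name__ == "__main__":
    forged = mint_token("msa-consumer-2016",
                        {"sub": "staff@agency.example", "aud": "exchange-online"})
    print("vulnerable validator accepted:", validate_vulnerable(forged, "exchange-online"))
    try:
        validate_hardened(forged, "exchange-online", "enterprise")
    except ValueError as err:
        print("hardened validator rejected:", err)
    print("suspect log entries:", find_realm_mismatches(SAMPLE_LOGS))
```

Run stand-alone, the script shows the forged consumer-signed token being accepted by the flawed validator and rejected by the hardened one, then flags only the third log line, where a consumer key was used against an enterprise mailbox. The design point is that checking “is the signature valid for some key I trust” is not the same as “is this key allowed to speak for this kind of account”; the second check is the segmentation between the consumer and enterprise realms, and it is also the condition a threat hunter can query for after the fact.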
Advice and Recommendations
If individuals have not been contacted by Microsoft about this particular attack, it is unlikely that they were affected. The necessary security remedies have already been applied within Microsoft’s cloud service, so there are no additional patches to install. However, people working in IT, such as programmers and quality assurance practitioners, should take note of the challenges highlighted by this incident.
Applied cryptography: Properly implementing and managing cryptographic systems is crucial for maintaining security. The right algorithms must be chosen, implemented securely, and used correctly, and the signing keys they depend on need careful protection and timely rotation for as long as they remain trusted.
Security segmentation: Dividing complex systems into separate parts must be accompanied by thorough testing to ensure the separation functions as intended. It is essential to probe and test the security of the separation to detect potential vulnerabilities that could be exploited by attackers.
Threat hunting: The first and most obvious explanation for an attack may not always be the correct one. It is essential to continue investigating until all actual exploits used in the attack are identified. Additionally, identifying and patching related vulnerabilities proactively is vital for ensuring comprehensive security.
In conclusion, cybersecurity is an ongoing journey that requires constant vigilance and adaptation. By understanding the challenges and lessons from incidents like the Microsoft hack, individuals and organizations can better protect themselves from future cyber threats.
For the latest computer security news, follow @NakedSecurity on Twitter.