On Friday, Microsoft attempted to explain the cause of a breach that gave hackers working for the Chinese government access to the email accounts of 25 organizations—reportedly including the US Departments of State and Commerce and other sensitive organizations.
In a post on Friday, the company indicated that the compromise resulted from three exploited vulnerabilities in either its Exchange Online email service or Azure Active Directory, an identity service that manages single sign-on and multifactor authentication for large organizations. Microsoft’s Threat Intelligence team said that Storm-0558, a China-based hacking outfit that conducts espionage on behalf of that country’s government, exploited them starting on May 15. Microsoft drove out the attackers on June 16 after a customer tipped off company researchers of the intrusion.
Above all else: Avoid the Z-word
In standard parlance among security professionals, this means that Storm-0558 exploited zero-days in the Microsoft cloud services. A “zero-day” is a vulnerability that is known to or exploited by outsiders before the vendor has a patch for it. “Exploit” means using code or other means to trigger a vulnerability in a way that causes harm to the vendor or others.
While both conditions are clearly met in the Storm-0558 intrusion, Friday’s post and two others Microsoft published Tuesday, bend over backward to avoid the words “vulnerability” or “zero-day.” Instead, the company uses considerably more amorphous terms such as “issue,” “error,” and “flaw” when attempting to explain how nation-state hackers tracked the email accounts of some of the company’s biggest customers.
“In-depth analysis of the Exchange Online activity discovered that in fact the actor was forging Azure AD tokens using an acquired Microsoft account (MSA) consumer signing key,” Microsoft researchers wrote Friday. “This was made possible by a validation error in Microsoft code.”
Later in the post, the researchers said that Storm-0558 acquired an inactive signing key used for consumer cloud accounts and somehow managed to use it to forge tokens for Azure AD, a supposedly fortified cloud service that, in effect, stores the keys that thousands of organizations use to manage logins for accounts on both their internal networks and cloud-based ones.
“The method by which the actor acquired the key is a matter of ongoing investigation,” the post stated. “Though the key was intended only for MSA accounts, a validation issue allowed this key to be trusted for signing Azure AD tokens.”
Two paragraphs later, Microsoft said that Storm-0558 used the forged token to gain access to Exchange email accounts through a programming interface for Outlook Web Access (OWA). The researchers wrote:
Once authenticated through a legitimate client flow leveraging the forged token, the threat actor accessed the OWA API to retrieve a token for Exchange Online from the GetAccessTokenForResource API used by OWA. The actor was able to obtain new access tokens by presenting one previously issued from this API due to a design flaw. This flaw in the GetAccessTokenForResourceAPI has since been fixed to only accept tokens issued from Azure AD or MSA respectively. The actor used these tokens to retrieve mail messages from the OWA API.
A plain-English summary of the event would seem to be: Microsoft has patched three vulnerabilities in its cloud service that were discovered after Storm-0558 exploited them to gain access to customer accounts. It would also be helpful if Microsoft provided a tracking designation under the CVE (Common Vulnerabilities and Exposures) system the way other cloud companies do. So why doesn’t Microsoft do the same?
“I don’t think Microsoft ever acknowledges vulnerabilities in their cloud services (also there’s no CVEs for cloud), and you don’t say breach at Microsoft,” independent researcher Kevin Beaumont said on Mastodon. “They did say ‘exploit’ in the original MSRC blog in relation to Microsoft’s cloud services, and you exploit a vulnerability. So I think it’s fair to say that, yes, they had vuln(s).”
Microsoft issued the following comment: “We don’t have any evidence that the actor exploited a 0day.” Microsoft didn’t elaborate. In one of the two posts published on Tuesday, Microsoft said: “The actor exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail.” Ars has asked for a clarification of exactly what was exploited by the threat actor.
Pay-to-play security
Besides being opaque about the root cause of the breach and its own role in it, Microsoft is under fire for withholding details that some of the victims could have used to detect the intrusion, something critics have called “pay-to-play security.” According to the US Cybersecurity and Information Security Agency, one federal agency that was breached by Storm-0558, it discovered the intrusion through audit logs that track logins and other important events affecting customers’ Microsoft cloud events.
Microsoft, however, requires customers to pay an additional fee to access these records. The cost for an “E5” enterprise license allowing such access is $57 per month per user, compared to an E3 license cost of $36 per month per customer.
“The fact that Microsoft only allows those who pay the extra money for E5 licensing to see the relevant log files is, well, something…” Will Dorman, senior principal analyst at Analygence, said in an interview. “If you’re not an E5-paying customer, you lose the ability to see that you were compromised.”
While Microsoft’s disclosures have been less than forthcoming in the role its vulnerabilities played in breaching the accounts of organizations, Friday’s disclosure provides helpful indicators that people can use to determine if they’ve been targeted or compromised by Storm-0558.