Chinese Threat Actors Stole Around 60,000 Emails from US State Department in Microsoft Breach
Cyber Security Threat Summary:
China-linked hackers breached Microsoft's email platform in May and stole tens of thousands of emails from U.S. State Department accounts, according to a Senate staffer. During a briefing by State Department IT officials, it was revealed that threat actors targeted around 60,000 emails from a total of 10 State Department accounts belonging to officials working in East Asia, the Pacific, and Europe.
The compromised accounts primarily focused on Indo-Pacific diplomacy. Although the stolen emails were unclassified, the breach raised concerns about cybersecurity. Microsoft had previously mitigated an attack by a China-linked threat actor known as Storm-0558, which targeted customer emails, including government agencies in Western Europe. The attackers exploited a token validation issue and forged authentication tokens to gain access to email accounts. Microsoft's investigation revealed that the threat actors had stolen a signing key from a Windows crash dump in April 2021, which contributed to the breach.
Security Officer Comments:
Microsoft researchers discovered that the threat actors gained access to customer email accounts using Outlook Web Access in Exchange Online (OWA) and Outlook[.]com by forging authentication tokens to access user email. The attackers used an acquired MSA key to forge the tokens to access OWA and Outlook[.]com. The attackers exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail. In early September, Microsoft shared a comprehensive technical investigation into the way attackers gained access to the Microsoft account consumer signing key.
Suggested Correction(s):
The IT giant announced it had revoked all valid MSA signing keys to prevent attackers from accessing other compromised keys. Below are the improvements implemented after the investigation:
- Identified and resolved race Condition that allowed the signing key to be present in crash dumps.
- Enhanced prevention, detection, and response for key material erroneously included in crash dumps.
- Enhanced credential scanning to better detect presence of signing key in the debugging environment.
- Released enhanced libraries to automate key scope validation in authentication libraries, and clarified related documentation.
https://securityaffairs.com/151685/hacking/u-s-state-department-stolen-emails.html