Chinese Hackers

[kyonides]

Suspected Chinese Hack on US Government Worse Than Previously Thought

A recent cybersecurity breach of U.S. government emails may have reached further than initially thought, according to a new report by the cybersecurity firm Wiz.inc.

Earlier this month, Microsoft and U.S. government cybersecurity experts identified a breach of email systems tied to 25 organizations, including several U.S. government agencies. Microsoft attributed the security breach, which likely occurred in May, to a Chinese government-linked hacking group called Storm-0558. According to Microsoft, Storm-0558 obtained a private encryption key, known as an MSA key, and used it to forge access tokens for the Outlook Web Access (OWA) and Outlook.com services.
...
Reports have indicated that email accounts for U.S. Commerce Secretary Gina Raimondo were impacted, as were accounts belonging to U.S. Ambassador to China Nicholas Burns, and Assistant Secretary of State for East Asian and Pacific Affairs Daniel Kritenbrink.

At a July 12 press briefing, officials with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said that no sensitive information was stolen during the hack.

Microsoft assessed that the hack only impacted its Outlook.com and Exchange Online services.

On Friday, Wiz published its own assessment finding that the way the hack had taken place could indicate a larger breach than Microsoft or U.S. government officials have let on thus far.

“Our researchers concluded that the compromised MSA key could have allowed the threat actor to forge access tokens for multiple types of Azure Active Directory applications, including every application that supports personal account authentication, such as SharePoint, Teams, OneDrive, customers’ applications that support the ‘login with Microsoft’ functionality, and multi-tenant applications in certain conditions,” wrote Wiz researcher Shir Tamari.
...
Microsoft has denied Azure Active Directory applications have been harmed by the Storm-0558 hack.

In response to the Wiz report, a Microsoft spokesperson told NTD News: “This blog highlights some hypothetical attack scenarios, but we’ve not observed those outcomes in the wild. We recommend that customers review our blogs, specifically our Microsoft Threat Intelligence blog, to learn more about this incident and investigate their own environments using the Indicators of Compromise (IOCs) that we’ve made public.”
...
Sen. Ron Wyden (D-Ore.) said Microsoft should offer all of its full forensic capabilities to all of its customers, saying that “charging people for premium features necessary to not get hacked is like selling a car and then charging extra for seatbelts and airbags.”

Amid this pressure, Microsoft announced on July 19 that it would begin providing its standard Microsoft Purview Audit customers with “deeper visibility into security data, including detailed logs of email access and more than 30 other types of log data previously only available at the Microsoft Purview Audit (Premium) subscription level.”
...
“These steps are the result of close coordination with commercial and government customers, and with the Cybersecurity and Infrastructure Security Agency (CISA) about the types of security log data Microsoft provides to cloud customers for insight and analysis.”