Microsoft Exchange

The Department of Homeland Security's Cyber Safety Review Board (CSRB) has announced plans to conduct an in-depth review of cloud security practices following recent Chinese hacks of Microsoft Exchange accounts used by US government agencies.

The CSRB is a collaboration of public and private sectors, created to conduct in-depth investigations that offer a better understanding of critical events, discern root causes, and issue informed recommendations on cybersecurity.

In this case, CSRB will explore how the government, industry, and cloud service providers (CSPs) can bolster identity management and authentication in the cloud and develop actionable cybersecurity recommendations for all stakeholders.

Those recommendations will be forwarded to CISA and the current US administration, who will decide what actions must be taken to protect government systems and accounts.

"Organizations of all kinds are increasingly reliant on cloud computing to deliver services to the American people, which makes it imperative that we understand the vulnerabilities of that technology," stated Alejandro Mayorkas, Secretary of Homeland Security.

"Cloud security is the backbone of some of our most critical systems, from our e-commerce platforms to our communication tools to our critical infrastructure."

Storm-0558 hacks of Microsoft Exchange

In mid-July 2023, Microsoft reported that a Chinese hacking group tracked as 'Storm-0558' breached the email accounts of 25 organizations, including US and Western European government agencies, using forged authentication tokens from a stolen Microsoft consumer signing key.

Using this stolen key, the Chinese threat actors exploited a zero-day vulnerability in the GetAccessTokenForResource API function of Outlook Web Access (OWA) in Exchange Online to forge authorization tokens.

These tokens allowed the threat actors to impersonate Azure accounts and access email accounts for numerous government agencies and organizations to monitor and steal email.

After these attacks, Microsoft faced a lot of criticism for not providing adequate logging to Microsoft customers for free. Instead, Microsoft required customers to purchase additional licenses to obtain logging data that could have helped detect these attacks.

After working with CISA to identify crucial logging data needed to detect attacks, Microsoft announced that they now offer it for free to all Microsoft customers.

Microsoft revoked the stolen signing key and fixed the API flaw to prevent further abuse. Still, their investigation of the incident failed to reveal exactly how the hackers acquired the key in the first place.

Two weeks after the initial discovery of the breach, Wiz researchers reported that Storm-0558's access was much broader than what Microsoft previously reported, including Azure AD apps that operate with Microsoft's OpenID v2.0.

Wiz revealed that the Chinese hackers could have used the compromised key to access various Microsoft applications and any customer applications that supported Microsoft Account authentication, so the incident might not be limited to accessing and exfiltrating emails from Exchange servers.
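As an added illustration of the token-forgery risk described above, and of why Wiz's point about other Microsoft Account-authenticated applications matters, here is a constructed Python verifier that is not Microsoft's code: it shows the general defensive check that a token's signing key must be resolved through the issuer the token claims, so a key stolen from one identity system cannot validate tokens for another. Issuer URLs, key IDs and secrets are made up, and HMAC stands in for the RSA signatures real tokens use.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-ins for Microsoft's signing keys, grouped by issuer. HMAC-SHA256
# keeps the example offline; real Azure AD / MSA tokens are RS256-signed.
CONSUMER_ISS = "https://login.live.com"
ENTERPRISE_ISS = "https://login.microsoftonline.com/tenant"
KEYS_BY_ISSUER = {CONSUMER_ISS: {"msa-key-1": b"consumer-secret"},
                  ENTERPRISE_ISS: {"aad-key-1": b"enterprise-secret"}}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(kid: str, key: bytes, claims: dict) -> str:
    """Mint a compact JWT; 'kid' tells the verifier which key signed it."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def _parse(token: str):
    header, payload, sig = token.split(".")
    return (json.loads(_unb64(header)), json.loads(_unb64(payload)),
            _unb64(sig), f"{header}.{payload}".encode())

def _mac_ok(key: bytes, signed: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), sig)

def verify_weak(token: str) -> bool:
    """Flawed: accepts any trusted key whose 'kid' matches, whatever the issuer."""
    hdr, _, sig, signed = _parse(token)
    for keys in KEYS_BY_ISSUER.values():
        if hdr.get("kid") in keys:
            return _mac_ok(keys[hdr["kid"]], signed, sig)
    return False

def verify_strict(token: str, expected_iss: str) -> bool:
    """Hardened: 'iss' must match what this resource expects and 'kid' must
    resolve inside that issuer's own key set, so a consumer key never passes."""
    hdr, claims, sig, signed = _parse(token)
    if claims.get("iss") != expected_iss:
        return False
    key = KEYS_BY_ISSUER.get(expected_iss, {}).get(hdr.get("kid"))
    return key is not None and _mac_ok(key, signed, sig)
```

A token for the enterprise issuer signed with the consumer key passes `verify_weak` but is rejected by `verify_strict`; the same issuer-scoped lookup is what keeps a single leaked key from reaching every application that trusts the wider key set.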

Given the severe nature of the breach, the extensive investigative efforts required, and the inconclusive findings to date, the US government has tasked the CSRB to conduct a comprehensive review of the case, hoping it will produce insights that will fortify users, defenders, and service providers against future threats.

CSRB's past reviews include the series of broadly impacting vulnerabilities in the Log4j software in 2021 and the activities of Lapsus$, a hacking group that excelled in breaching Fortune 500 companies using simple yet highly effective techniques like SIM swapping and social engineering.
