Zimbra Zero-Day Exploited to Hack Government Emails

Google’s Threat Analysis Group (TAG) revealed on Thursday that a Zimbra Collaboration Suite zero-day was exploited earlier this year to steal email data from government organizations in several countries. 

The existence of the vulnerability, tracked as CVE-2023-37580, became public in mid-July, when Zimbra notified customers of its email server solution. 

The flaw, described as a reflected cross-site scripting (XSS) bug, allows an attacker to execute malicious code by sending emails containing specially crafted URLs to the targeted organization. 

In order for the exploit to be successfully executed, the targeted user needs to click on the malicious link while they are authenticated to a Zimbra session.

Shortly after Zimbra announced an official patch on July 25, Google’s TAG warned that in-the-wild exploitation had been observed, but did not share any information about the attacks. 

The internet giant has now revealed that it saw the first campaign exploiting CVE-2023-37580 on June 29. This campaign was aimed at a government organization in Greece and the attacker leveraged a previously documented framework to steal emails and attachments. The framework can also be used to automatically forward emails to addresses controlled by the attacker.

Roughly one week after Google spotted this campaign, on July 5, Zimbra published a hotfix for the vulnerability to its GitHub repository, but an official patch had yet to be released.

Then, on July 11, Google observed a second campaign exploiting the Zimbra zero-day, this time targeting government organizations in Moldova and Tunisia. The company linked the attacks to Winter Vivern, a Russian APT known for using Zimbra exploits, including in attacks aimed at NATO countries. 

Zimbra published a security advisory on July 13 to warn customers about the vulnerability. However, before the official patch was released on July 25, Google came across a third campaign, which targeted a government organization in Vietnam. In this case, the attacker leveraged the exploit to take users to a phishing page that instructed them to enter their webmail credentials.

After the patch was released by Zimbra, Google spotted a fourth campaign, targeting a government organization in Pakistan.

“The discovery of at least four campaigns exploiting CVE-2023-37580, three campaigns after the bug first became public, demonstrates the importance of organizations applying fixes to their mail servers as soon as possible,” Google said. 

It added, “These campaigns also highlight how attackers monitor open-source repositories to opportunistically exploit vulnerabilities where the fix is in the repository, but not yet released to users. The actors behind Campaign #2 began exploiting the bug after the fix was pushed to Github, but before Zimbra publicly released the advisory with remediation advice.”

CISA’s Known Exploited Vulnerabilities Catalog includes seven other Zimbra Collaboration Suite flaws, a majority discovered in 2022. 

Related: Russia-Linked APT ‘Winter Vivern’ Targeting Governments in Europe, Asia 

Related: CISA Urges Organizations to Patch Actively Exploited Zimbra XSS Vulnerability

https://www.securityweek.com/zimbra-zero-day-exploited-to-hack-government-emails/




Proofpoint to Acquire Tessian for AI-Powered Email Security Tech

Enterprise security vendor Proofpoint on Monday announced plans to acquire email security specialists Tessian to beef up its ability to spot and block risky user behaviors, including misdirected email and data exfiltration.

Financial terms of the deal were not disclosed.

Tessian, a British startup that sells cloud email security software, was last valued at $500 million after its Series C funding round. The company raised approximately $128 million since launching in 2013 with ambitious plans to disrupt the email security market.

For the Thoma Bravo-owned Proofpoint, the deal removes a formidable startup competitor from the crowded email security marketplace and adds technology to address some of the most frequent forms of data loss, including misdirected email and data exfiltration.

In a note announcing the transaction, Proofpoint pointed out that misdirected emails (sending emails to the wrong recipient) and mis-attached files are major causes of compliance violations and accidental data loss for organizations, noting that defenders are slow to detect and remediate a data loss and exfiltration incident caused by employee negligence.

Proofpoint vice president Darren Lee said the plan is to embed Tessian’s behavioral and dynamic detection platform into its own products to provide security tools that integrate natively with Microsoft 365 and Google Workspace.

The deal is seen as another sign of consolidation in an ultra-competitive email security category. Earlier this year, Cisco acquired Armorblox, and venture capital investors placed billion-dollar valuations on startups like Material Security and Abnormal Security.

Other well-funded email security firms include Agari ($85 million raised), Valimail ($84 million raised), Area 1 ($82 million raised), Abnormal ($285 million), Avanan ($41 million), Inky ($32 million), and GreatHorn ($22 million). 

Related: Analysis: The Race to Find Profits in Securing Email

Related: Email Security Vendors Score Billion-Dollar Valuations

Related: Thoma Bravo Buys Proofpoint in $12.3 Billion All-Cash Deal

Related: Email Security Firm Tessian Raises $65 Million at $500 Million Valuation

https://www.securityweek.com/proofpoint-to-acquire-tessian-for-ai-powered-email-security-tech/




LinkedIn Smart Links Abused in Phishing Campaign Targeting Microsoft Accounts

A recently identified phishing campaign is relying on LinkedIn smart links to bypass email defenses and deliver malicious lures into Microsoft users’ inboxes, email security firm Cofense reports.

A legitimate feature connected to LinkedIn’s Sales Navigator services, smart links allow businesses to promote websites and advertisements, redirecting users to specific domains.

Threat actors, however, are relying on the feature to redirect users to malicious websites that attempt to steal their credentials and personal information, abusing the inherent trust that email gateways have in LinkedIn.

While LinkedIn smart links have been abused in malicious attacks before, the recently observed phishing campaign stands out with more than 80 unique smart links embedded within over 800 phishing messages delivered to recipients from various industries, Cofense says.

The campaign, the email security firm says, likely employed newly created or compromised LinkedIn business accounts to deliver document, financial, general notification, and security themed lures to unsuspecting victims.

A smart link typically consists of the LinkedIn domain followed by a parameter and an eight-character alphanumeric ID. The threat actors, however, appended additional information, including the recipient’s email address, which is used to autofill the phishing form the victim is redirected to; that form asks for their Microsoft account credentials.
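As an added example (not from Cofense or the article), the following Python flags a LinkedIn smart link that carries an embedded email address, the tell described above. It assumes smart links take the form https://www.linkedin.com/slink?code=<8 alphanumeric characters> (the exact path and parameter name are not given in the article) and uses constructed sample URLs.

```python
"""Flag LinkedIn smart links that carry an embedded recipient address.

Added example, not from the Cofense report. Assumption: a smart link has
the form https://www.linkedin.com/slink?code=<8 alphanumerics>; the article
gives only the general shape, so adjust SLINK_PATH/CODE_RE if yours differ."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

SLINK_PATH = "/slink"                                   # assumed smart-link path
CODE_RE = re.compile(r"^[A-Za-z0-9]{8}$")               # the eight-character ID
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://[^\s<>'\"]+")


def is_linkedin_host(host):
    """Exact domain or a real subdomain; rejects look-alikes such as
    linkedin.com.evil.example, which merely contain the name."""
    host = (host or "").lower().rstrip(".")
    return host == "linkedin.com" or host.endswith(".linkedin.com")


def classify(url):
    """Return (verdict, detail) for one URL."""
    parts = urlsplit(url)
    if not is_linkedin_host(parts.hostname):
        return "not-linkedin", parts.hostname
    if parts.path.rstrip("/") != SLINK_PATH:
        return "not-smart-link", parts.path
    query = parse_qs(parts.query, keep_blank_values=True)
    code = query.get("code", [""])[0]
    if not CODE_RE.match(code):
        return "not-smart-link", f"code={code!r}"
    # The campaign appended the recipient's address so the credential form was
    # prefilled. Look for one in every query key/value and in the fragment.
    haystack = " ".join(unquote(s) for k, vs in query.items() for s in (k, *vs))
    haystack += " " + unquote(parts.fragment)
    m = EMAIL_RE.search(haystack)
    if m:
        return "smart-link-with-email", m.group(0)
    return "smart-link", code


def flag_message(body):
    """Return [(url, embedded_email)] for every suspicious smart link in a body."""
    hits = []
    for url in URL_RE.findall(body):
        verdict, detail = classify(url)
        if verdict == "smart-link-with-email":
            hits.append((url, detail))
    return hits


# Constructed message body for the demo.
SAMPLE_BODY = """Your document is ready.
Review: https://www.linkedin.com/slink?code=aB3dE9xQ&u=victim%40corp.example
Profile: https://www.linkedin.com/in/someone
Login: https://linkedin.com.evil.example/slink?code=aB3dE9xQ
"""

if __name__ == "__main__":
    for url, email in flag_message(SAMPLE_BODY):
        print(f"suspicious smart link {url} prefilled with {email}")
```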

According to Cofense, the campaign mainly targeted employees at financial and manufacturing organizations. However, energy, construction, healthcare, insurance, mining, consumer goods, and technology organizations were targeted as well.

“Despite finance and manufacturing having higher volumes, it can be concluded that this campaign was not a direct attack on any one business or sector but a blanket attack to collect as many credentials as possible using LinkedIn business accounts and smart links to carry out the attack,” Cofense notes.

Related: US Executives Targeted in Phishing Attacks Exploiting Flaw in Indeed Job Platform

Related: New Phishing Campaign Launched via Google Looker Studio

Related: Malicious QR Codes Used in Phishing Attack Targeting US Energy Company

https://www.securityweek.com/linkedin-smart-links-abused-in-phishing-campaign-targeting-microsoft-accounts/




Google, Yahoo Boosting Email Spam Protections

Google and Yahoo on Tuesday announced a series of new requirements meant to improve email phishing and spam protections for their users.

Starting with the first quarter of next year, both email service providers will require that bulk senders first authenticate their emails using industry best practices, which should improve users’ trust in the source of messages.

The new requirement is intended to prevent incidents where attackers take advantage of bulk senders’ improperly secured or configured systems.

“To help fix that, we’ve focused on a crucial aspect of email security: the validation that a sender is who they claim to be. As basic as it sounds, it’s still sometimes impossible to verify who an email is from given the web of antiquated and inconsistent systems on the internet,” Google explains.

“Sending properly authenticated messages helps us to better identify and block billions of malicious messages and declutter our users’ inboxes,” Yahoo notes.

Next year, both email service providers will also require that bulk senders provide users with the option to easily unsubscribe from commercial emails, with a single click, and that the senders honor the request within two days.

Furthermore, both Google and Yahoo will enforce a clear spam rate threshold for large senders, thus ensuring that users receive fewer unwanted emails in their inboxes.

“Yahoo looks forward to working with Google and the rest of the email community to make these common sense, high-impact changes the new industry standard,” Yahoo senior director Marcel Becker said.

According to Google, while numerous senders already meet these requirements, the upcoming changes should be considered basic email hygiene by all senders. Large senders are encouraged to consult Google’s guidance before the new policies are enforced (starting February 2024).

Both Google and Yahoo encourage the email community to adhere to these practices to improve user protection and security.

“Keeping email more secure, user friendly and spam-free requires constant collaboration and vigilance from the entire email community. And we’ll keep working together to make sure your inbox stays safe,” Gmail product manager Neil Kumaran said.

Related: Google Now Lets US Users Search Dark Web for Their Gmail ID

Related: Google Workspace Client-Side Encryption Now Generally Available in Gmail, Calendar

Related: Email – The System Running Since 71’

https://www.securityweek.com/google-yahoo-boosting-email-spam-protections/




Unpatched Exim Vulnerabilities Expose Many Mail Servers to Attacks 

The existence of several unpatched vulnerabilities impacting Exim mail transfer agent (MTA) installations was disclosed last week, more than one year after they were initially reported to developers. 

Trend Micro’s Zero Day Initiative (ZDI) learned about six Exim vulnerabilities last year and reported the findings to the MTA software’s developers in June 2022. However, Exim developers have only now started working on patches, with accusations being made by both sides.

Exim, a piece of software used to receive and relay emails, is present on hundreds of thousands of servers. Vulnerabilities affecting the software can be highly valuable to threat actors, which have been known to exploit Exim flaws in their attacks. 

ZDI last week released six individual advisories describing the flaws, reported to the company by an anonymous researcher. The most serious of them, rated ‘critical’ and tracked as CVE-2023-42115, can be exploited by a remote, unauthenticated attacker to execute arbitrary code.

Three other flaws, classified as ‘high severity’ and tracked as CVE-2023-42116, CVE-2023-42117 and CVE-2023-42118, can also be exploited for remote code execution without authentication.

The remaining two issues have a lower severity rating and their exploitation can lead to information disclosure.

According to ZDI’s timeline, the vulnerabilities were reported to Exim developers in June 2022 and ZDI reached out for an update in late April 2023, with the bug reports being resent to Exim in May. 

ZDI made its advisories public on September 27 and a public discussion regarding the flaws was initiated late last week on the Openwall mailing list. 

Exim is working on patches and says they should become available shortly, though there still seems to be some confusion within Exim on what exactly has been reported via ZDI. Developers claim the vulnerabilities can only be exploited if certain features are used. 

Exim developers have complained that ZDI failed to provide needed clarifications between its initial report in June 2022 and May 2023. 

Some have argued that it has still taken Exim developers a long time to start addressing the flaws, even if it only learned about them in May. 

In response to the Exim team’s complaints, ZDI said, “The ZDI reached out multiple times to the developers regarding multiple bug reports with little progress to show for it. After our disclosure timeline was exceeded by many months, we notified the maintainer of our intent to publicly disclose these bugs, at which time we were told, ‘you do what you do’.” 

Related: NSA: Russian Agents Have Been Hacking Major Email Program

Related: Critical Remote Code Execution Vulnerability Patched in Exim Email Server

https://www.securityweek.com/unpatched-exim-vulnerabilities-expose-many-mail-servers-to-attacks/




Email – The System Running Since 71’

Email has been around a long time. My early days of remote communication started in the “You’ve got mail” era, with AOL dominating the US market share of dial-up internet as well as email. Other free email services emerged, and companies looking to expand globally saw email as a cheaper and quicker communication tool to conduct business. In the early 2000s, it was common to see companies host their own internal email servers, often managing users through Active Directory, the dominant identity and access management tool at the time. Linux alternatives existed, but they were limited to companies that could hire dedicated support to keep those systems running. One important thing to know is that email was not initially designed with security in mind. Since the very early versions of email dating back to the 1980s, we have been retrofitting new types of security on top of existing versions to adapt to modern technologies and protocols. However, many email configurations are purposely designed to be backwards compatible, which can often weaken an organization’s security posture.

In the modern evolution of email, many organizations have switched to using “managed email” from a service provider. Common ones that stand out are Office 365 by Microsoft, G Suite by Google, and Zoho Workplace by Zoho. All of these services allow for maximum uptime and availability while minimizing the cost of hardware and allowing for quick scaling across any number of users. In addition to the large providers, there are countless smaller providers, such as GoDaddy or Bluehost, that often bundle web hosting and email together with a reduced feature set.

From corporate finances to daily tasks, many businesses rely on email to keep things running. It’s one of the few cross-business communication tools we have in place, other than phone or physical mail. It’s also one of the most targeted and successfully compromised systems in the world today. I’ll explain best practices on email, as well as common pitfalls in configuration.

Hosted vs. SaaS

Managed providers can offer varying levels of service at different price points. Most people would agree that the benefits of using a managed provider outweigh the risk of hosting email within your business. You don’t have to worry about patching, taking a server down for maintenance, replacing certificates, or archiving mail to long-term storage. One consideration users should be aware of is the far-reaching implications of having access to one’s email. Email access is often connected with many other corporate tools through third-party connections and processes; examples include purchasing software, financial tracking, logistics, or private code repositories. This essentially provides a one-stop shop for a malicious user to gain access to multiple systems at once.

Unfortunately, leaked passwords are still one of the most common ways malicious actors get into email. Password dumps occur when commonly used websites containing user information are compromised and their password databases are stolen. Actors then either sell or post these emails and passwords on public sites. The major problem here is not that the website was hacked, but that many users reuse the same passwords across other websites. This means a user could have the same password on a website as on their corporate email. When this happens, all it takes is for an attacker to try the same password combination across multiple services until they get access.

Small details make a big impact

The biggest benefit of managed email providers is their willingness to take security seriously and adapt to an organization. By default, these providers typically offer basic protection and enable most encryption features. Other basic protection might include spam filtering, malicious URL filtering, and common settings around SPF, DKIM and DMARC. However, users have the ability to override default settings and may not understand the consequences. One example is enabling the legacy protocols POP3 and IMAP to increase compatibility with older devices or software. These protocols allow email to be downloaded and replicated to a compatible device; however, their authentication mechanism uses only a username and password, and does not necessarily need to be sent over an encrypted channel. This opens you up to a few weaknesses that you may be unaware of:

1) Password spraying – Guessing the passwords for users over months or years without any lockout period.

2) Lack of MFA – These protocols do not support multifactor authentication.

3) Lack of encryption – These features may not support encryption in transit.
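As an added illustration (not part of the original column), the following Python reads constructed mail-server authentication log lines and surfaces the three weaknesses just listed: a source failing legacy POP3/IMAP logins against many accounts a few times each (spraying that stays under per-account lockout thresholds), successful legacy logins with no TLS (so cleartext credentials and no MFA challenge), and the accounts a spraying source then got into. The log format and the detection thresholds are assumptions made for the demo.

```python
"""Detect password spraying and MFA-less logins over legacy POP3/IMAP.

Added example for this article; the log format is constructed for the demo
and the thresholds are assumptions. Adapt LINE_RE to your mail server's
authentication log."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in a made-up "<ts> <proto> auth user= src= result= tls=" format.
SAMPLE_LOG = """\
2023-10-02T08:00:01Z imap auth user=alice@example.com src=203.0.113.7 result=fail tls=no
2023-10-02T08:00:04Z imap auth user=bob@example.com src=203.0.113.7 result=fail tls=no
2023-10-02T08:00:09Z imap auth user=carol@example.com src=203.0.113.7 result=fail tls=no
2023-10-02T08:00:15Z pop3 auth user=dave@example.com src=203.0.113.7 result=fail tls=no
2023-10-02T08:00:21Z imap auth user=erin@example.com src=203.0.113.7 result=fail tls=no
2023-10-02T08:00:30Z imap auth user=frank@example.com src=203.0.113.7 result=success tls=no
2023-10-02T08:01:02Z imap auth user=alice@example.com src=198.51.100.9 result=fail tls=yes
2023-10-02T08:01:07Z imap auth user=alice@example.com src=198.51.100.9 result=fail tls=yes
2023-10-02T08:01:12Z imap auth user=alice@example.com src=198.51.100.9 result=success tls=yes
2023-10-02T08:05:00Z smtp auth user=grace@example.com src=192.0.2.44 result=success tls=yes
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>\w+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>\w+) tls=(?P<tls>yes|no)$"
)
# POP3/IMAP basic auth: username + password only, no MFA, TLS optional.
LEGACY_PROTOCOLS = {"imap", "pop3"}


def parse_log(text):
    """Parse matching lines into dicts; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def find_spraying(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {src_ip: [users]} for sources that failed legacy-protocol logins
    against many distinct accounts, each only a few times, inside one window.
    That low-per-account pattern is what slips past per-user lockout policies."""
    failures = defaultdict(list)
    for e in events:
        if e["proto"] in LEGACY_PROTOCOLS and e["result"] == "fail":
            failures[e["src"]].append(e)
    alerts = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):  # sliding window anchored at each failure
            per_user = defaultdict(int)
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                per_user[e["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts[src] = sorted(per_user)
                break
    return alerts


def plaintext_legacy_successes(events):
    """Successful POP3/IMAP logins with no TLS: credentials crossed the wire in
    the clear and no MFA challenge was possible (weaknesses 2 and 3 above)."""
    return [(e["user"], e["src"], e["proto"]) for e in events
            if e["proto"] in LEGACY_PROTOCOLS and e["result"] == "success" and e["tls"] == "no"]


def accounts_hit_by_spray(events, alerts):
    """Accounts that a spraying source later logged into successfully: the
    first place an incident responder should look."""
    return sorted({e["user"] for e in events
                   if e["src"] in alerts and e["proto"] in LEGACY_PROTOCOLS
                   and e["result"] == "success"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    sprays = find_spraying(evs)
    print("spraying sources:", sprays)
    print("plaintext legacy logins:", plaintext_legacy_successes(evs))
    print("accounts to triage:", accounts_hit_by_spray(evs, sprays))
```

Disabling POP3/IMAP basic authentication removes the whole class; where it must stay on, this kind of per-source view across users is what catches a spray that per-account lockout counters never see.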

There are hundreds of settings that can have far-reaching consequences. I encourage administrators to understand the settings of the service they procure. To further protect email, some new security vendors are parsing emails to look for pig butchering or invoice scams, comparing behavioral clues against the standard baseline an organization might have. These can help layer on protection to prevent fraud or deception early, which is often targeted at certain users (such as your CEO or CFO).

Email continues to be the communication tool of choice, with over 125 billion messages exchanged every day, and forcing users to use MFA can prevent 99.9% of attacks. Even with other remote tools growing in popularity, such as Slack and Zoom, we continue to see email as the dominant player in the communication space. Working remotely is here to stay, and businesses should continue to make sure their basic forms of communication are properly configured and secured.

https://www.securityweek.com/email-the-system-running-since-71/




Salesforce Email Service Zero-Day Exploited in Phishing Campaign

Threat actors have exploited a Salesforce zero-day vulnerability and abused Meta features in a sophisticated phishing campaign, according to web browsing security company Guardio.

Attackers sent out legitimate-looking emails designed to lure targeted users to a phishing page where they were instructed to hand over their Facebook account information, including their name, account name, email address, phone number, and password.

The emails mentioned the targeted user’s real name, appeared to come from ‘Meta Platforms’, and were sent from an @salesforce.com address. 

A button included in the email led users to a legitimate Facebook domain, apps.facebook.com, where they were informed about violating Facebook’s terms of service. When users clicked on a button to resolve the issue, they were taken to a phishing page that instructed them to provide their information. 

The fact that the email came from an @salesforce.com address and the link it included pointed to facebook.com helped the phishing emails bypass traditional security mechanisms.

Guardio’s analysis revealed that the attackers had targeted the Email Gateway component in the Salesforce CRM, specifically an ‘Email-To-Case’ feature designed to convert customer inbound emails into actionable tickets in Salesforce. By abusing this feature, the attacker managed to receive verification emails that gave them control over a genuine Salesforce email address that they could use to send out the phishing emails.

As for Facebook, the phishing page was hosted on a legacy web games platform offered by Facebook until 2021. While the platform has been discontinued, games developed prior to this date can still receive support and it appears that the attackers gained access to an account associated with such a game. They used that account to host their phishing page.  

Guardio notified Salesforce on June 28 and a fix was rolled out to all impacted services and instances within a month, preventing the use of an address from the Salesforce domain to send emails. Salesforce said it had no evidence of impact to customer data. 

Meta’s engineering and security teams were also notified and they removed the malicious accounts and game. The company also said it was conducting a root cause analysis to determine why its existing detections and mitigations failed to prevent the abuse. 

Related: Salesforce Paid Out $12.2 Million in Bug Bounty Rewards to Date

Related: Companies Still Exposing Sensitive Data via Known Salesforce Misconfiguration

Related: Organizations Warned of Salesforce ‘Ghost Sites’ Exposing Sensitive Information

https://www.securityweek.com/salesforce-email-service-zero-day-exploited-in-phishing-campaign/




Microsoft Cloud Hack Exposed More Than Exchange, Outlook Emails

Researchers at cloud security startup Wiz have an urgent warning for organizations running Microsoft’s M365 platform: That stolen Microsoft Azure AD enterprise signing key gave Chinese hackers access to data beyond Exchange Online and Outlook.com.

“Our researchers concluded that the compromised MSA key could have allowed the threat actor to forge access tokens for multiple types of Azure Active Directory applications, including every application that supports personal account authentication, such as SharePoint, Teams, OneDrive,” Wiz researcher Shir Tamari said in a document posted online.

Tamari said the hackers may have also accessed Microsoft customer applications that support the “login with Microsoft” functionality, and multi-tenant applications in certain conditions.

When Microsoft acknowledged the hack and the stolen MSA key, the software giant said Outlook.com and Exchange Online were the only applications known to have been affected via the token forging technique but new research shows that “this incident seems to have a broader scope than originally assumed.”

“Wiz Research has found that the compromised signing key was more powerful than it may have seemed, and was not limited to just those two services,” the company said in a document that provides technical evidence that the stolen MSA key could have been used to forge access tokens for Azure Active Directory applications, SharePoint, Microsoft Teams and Microsoft OneDrive.

“Organizations using Microsoft and Azure services should take steps to assess potential impact [beyond email],” Tamari said.

The Wiz research follows news that Chinese hackers were caught forging authentication tokens using a stolen Azure AD enterprise signing key to break into M365 email inboxes. The hack, which led to the theft of email from approximately 25 organizations, turned into a bigger embarrassment when customers complained they had zero visibility to investigate because they were not paying for the high-tier E5/G5 license.

Earlier this week, Microsoft bowed to public pressure and announced it would free up access to cloud security logs and expand logging defaults for lower-tier M365 customers to help with post-incident forensics.

However, Wiz’s Tamari is cautioning that it may be difficult for Redmond’s customers to detect the use of forged tokens against their applications due to lack of logs on crucial fields related to the token verification process.

Although Microsoft has revoked the compromised key, meaning that Azure Active Directory applications will no longer accept forged tokens as valid tokens, Tamari says some problems remain.

“Tokens with extended expiration dates will also be rejected by these applications. However, during previously established sessions with customer applications prior to the revocation, the malicious actor could have leveraged its access to establish persistence. This could have occurred by leveraging the obtained application permissions to issue application-specific access keys or setting up application-specific backdoors,” he added.

“We believe this event will have long lasting implications on our trust in the cloud and the core components that support it,” Wiz said, noting that it’s very difficult to determine the full extent of the incident. 

“There were millions of applications that were potentially vulnerable, both Microsoft apps and customer apps, and the majority of them lack the sufficient logs to determine if they were compromised or not,” the company added.

Wiz’s Tamari is recommending that Microsoft customers urgently update Azure SDK deployments to the latest version and ensure application cache is updated to mitigate the risk of a threat actor using the compromised key.

Related: Chinese Cyberspies Use Stolen Microsoft Key to Hack Gov Emails

Related: Microsoft Bows to Pressure to Free Up Cloud Security Logs

Related: Microsoft Warns of Office Zero-Day Attacks, No Patch Available

Related: Microsoft Blames Russian APT for Outlook Zero-Day Exploits

https://www.securityweek.com/microsoft-cloud-hack-exposed-more-than-exchange-outlook-emails/




In Other News: Military Emails Leaked, Google Restricts Internet Access, Chinese Spyware

SecurityWeek is publishing a weekly cybersecurity roundup that provides a concise compilation of noteworthy stories that might have slipped under the radar.

We provide a valuable summary of stories that may not warrant an entire article, but are nonetheless important for a comprehensive understanding of the cybersecurity landscape.

Each week, we will curate and present a collection of noteworthy developments, ranging from the latest vulnerability discoveries and emerging attack techniques to significant policy changes and industry reports.

Here are this week’s stories:

Google restricting internet access to reduce cyber risk

Saying its employees are a frequent target of attacks, Google is enlisting employees for a pilot program to work without internet access, CNBC reports. The company reportedly selected 2,500 employees to participate but has since opened it up to volunteers, and will allow select employees to opt out.

Millions of US military emails leaked 

Millions of email messages destined for US military addresses were erroneously sent to a domain for the African country of Mali. Due to a one-character typo, documents, medical data, travel information and more were sent to .ml addresses instead of .mil. The Department of Defense reportedly says it has controls in place to prevent emails from being sent to the wrong addresses, but the situation has been ongoing for roughly a decade. 

A quantum cybersecurity agenda for Europe

A discussion paper (PDF) on why the European Union needs to develop a European quantum ecosystem to counter challenges arising from the rapid development of quantum computers. Threat actors, the paper notes, are already harvesting encrypted information they can decrypt once cryptographically significant quantum computers emerge. 

CISA recommends free cloud tools

New CISA guidance (PDF) recommends a set of open source tools that organizations can use to assess their security stance, harden their infrastructure against malicious attacks, and to improve their detection and investigation capabilities in the cloud. These include The Cybersecurity Evaluation Tool, SCuBAGear, The Untitled Goose Tool, Decider, and Memory Forensic on Cloud. 

Acting cyber director will not get permanent role due to personal debts

Acting national cyber director Kemba Walden will not be offered the position permanently, “because of personal debt issues”, a source told Reuters. Walden took her role in February, overseeing the implementation of the US’s National Cybersecurity Strategy.

OpenSSH remote code execution vulnerability 

A vulnerability (CVE-2023-38408) in OpenSSH’s forwarded ssh-agent allows a remote attacker to execute commands. The ssh-agent is a widely used background program for caching private keys used for public key authentication, but connections to it can be forwarded, exposing the system administrator’s workstation to potential attacks. However, its potential impact is not as significant as it might sound, security researcher Kevin Beaumont says.

New KillNet capabilities

Mandiant has analyzed the recent increase in capability and shift in tactics showcased by the pro-Russia hacktivist collective KillNet, which is known for targeting US and European entities, including NATO. This “potentially indicates a significant increase in outside investment in the collective, further suggesting a potential tie to the Russian state”.

Chinese espionage group behind advanced Android surveillanceware

Cybersecurity firm Lookout believes that the Chinese espionage group APT41 is responsible for the advanced Android spyware dubbed WyrmSpy and DragonEgg. Also known as Barium and Winnti, the state-sponsored group has been active since 2012, targeting government organizations for espionage and private entities for financial gain.

New Splunk OT offering improves visibility in physical and industrial environments

Splunk announced Splunk Edge Hub this week, a new solution designed to simplify the ingestion and analysis of data generated by sensors, IoT devices and industrial equipment, and provide more complete visibility across IT and OT environments by streaming previously hard-to-access data directly into the Splunk platform.

Industrial control systems: engineering foundations and cyber-physical attack lifecycle

ICS security engineer Marina Krotofil has published a technical paper on cyber-physical systems (CPS), their security, and the lifecycle of a cyberattack against industrial control systems (ICS). The paper explores the interaction with the CPS from an attacker’s perspective and aims to shed light on the required defenses.

https://www.securityweek.com/in-other-news-military-emails-leaked-google-restricts-internet-access-chinese-spyware/




Chinese Cyberspies Used Forged Authentication Tokens to Hack Government Emails

Microsoft reported on Tuesday that a Chinese cyberespionage group it tracks as Storm-0558 was recently spotted using forged authentication tokens to hack government email accounts.

According to the tech giant, the hackers gained access to the email accounts of roughly 25 organizations, including government agencies and consumer accounts belonging to individuals associated with the targeted entities.

Microsoft’s investigation showed that the threat actor forged authentication tokens to gain access to customer email accounts using Outlook Web Access in Exchange Online (OWA) and Outlook.com. Specifically, the attackers used a Microsoft account (MSA) consumer signing key to forge the tokens.  

“MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems,” Microsoft explained. “The actor exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail. We have no indications that Azure AD keys or any other MSA keys were used by this actor.”

The company pointed out that only OWA and Outlook.com were targeted using forged authentication tokens. 

Microsoft said it became aware of the attacks on June 16 and an investigation showed that the activity began one month earlier. 

The company took steps to mitigate the attack, including blocking the usage of tokens signed with the compromised key and replacing the key itself. Impacted customers have been notified and provided with information needed for incident response. 

Microsoft said the Storm-0558 group mainly targets government agencies in Western Europe, focusing on cyberespionage, data theft, and credential access. 

However, CNN learned that unclassified US government email accounts have also been targeted by the Chinese cyberspies. The vulnerability that made the attack possible was reportedly discovered by the US government, specifically the State Department, which then notified Microsoft. 

Microsoft also revealed on Tuesday, when it informed customers about over 130 new vulnerabilities, including several actively exploited zero-days, that a Russian threat actor known as Storm-0978 and RomCom had exploited a zero-day tracked as CVE-2023-36884 in attacks targeting defense and government entities in Europe and North America.

The group has been known for its cybercriminal activities, but it recently turned to espionage. It has been observed targeting NATO Summit guests and other entities supporting Ukraine. 

Related: Microsoft Outs New Russian APT Linked to Wiper Attacks in Ukraine

Related: A Year of Conflict: Cybersecurity Industry Assesses Impact of Russia-Ukraine War

https://www.securityweek.com/chinese-cyberspies-used-forged-authentication-tokens-to-hack-government-emails/