Recently, Microsoft reported that the company was the subject of a cyberattack from an external threat actor called Storm-0558. Microsoft stated that the objective of most Storm-0558 campaigns was to obtain unauthorized access to email accounts belonging to employees of targeted organizations. The modus operandi employed by the threat actor was to gain access through credential harvesting, phishing campaigns, and OAuth token attacks.
It's important to note that the actors were keenly aware of the target’s environment, logging policies, authentication requirements, policies, and procedures. According to Dark Reading, a stolen Microsoft account (MSA) key enabled the Storm-0558 APT group to create fake authentication tokens, posing as authorized Azure AD users, which granted them entry into Microsoft 365 enterprise email accounts. This breach potentially provided access to sensitive information within these accounts.
I’m sure there are a lot of interpretations, along with Do’s and Don’ts, being recommended. Analyzing this incident from an access abuse perspective, four critical considerations stand out:
Microsoft reported that the actor’s core working hours are consistent with working hours in China. This highlights the importance of granular access and of tracking users, the sources they log in from, and the locations they access from. Granular access and tracking of each user’s login sources and access patterns to detect anomalies are foundational to detecting access abuse. However, that seemed insufficient to prevent this attack.
The pilfered MSA key could have also allowed the threat actor to generate access tokens for various Azure Active Directory applications, including those that support personal account authentication like SharePoint, Teams, OneDrive, and customers' applications using the 'login with Microsoft' feature, as well as multitenant applications.
Microsoft Account (MSA) keys are the foundation for authentication in the Microsoft ecosystem, allowing users access to various services like Azure Active Directory (Azure AD), Microsoft 365, and more. Unfortunately, when these keys fall into the wrong hands, they can lead to devastating consequences. Federated access can be a boon or a bane, as this incident clearly demonstrates.
Unfortunately, complex APT attacks are hard to detect, let alone mitigate. It takes a long time before such breaches are reported. We have seen this too often, as in the case of the Okta breach. The underlying complexity and the absence of authentication logging in many organizations mean that the full extent of the actual compromise resulting from this incident will likely require several weeks, if not months, to ascertain. The initial activity of Storm-0558 was reported on May 15, 2023; the actual breach report came on July 11, 2023.
PAM solutions gate activities at the session level to block suspicious activities. But with stolen credentials and an external threat actor compromise, this incident demonstrates that a PAM solution couldn't have blocked these activities.
Irrespective of the end game of the threat actors, the foundations for most breaches stem from compromised credentials (source: Verizon 2023 Data Breach Investigations Report). Current IAM and PAM solutions aren't purpose-built to address the escalating behaviors of advanced persistent threats. Privilege abuses are hard to detect and pose significant challenges for organizations. Amongst all the various security-related events within organizations, access events are Here-And-Now events. A minute late may prove to be too late.
Malicious actors who gain privileged access can exploit their extensive permissions without raising alarms, making it difficult for traditional security measures to identify and prevent such abuse effectively. Therefore, there is a crucial requirement for a tool capable of real-time detection and remediation of both known and unknown behaviors across an organization's perimeter. This tool should rely on advanced behavioral analytics and artificial intelligence to continuously monitor user activities, analyze access patterns, and promptly detect any suspicious or anomalous behavior associated with privilege abuse. With such a robust solution in place, organizations can proactively protect their critical assets and respond swiftly to potential threats, minimizing the risks posed by privilege abuse.
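As an added example (not code from the original post), the following Python sketches the kind of per-account baseline and real-time anomaly check referred to above: it learns each user's usual countries, network ASNs and UTC hours of activity from a learning window of sign-in records, estimates which UTC offset that activity pattern corresponds to (the "core working hours" observation), and then scores every new sign-in as it arrives. The log format, user names, countries, ASNs and timestamps are all constructed for illustration; a real deployment would feed this from the identity provider's sign-in logs.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sign-in records (not real data): ISO-8601 UTC time, user, country, ASN.
BASELINE_LOG = """\
2023-05-01T13:05:00Z,alice@example.com,US,AS7922
2023-05-01T15:40:00Z,alice@example.com,US,AS7922
2023-05-02T14:12:00Z,alice@example.com,US,AS7922
2023-05-02T20:55:00Z,alice@example.com,US,AS20115
2023-05-03T13:30:00Z,alice@example.com,US,AS7922
"""

# Constructed events arriving after the learning window.
NEW_LOG = """\
2023-05-15T14:02:00Z,alice@example.com,US,AS7922
2023-05-15T02:17:00Z,alice@example.com,CN,AS4134
2023-05-16T03:05:00Z,alice@example.com,CN,AS4134
"""


def parse_line(line):
    """Split one CSV record into a dict with a parsed UTC timestamp."""
    ts, user, country, asn = line.strip().split(",")
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "country": country, "asn": asn}


def build_baseline(log_text):
    """Per-user profile of countries, ASNs and UTC hours seen in the learning window."""
    baseline = defaultdict(lambda: {"countries": set(), "asns": set(), "hours": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        prof = baseline[ev["user"]]
        prof["countries"].add(ev["country"])
        prof["asns"].add(ev["asn"])
        prof["hours"].add(ev["time"].hour)
    return dict(baseline)


def plausible_utc_offsets(hours):
    """All whole-hour UTC offsets that place the most observed activity in a
    09:00-17:00 local working day. With few samples several offsets tie, so a
    list is returned rather than a single guess."""
    counts = {off: sum(1 for h in hours if 9 <= (h + off) % 24 < 17)
              for off in range(-12, 15)}
    best = max(counts.values())
    return sorted(off for off, c in counts.items() if c == best)


def detect(event, baseline, tolerance=1):
    """Reasons an event deviates from its user's baseline: unknown account,
    new country, new ASN, or an hour outside the user's historical activity
    window (widened by `tolerance` hours on each side)."""
    prof = baseline.get(event["user"])
    if prof is None:
        return ["unknown_user"]
    reasons = []
    if event["country"] not in prof["countries"]:
        reasons.append("new_country")
    if event["asn"] not in prof["asns"]:
        reasons.append("new_asn")
    near = {(h + d) % 24 for h in prof["hours"]
            for d in range(-tolerance, tolerance + 1)}
    if event["time"].hour not in near:
        reasons.append("off_hours")
    return reasons


def review(log_text, baseline):
    """Score each incoming event immediately; return (user, time, reasons) for flagged ones."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = detect(ev, baseline)
        if reasons:
            flagged.append((ev["user"], ev["time"].isoformat(), reasons))
    return flagged


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    print("alice's likely UTC offset(s):",
          plausible_utc_offsets(base["alice@example.com"]["hours"]))
    for item in review(NEW_LOG, base):
        print("FLAGGED", item)
```

Run as a script, the baseline places alice's activity at UTC-4 and the two sign-ins from a new country and ASN at 02:00-03:00 UTC are flagged on all three criteria; a sign-in matching her profile produces no reasons. The point is the shape of the check rather than the specific thresholds: each event is judged against the account's own history at the moment it occurs, which is what "Here-And-Now" detection requires.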