Storm-0558 – Authentication Token Forgery
Storm-0558 is suspected to be a China-based, nation-state threat actor whose TTPs are closely aligned with espionage objectives. The actor compromised an inactive Microsoft account (MSA) consumer signing key and used it to sign fabricated authentication tokens. Authentication tokens are short-lived credentials used to authenticate a user to a service: the server generates the token and passes it to the client, and the client then presents the token to the server to prove that it is authorized to access that service. Because Storm-0558 held a signing key that the service trusted, the group was able to forge authentication tokens not only for MSA consumer accounts but also for Azure AD enterprise accounts. These forged tokens gave Storm-0558 access to Outlook Web Access (OWA) and Outlook.com. Microsoft has since invalidated all MSA keys that were active prior to the incident.
We've concluded that the specific exploit used in this attack isn't reliably detectable, because the attack was carried out by compromising an MSA key and signing a fabricated authentication token, so the forged token passes signature validation like a legitimate one. However, this threat actor has been observed performing specific activities shortly after exploitation, and those activities are reliably detectable.
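The trust decision at the heart of this incident can be shown with a small token verifier, added here as an illustration and not code from Microsoft or Lumifi. It models the two checks that would have stopped a token like the one described above: a retired key must no longer be accepted, and a key registered for MSA consumer tokens must not be allowed to vouch for Azure AD enterprise tokens. HMAC-SHA256 stands in for the real asymmetric signing keys, and the key ids, secrets and issuer names are constructed for the example.

```python
import base64, hashlib, hmac, json, time

# Simplified model of the trust decision a token verifier makes: HMAC-SHA256 stands in
# for the asymmetric MSA signing keys (an assumption for brevity); the checks are the same.

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# Constructed key registry. Each key id is bound to the one issuer it may vouch for and
# carries an "active" flag that is cleared when the key is retired or invalidated.
TRUSTED_KEYS = {
    "msa-consumer-key-2016": {"secret": b"retired-consumer-secret", "issuer": "msa-consumer", "active": False},
    "aad-enterprise-key-2023": {"secret": b"enterprise-secret", "issuer": "azure-ad-enterprise", "active": True},
}

def sign_token(kid: str, secret: bytes, claims: dict) -> str:
    """Produce header.payload.signature with the key id carried in the header."""
    signing_input = _b64url(json.dumps({"alg": "HS256", "kid": kid}).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token: str, keys: dict = TRUSTED_KEYS, now=None) -> tuple:
    """Return (accepted, reason); every rejection names the check that failed."""
    try:
        h, p, s = token.split(".")
        header, claims = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p))
    except (ValueError, json.JSONDecodeError):
        return False, "malformed token"
    entry = keys.get(header.get("kid"))
    if entry is None:
        return False, "unknown signing key"
    expected = hmac.new(entry["secret"], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    if not entry["active"]:                       # the key Storm-0558 held was inactive
        return False, "signed with a retired key"
    if claims.get("iss") != entry["issuer"]:      # a consumer key must not vouch for enterprise tokens
        return False, "key is not trusted for this issuer"
    if claims.get("exp", 0) < (now if now is not None else time.time()):
        return False, "token expired"
    return True, "ok"

def simulated_forged_token(now: float = 1_700_000_000) -> str:
    """Constructed test artefact: an enterprise token signed with the retired consumer key."""
    claims = {"iss": "azure-ad-enterprise", "sub": "user@example.com", "exp": now + 3600}
    return sign_token("msa-consumer-key-2016", TRUSTED_KEYS["msa-consumer-key-2016"]["secret"], claims)
```

Note that the signature on the simulated token is cryptographically valid, which is exactly why the page says the forgery itself is not reliably detectable; only the key-status and key-to-issuer binding checks reject it.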
Lumifi Current Coverage:
Lumifi currently has a number of detections in our content library that would detect this threat actor's exploitation attempts and attack chain. Our foreign-login rules would detect this attack upon the threat actor's successful authentication. Additionally, we have developed and tailored a number of rules around suspicious O365 and email activity, ranging from potential exfiltration detections to logins from a new IP address.