Threat Brief: Storm-0558 Unleashes Authentication Token Forgery


Threat Name:
Storm-0558 – Authentication Token Forgery

Threat Summary:

Storm-0558 is suspected to be a China-based, nation-state threat actor whose TTPs are closely aligned with espionage objectives. The actor compromised an inactive Microsoft account (MSA) consumer signing key and used it to sign fabricated authentication tokens. Authentication tokens are short-lived credentials used to authenticate users to a service: they are typically generated by a server and passed to the client, which then presents the token to the server to prove it is authorized to access that service. Using the stolen key, the group forged authentication tokens for both Azure AD enterprise and MSA consumer accounts, and these forged tokens allowed Storm-0558 to access OWA. Microsoft has since invalidated all MSA keys that were active prior to the incident.

Lumifi’s Analysis:

We’ve concluded that the specific exploit used in this attack isn’t reliably detectable, because the attack was carried out by compromising an MSA key and signing a fabricated authentication token, so the forged token presents as a legitimately signed one. However, this threat actor has been observed performing specific activities shortly after exploitation, and those activities are reliably detectable.

Lumifi Current Coverage:

Lumifi currently has a number of detections in our content library that would successfully detect this threat actor’s exploitation attempts and attack chain. Our foreign login-based rules would detect this attack upon successful authentication of the threat actor. Additionally, we have developed and tailored a number of rules around suspicious O365 and email activity ranging from potential exfiltration detections to logins from a new IP.
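The two points above, that a forged token is only stopped by retiring the compromised signing key and that detection therefore has to happen after authentication, as an added example that is not Lumifi’s detection content or any Microsoft code. It assumes a constructed allowlist of active key IDs, a constructed JWT header, and constructed O365-audit-style sign-in events:

```python
import base64
import json
from collections import defaultdict

# Constructed allowlist of key IDs the identity provider currently publishes;
# a key retired after an incident (as Microsoft did with pre-incident MSA keys) is absent.
ACTIVE_KEY_IDS = {"kid-active-2023"}

def jwt_header(token: str) -> dict:
    """Decode only the JOSE header of a compact JWT; no signature check here."""
    seg = token.split(".")[0]
    seg += "=" * (-len(seg) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))

def key_is_trusted(token: str) -> bool:
    """Gate applied before signature verification: a token whose 'kid' names a
    retired key is rejected even though its signature would verify against that
    key. This is the server-side effect of invalidating the old signing keys."""
    return jwt_header(token).get("kid") in ACTIVE_KEY_IDS

def make_token_stub(kid: str) -> str:
    """Constructed test token: real header, placeholder payload and signature."""
    hdr = json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode()
    return base64.urlsafe_b64encode(hdr).rstrip(b"=").decode() + ".e30.c2ln"

def new_ip_logins(events: list[dict]) -> list[dict]:
    """Post-authentication detection: flag a successful sign-in from an IP the user
    has not been seen from before. A forged token passes the token validator, so
    this is where the activity becomes visible. Field names follow the O365 audit
    log style; the rule is illustrative, not Lumifi's content."""
    seen_ips = defaultdict(set)
    alerts = []
    for ev in sorted(events, key=lambda e: e["CreationTime"]):
        if ev["ResultStatus"] != "Success":
            continue
        known = seen_ips[ev["UserId"]]
        if known and ev["ClientIP"] not in known:  # first event bootstraps the baseline
            alerts.append({"user": ev["UserId"], "ip": ev["ClientIP"], "time": ev["CreationTime"]})
        known.add(ev["ClientIP"])
    return alerts

# Constructed sign-in events: routine logins, then one from an address never seen for the account.
SAMPLE_EVENTS = [
    {"CreationTime": "2023-06-01T08:00:00", "UserId": "alice@example.com", "ClientIP": "203.0.113.10", "ResultStatus": "Success"},
    {"CreationTime": "2023-06-02T08:05:00", "UserId": "alice@example.com", "ClientIP": "203.0.113.10", "ResultStatus": "Success"},
    {"CreationTime": "2023-06-15T03:41:00", "UserId": "alice@example.com", "ClientIP": "198.51.100.77", "ResultStatus": "Success"},
]
```

`key_is_trusted` is the check a relying party applies before verifying any signature; `new_ip_logins` is the kind of post-auth rule that catches the activity the token check cannot.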

Referenced Article(s):

Chandler Emhoff


Chandler Emhoff is an information security professional with 8 years of experience in an array of different roles. He started as an ethical hacker with a focus on social engineering and black-box network intrusion and since has pivoted to both blue and purple team roles. Today he has been a Threat Content Developer and Detection Engineer for Lumifi Cyber for 2 years and has been integral in MITRE ATT&CK framework mapping, threat research, and porting scans to our ShieldVision platform.

