The Vulnerability of Zero Trust: Lessons from the Storm 0558 Hack

While IT security managers within both corporate enterprises and public institutions rely on the principle of Zero Trust, its practical effectiveness is being challenged by Advanced Persistent Threats (APTs). On the other hand, analysts recognize that achieving true Zero Trust necessitates a thorough understanding of one’s own network.

Introduction

Just recently, an attack believed to be perpetrated by the Chinese hacker group Storm-0558 targeted several government agencies. They used fake digital authentication tokens to access webmail accounts running on Microsoft's Outlook service. In this incident, the attackers stole a signing key from Microsoft, enabling them to issue functional access tokens for Outlook Web Access (OWA) and Outlook.com and to download emails and attachments. Due to a plausibility check error, the digital signature, which was only intended for private customer accounts (MSA), also worked in the Azure Active Directory for business customers.

In a recent development, a sophisticated attack, attributed to the Chinese hacking entity Storm-0558, has been directed towards several government entities (source here). The attackers employed fraudulent digital authentication tokens with the apparent goal of breaching webmail accounts that operate on the Microsoft Outlook service. This incident involved the compromise of a signing key owned by Microsoft, which subsequently enabled the threat actors to generate operational access tokens for both Outlook Web Access (OWA) and Outlook.com. As a result, unauthorized access was gained, allowing for the unauthorized retrieval of emails and associated attachments.

A notable oversight in the plausibility verification process occurred, inadvertently allowing the digital signature - originally intended for the exclusive use of private customer accounts (MSA) - to also function within the Azure Active Directory for corporate clientele.

Zero Trust and Its Origins: A Comprehensive Overview

Zero Trust embodies a strategic paradigm in cybersecurity that significantly bolsters an organization’s defense mechanisms by discarding the notion of inherent trust and perpetually verifying each phase of digital interactions. Built upon the foundational principle of ‘never assume, always verify,’ the Zero Trust approach is tailored to safeguard modern infrastructures and facilitate seamless digital progress. But how exactly does it achieve this? By leveraging robust authentication techniques, employing network segmentation, thwarting lateral movement, deploying Layer 7 threat prevention, and streamlining the implementation of precise ‘least access’ regulations.

The genesis of the Zero Trust concept can be traced back to the realization that conventional security models are founded upon an outdated assumption that all elements within an organizational network should be inherently deemed trustworthy. This misguided presumption creates an environment where, once within the network, users – including potential threats and malicious insiders – can navigate laterally without hindrance, gaining unauthorized access to sensitive data due to the absence of rigorous security controls.

Embracing the Era of Zero Trust Transformation

As indicated in a survey conducted by vendor Okta (State of Zero-Trust Security 2022), a significant 97% of participants have already adopted or are planning to implement a zero-trust strategy within the upcoming 18 months. This substantial surge in Zero Trust adoption has propelled the community of advocates from 24% in 2021 to an impressive 55% in 2022. The security model known as Zero Trust is recognized as a comprehensive security approach and is strategically designed to perpetually scrutinize, and validate access to resources, both internal and external. A multitude of organizations are wholeheartedly embracing this security strategy, rooted in the principle that network components and users consistently substantiate their identities, as trust is no longer conferred automatically.

State of Zero Trust Security 2022, Okta

Zero Trust relies on the continual observation and adaptable management of applications, users, and devices. It constrains resource access to the utmost essentials, subjecting all identities on the system to evaluation based on identical benchmarks applied to hosts. The overarching objective is to elevate security by exclusively permitting entry to individuals who consistently validate their identities and whose actions remain consistently subject to examination.

Looking Beyond the Boundaries: Unveiling Network Realities

Undoubtedly, Identity and Access Management (IAM) serves as a foundational pillar within the framework of Zero Trust. Unfortunately, the continuous validation of user identities falls short in cases involving identity theft. Furthermore, attackers can maneuver around these protocols by manipulating meta-data, like the apparent geolocation of a potential login, employing a spoofed VPN address. The responsibility of Intrusion Detection and Prevention Systems (IDS/IPS) encompasses the identification of dubious or unauthorized activities, viral infiltrations, malware and ransomware, zero-day assaults, SQL injections, and more. However, IDS/IPS systems often solely recognize established signatures, such as previously documented malicious domains or IP addresses. Should a domain not have been red flagged as malicious in advance, conventional security solutions could neglect it, inadvertently allowing attackers to exploit this weak link in the chain. Consequently, traditional cybersecurity mechanisms can occasionally stumble in effectively operationalizing the principles of Zero Trust.

To implement a Zero Trust security strategy effectively, enterprises are progressively gravitating towards network analysis solutions, a recommendation underscored by the analyst firm Forrester ("The Network Analysis and Visibility Landscape, Q1 2023"). According to the insights from Forrester, professionals tasked with security and risk management are advised to harness the capabilities of Network Detection and Response (NDR) tools.

These tools facilitate continuous network monitoring, threat identification, application and asset detection, as well as the interception of malicious data packets. These steps help IT systems identify threats more effectively.

Network Detection & Response (NDR): The Silent Champion of Zero Trust Security

NDR solutions are essential components in the establishment of a resilient and efficient Zero Trust framework. They deliver immediate, real-time insights into network traffic, oversee user conduct and device operations, and empower rapid identification and reaction to suspicious network operations or anomalous behaviors. This comprehensive visibility encompasses all operating systems, application servers, and IoT devices.

Forrester has emphasized that the significance of enterprise networks in cyberattacks is often underestimated. Cybercriminals employ fraudulent identities or zero-day exploits, then move laterally across the network to look for targets, access privileged systems, install malware, and steal corporate data. When an attacker is already within the network, NDR makes it easier to identify lateral movement or internal reconnaissance, in which the attacker scouts possible targets. Notably, NDR systems amass data from all switches and operate seamlessly without necessitating agents, thus accommodating environments where agent installation may not be feasible.

Machine Learning NDR: Setting the New Standard for Anomaly Detection

Leveraging the capabilities of Machine Learning (ML), Network Detection and Response (NDR) systems exhibit the competence to identify irregular network traffic patterns without necessitating the reliance on pre-stored, known “Indicators of Compromise” (IoCS). These ML-driven models are designed for ongoing training, which empowers them to discern emerging threats and novel attack techniques. This method offers early attack mitigation and considerably speeds up the identification of harmful activity. Additionally, it helps detect unusual or suspect behaviour and reduces the amount of time attackers may remain undetected within a network, improving overall security.

How ExeonTrace, a leading ML-based NDR, analyzes meta data in order to provide network visibility, anomaly detection and incident response.

Conclusion

Machine learning algorithms create a foundation for typical network conduct by analysing data and algorithms, enabling them to comprehend the customary communication patterns within the network. These algorithms can identify deviations from this set baseline since they have been trained to understand what “normal” behaviour for the network looks like. Suspicious connections, odd data transfers, traffic patterns that deviate from accepted standards, lateral network movements, data exfiltration, and more are examples of these aberrations.

As the threat of cyber-attacks becomes increasingly complex, organizations must go beyond conventional security procedures to defend their networks. In order to boost their security defences, many businesses are increasingly turning to Machine Learning (ML) and predictive analytics. ExeonTrace is one example of an ML-driven Network Detection & Response (NDR) solution that is intended to assist enterprises in keeping ahead of the constantly changing threat landscape. By applying sophisticated ML algorithms that dissect network traffic and application logs, ExeonTrace provides enterprises with the ability to quickly identify and respond to even the most complex cyberattacks.

Exeon, located in Switzerland, is a prominent provider of NDR solutions with a solid knowledge base and a foundation built on cybersecurity experience. ExeonTrace, the NDR platform, provides complete network monitoring backed by powerful Machine Learning technology. It provides automatic identification of possible cyber threats, making it an essential tool for Security Operations Center (SOC) teams and Chief Information Security Officers (CISOs) dedicated to building and maintaining a robust Zero Trust security strategy.

Interested in learning how Exeon’s NDR strengthens cybersecurity and allows effective Zero Trust implementations? Consider scheduling a demo with Exeon to see firsthand how Zero Trust and cyber resilience are implemented!