The Key to Hacker Happiness

How hackers obtained unauthorized access to Microsoft accounts, what malicious activities they now carry out, and how NDR protects organizations from APTs


Introduction: Microsoft’s recent incident involving threat actor Storm-0558

In July 2023, hackers accessed the mail accounts of several government agencies, including some in the US and Western Europe. In this Advanced Persistent Threat (APT), also reported by Microsoft in its own blog, very sophisticated attackers hypothetically affiliated with the Chinese state (China-based actor Storm-0558) had already been accessing the email accounts of about 25 organizations, including government organizations, for an extended period of time. The group had forged digital authentication tokens to access the webmail accounts running on Microsoft's Outlook service. The technique was initially (but probably not only) used to gain access to Exchange Online and Outlook content.

Stolen Key Allows Wide-Ranging Access to Microsoft Cloud Services

The hackers had used a stolen MSA private key to forge security tokens and used them to gain broad access to Microsoft cloud services. To do this, they used a consumer signing key to forge digital authentication tokens, which they then applied to access webmail accounts running on the company's Outlook service.

This is what happened step by step:

  1. The attackers somehow managed to steal a signing key from Microsoft.
  2. They could then use this to issue working access tokens for Outlook Web Access (OWA) and Outlook.com and, using scripts, download e-mails and attachments.
  3. An error in the validity check meant that the digital signature, which was only intended for private customer accounts (MSA), also worked in Azure Active Directory for business customers.
  4. The stolen key now also granted access to an Azure Active Directory (Azure AD or AAD) OpenID signing key and could be used to create access tokens for user accounts for almost all Microsoft cloud services, besides Outlook, Office, SharePoint and MS Teams.
  5. The stolen key is not only used on Microsoft's Exchange Online, but everywhere in the Microsoft cloud: it can sign all OpenID v2.0 access tokens for accounts and Azure Active Directory applications.
  6. It is now possible to penetrate all Azure AD instances used by Microsoft and their cloud applications, since they are familiar to the other AD instances and often have a "Login with Microsoft" activated.
  7. The compromised key could affect all Microsoft apps.

Now, of course, several questions arise:

  • Why was the problem not discovered for so long?
  • Why was Microsoft unable to prevent it?
  • Why did no SIEM, IAM or Endpoint Security sound the alarm?
  • Why was it only found when a customer notified Microsoft of a suspicious login, and why is the software giant from Redmond still not 100% sure about what really happened?
  • What must be done to protect systems from incidents like these?


Practice What You Preach!

There are two sides to this story. First, what Microsoft should have done to protect its customers from harm. This is what US senator Ron Wyden accused Microsoft of in a letter to the heads of the US Justice Department, Cybersecurity and Infrastructure Security Agency, and the Federal Trade Commission. The company should not have had one single master key that, if stolen, could be used to gain access to almost all of its customers' private communications; Microsoft’s signing keys should have been stored in a hardware security module (HSM), whose function is to prevent the theft of such keys. And as the MSA key used in this hack was created in 2016 and expired in 2021, it should have been renewed by then (it could have already been compromised, obviously). And fourth: authentication tokens signed with an expired key should never have been accepted as “valid”.
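The key checks named above and in step 3 of the list, as an added example that is not Microsoft's code and not part of the original article: a validator that accepts a token only if its signing key is inside its validity period and is meant for the account type being accessed. The key ids, secrets, exact dates and the HMAC signatures (standing in for RSA) are constructed assumptions.

```python
import base64, hashlib, hmac, json
from datetime import datetime, timezone

def ts(year, month=1, day=1):
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())

# Constructed key registry; HMAC secrets stand in for RSA signing keys (stdlib only).
KEYS = {
    "consumer-key": {"secret": b"constructed-secret-1", "scope": "consumer",
                     "not_before": ts(2016), "not_after": ts(2021)},
    "enterprise-key": {"secret": b"constructed-secret-2", "scope": "enterprise",
                       "not_before": ts(2023), "not_after": ts(2026)},
}

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac(kid, signed_part):
    return hmac.new(KEYS[kid]["secret"], signed_part.encode(), hashlib.sha256).digest()

def issue(kid, claims):
    """Build a compact header.body.signature token signed with key `kid`."""
    signed_part = b64e(json.dumps({"kid": kid}).encode()) + "." + b64e(json.dumps(claims).encode())
    return signed_part + "." + b64e(mac(kid, signed_part))

def validate(token, expected_scope, now, check_key_metadata=True):
    """Return 'accept' or a 'reject: ...' reason for a token presented at `now`."""
    header, body, sig = token.split(".")
    kid = json.loads(b64d(header)).get("kid")
    if kid not in KEYS:
        return "reject: unknown signing key"
    if not hmac.compare_digest(mac(kid, header + "." + body), b64d(sig)):
        return "reject: bad signature"
    key = KEYS[kid]
    if check_key_metadata:  # False reproduces a signature-only validity check
        if not key["not_before"] <= now <= key["not_after"]:
            return "reject: signing key outside its validity period"
        if key["scope"] != expected_scope:
            return "reject: signing key not valid for this account type"
    if json.loads(b64d(body))["exp"] < now:
        return "reject: token expired"
    return "accept"

NOW = ts(2023, 7)
# Constructed token: signed with the expired consumer key, for an enterprise service.
SAMPLE = issue("consumer-key", {"sub": "user@example.com", "exp": NOW + 3600})
```

With `check_key_metadata=False` the sample token passes on its signature alone; with the default it is rejected before its claims are even read.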

But the more important question for most of us might be: what can individuals and companies do to defend themselves against APTs like the one from Storm-0558, now and in the future?

Well, Identity and Access Management (IAM) plays a fundamental role in any security stack. Unfortunately, the constant verification of users' identity was helpless in this case of "stolen identity". And even the use of meta information, e.g., the geolocation of a potential log-on, could be bypassed in this case by using a faked VPN address.

IDS/IPS systems are supposed to detect suspicious or unauthorized activities such as the given attack, but also virus infections, malware and ransomware, zero-day attacks, and SQL injection, among others. Regrettably, an IDS/IPS only detects known signatures, e.g., domains or IP addresses that are already listed. That means one must know what one is looking for; otherwise, one won't find anything. If domains were not previously flagged as malicious, traditional security solutions won't find anything, and attackers will always get in through the weakest link in the chain.

The Storm-0558 breach was ultimately found through a lengthy evaluation of authentication log files by Microsoft analysts.

What does that mean for companies’ future cybersecurity systems? An application log monitoring system that reviews logs from all applications and automatically detects anomalies or suspicious activities in real time could have seen the anomalies caused by the intruders. So could authentication log monitoring that records authentication events across all systems, together with a SIEM that correlates and analyses those login activities and alerts on failed login attempts, unusual login patterns, and unauthorized access, so that potential security threats can be responded to promptly. The still unsolved issue with every SIEM solution remains, however: its tremendous number of false positives and the need to program the use cases beforehand to make correlations visible.


What About EDR?

One might say: if there are Windows event logs to look at, alerting should be possible, shouldn't it? Well, with EDR, data is collected by agents on each single device. That means there is a dependency on each agent and its "performance". In general, there are regrettably various techniques for evading EDR detection mechanisms or bypassing specific EDR systems:

The range goes from polymorphic malware, capable of continuously changing its appearance and behaviour to make detection by signature-based EDR tools difficult; to attacks on the EDR infrastructure, where attackers exploit vulnerabilities in EDR agents and management consoles to disable EDR protection; to manual attacks with tailored malware techniques; and on to social engineering and phishing to obtain legitimate credentials for EDR administration. Once the attackers deactivate or block an EDR agent, the EDR becomes blind. In other words: an EDR delivers data, but only as long as its agents are running.

Another problem for comprehensive EDR coverage is that in combined IT/OT environments, or in organisations within the financial industry, protected systems are common, so EDR agents can’t be installed there.

Let’s look again at how the “storm” hackers attacked: It was a hack via Xlogs. Azure authentication logs that compromised the servers, with a concentration of data on Microsoft's own Azure public cloud. As the monitoring and verification of authentication logs, typically used for logging data, can be adapted, clustered and alerted on in case of irregularities, a machine learning cyber security system that recognizes anomalies based on models of normal, inconspicuous traffic could make a difference for future attacks.

Verifying already corrupted applications and their communication, and recognizing the machine-learned irregularities, is only possible with a machine-learning-powered Network Detection and Response (NDR) solution like ExeonTrace: it monitors the data traffic in the network using machine learning and recognizes anomalies based on models of normal, inconspicuous network traffic.

Reduce the Hackers' Lead with Machine Learning (ML)

A dynamic NDR based on ML can find attacks without having already stored, known "indicators of compromise." It looks for and detects suspicious behaviour instead. It provides data from all switches, firewall logs etc., and works without agents. This allows more generic detection. For example, in the case of internal reconnaissance, where the attacker first “looks around” for what to attack, or in the case of lateral movement, when the attacker is already moving through the network, as well as in all cases of already compromised servers: an NDR detects and alerts before malicious action goes deeper into the network. Before the communication takes place, the analyser notices it. Another example is the detection of a malicious command-and-control channel in the proxy log data.

Machine learning can distinguish between user activity and "non-user triggered" activity and filters each one out for detection. Unlike detection tools that need to rely on known domains for signatures to respond, a machine learning NDR like ExeonTrace can learn and detect new and potentially malicious domains within only 24 hours.

How Does Machine Learning Work in NDR?

There are two types of machine learning: supervised and unsupervised. While supervised learning uses labelled input and output data, unsupervised learning algorithms work on data that is not labelled in advance.

  • Whether the algorithms are trained actively (supervised) or unsupervised, they learn in two dimensions. The first dimension, “time”, asks questions like: What does a Windows client normally do? What did it do in the past (learning from a time curve), and what is it doing now? For example: “Why is this instance suddenly accessing admin logs?”.
  • The second dimension, “space”, compares the behaviour of each device with that of the others in the network. Both are only possible over time; neither is a momentary analysis.
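The two dimensions described above, as an added example that is not ExeonTrace's algorithm and not code from the original article: plain z-scores stand in for the learned models, and the host names, counts and threshold are constructed assumptions.

```python
from statistics import mean, median, pstdev

# Constructed data: admin-log reads per day for each device, oldest first;
# the last value in each list is "today".
HISTORY = {
    "client-01": [0, 1, 0, 0, 1, 0, 1],
    "client-02": [1, 0, 0, 1, 0, 0, 0],
    "client-03": [0, 0, 1, 0, 0, 1, 14],
    "client-04": [0, 1, 1, 0, 0, 0, 1],
    "client-05": [1, 0, 0, 0, 1, 0, 0],
    "admin-ws":  [12, 15, 11, 14, 13, 12, 14],
}

def time_score(series):
    """'Time': distance of today's value from the device's own past (z-score)."""
    past, today = series[:-1], series[-1]
    spread = pstdev(past) or 1.0          # flat history: avoid dividing by zero
    return (today - mean(past)) / spread

def space_score(host, history):
    """'Space': distance of today's value from the other devices today,
    using median and median absolute deviation so one outlier cannot hide another."""
    peers = [series[-1] for name, series in history.items() if name != host]
    centre = median(peers)
    spread = median(abs(value - centre) for value in peers) or 1.0
    return (history[host][-1] - centre) / spread

LABELS = {(True, True): "alert", (True, False): "changed behaviour",
          (False, True): "stable outlier", (False, False): "normal"}

def classify(history, threshold=3.0):
    """Combine both baselines into one label per device."""
    return {host: LABELS[(time_score(series) > threshold,
                          space_score(host, history) > threshold)]
            for host, series in history.items()}

if __name__ == "__main__":
    for host, label in classify(HISTORY).items():
        print(f"{host:10s} {label}")
```

On this data the space baseline alone would also flag `admin-ws`, which reads admin logs every day; only `client-03` deviates from both its own history and its peers.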

ExeonTrace combines both algorithms: it looks for suspicious patterns with unsupervised as well as supervised ML and compares both possible baselines to make detection most effective and NDR the perfect alarm system for networks. Also, ExeonTrace can hardly be manipulated, as it uses a combination of different (supervised and unsupervised) algorithms.

Even in an already compromised/infected network, where malware got in earlier, attacks can be made traceable with NDR. And in forensics, log data events make it possible to see retrospectively whether something has happened and what, years after an intruder came into the system.


Let's Break the Asymmetry of Attackers Versus Defenders: Together!

Combining Network Detection and Response (NDR) and Endpoint Detection and Response (EDR) techniques can create a powerful defence strategy for cybersecurity and leverage machine learning. While NDR focuses on monitoring and analysing network traffic to detect and respond to suspicious activities, especially lateral movement and data exfiltration, EDR concentrates on monitoring and securing individual endpoints (e.g., workstations, servers) by collecting and analysing endpoint data to identify and respond to malicious activities, such as endpoint compromise and file-based attacks.

Data sharing between NDR and EDR will enrich each other's data and provide more comprehensive insights into potential threats. For example, information about a suspicious network connection detected by NDR can trigger further investigation on the corresponding endpoint by the EDR system, and vice versa. Machine learning algorithms in both NDR and EDR systems help improve threat detection accuracy and reduce false positives. Machine learning can identify patterns and anomalies in network traffic and endpoint behaviour that might be indicative of malicious activities. Also, machine learning models help establish baseline behaviours for the network and endpoints. This enables the systems to detect abnormal activities that deviate from the established norms, making it easier to spot potential threats.

Conclusion

As sophisticated APT hackers try to gain access to organisations, proactive cybersecurity measures with machine-learning-based Network Detection and Response (NDR) and a solid Endpoint Detection and Response (EDR) solution are essential for identifying and mitigating advanced threats and suspicious activities. For organisations looking for a proactive and dynamic cybersecurity defence that significantly enhances their ability to detect and mitigate threats effectively, machine learning algorithms should be in the driver's seat for the detection of advanced threats and suspicious patterns. While automation can help in rapidly responding to identified threats, minimizing the dwell time of attackers, ML models can stay continuously updated with evolving threats and attack techniques and be regularly retrained to stay relevant.

Schedule a session with our security experts and learn more about how ML-driven NDR solutions can safeguard your digital assets and protect your organisation from Advanced Persistent Threats. Busy? We only require 30 minutes of your valuable time to show you how ExeonTrace elevates your cybersecurity to the next level. Click here to start!

Author: Klaus Nemelka, Product Marketing Manager

email: klaus.nemelka@exeon.com

Published on: 08.08.2023