Microsoft Attacked By Hackers Linked To China In Cyber Espionage Campaign
Microsoft said in a blog post published late yesterday that hackers linked to China, dubbed Storm-0558, broke into email accounts at approximately 25 organizations, including some U.S. government agencies, and hit consumer accounts as part of a suspected cyber-espionage campaign to access data in sensitive computer networks.
The hackers took advantage of a security weakness in Microsoft’s cloud-computing environment, gaining access to victims’ email by forging digital tokens. The intrusion began on May 15 and operated in stealth for more than a month, until June 16, when Microsoft began its investigation and mitigated the situation.
“Last month, U.S. government safeguards identified an intrusion in Microsoft’s cloud security, which affected unclassified systems. Officials immediately contacted Microsoft to find the source and vulnerability in their cloud service. We continue to hold the procurement providers of the U.S. government to a high security threshold,” Adam Hodge, spokesman for the White House National Security Council, said.
The full scope and severity of the incident, and which institutions and individuals were hacked, are currently not available.
Willy Leichter, VP at Cyware, had this comment:
“Attacks like this will continue to grow in frequency, as vulnerabilities are inevitable, and many well-funded hacking groups are always looking to exploit them. The critical test is how quickly organizations like Microsoft react and take definitive action to stop the spread. In this case, 3+ weeks from the problem being reported to being fixed is well above industry average, but still leaves a large window of exposure. But compared to SolarWinds (which was exploited for months), we’re making progress.”
It’s clear from attacks like this one that nation states with hostile intent are coming for you and your infrastructure. You therefore need to ensure that your defences are in place either to stop them outright or, failing that, to detect them quickly so that you can take the required action.
UPDATE: Snehal Antani, CEO and Co-Founder of Horizon3.ai, adds this:
“With everyone pointing fingers at Microsoft, there actually is a bigger concern. When thinking about credential stuffing, this attack is used to first gain access to credentials for one online account, and then use those same credentials to access other online accounts. Was that the motive?
“In terms of password spraying, this attack is focused on reusing a username without knowing the password. Attackers then try commonly used passwords to log in to other systems. Maybe this was the motive? Either way, the key takeaway is that there is now a long tail of risk that exists for all victims of the compromise which could extend for quite a long period of time.”
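As an added illustration (not code from the article or from any of the people quoted in it), the two patterns Antani describes can be told apart in sign-in logs: password spraying shows one source trying many accounts a few times each, while a single account hammered from one source is brute force, and any account that signed in successfully during either wave belongs to the "long tail" that needs a reset. The log lines, field layout and thresholds below are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample sign-in events (not from the article): "timestamp source_ip username result"
SAMPLE_LOG = """\
2023-06-16T10:00:01 203.0.113.7 alice FAIL
2023-06-16T10:00:02 203.0.113.7 bob FAIL
2023-06-16T10:00:03 203.0.113.7 carol FAIL
2023-06-16T10:00:04 203.0.113.7 dave FAIL
2023-06-16T10:00:05 203.0.113.7 erin FAIL
2023-06-16T10:00:06 203.0.113.7 frank SUCCESS
2023-06-16T10:05:00 198.51.100.9 alice FAIL
2023-06-16T10:05:01 198.51.100.9 alice FAIL
2023-06-16T10:05:02 198.51.100.9 alice FAIL
2023-06-16T10:05:03 198.51.100.9 alice FAIL
2023-06-16T10:05:04 198.51.100.9 alice FAIL
2023-06-16T10:05:05 198.51.100.9 alice SUCCESS
2023-06-16T11:00:00 192.0.2.44 grace SUCCESS
"""

def parse(log):
    """Split each line into (timestamp, source_ip, username, result)."""
    return [tuple(line.split()) for line in log.splitlines() if line.strip()]

def classify_sources(rows, spray_min_users=5, spray_max_per_user=2, brute_min_attempts=5):
    """Label each source IP 'spray', 'brute_force' or 'benign'; thresholds are assumed values."""
    failures = defaultdict(lambda: defaultdict(int))  # ip -> user -> failed attempts
    successes = defaultdict(set)                       # ip -> users that signed in
    for _ts, ip, user, result in rows:
        if result == "FAIL":
            failures[ip][user] += 1
        else:
            successes[ip].add(user)
    verdicts = {}
    for ip in set(failures) | set(successes):
        per_user = failures.get(ip, {})
        peak = max(per_user.values(), default=0)  # most attempts against any one account
        if len(per_user) >= spray_min_users and peak <= spray_max_per_user:
            kind = "spray"          # many accounts, a few guesses each
        elif peak >= brute_min_attempts:
            kind = "brute_force"    # one account, many guesses
        else:
            kind = "benign"
        verdicts[ip] = (kind, sorted(successes.get(ip, ())))
    return verdicts

def accounts_to_reset(verdicts):
    """Accounts that signed in from a flagged source: their passwords now work for the attacker elsewhere too."""
    return sorted({u for kind, users in verdicts.values() if kind != "benign" for u in users})
```

Running `accounts_to_reset(classify_sources(parse(SAMPLE_LOG)))` on the constructed log flags alice and frank, the two accounts whose credentials succeeded during an attack wave.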
This entry was posted on July 12, 2023 at 12:08 pm and is filed under Commentary with tags Microsoft. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.