Chinese APT targets Exchange.
By Tim Nodar, CyberWire senior staff writer.
Jul 13, 2023

CISA and the FBI issue an advisory with technical details, and urge organizations to increase their monitoring of Microsoft Exchange Online environments.

Chinese APT targets Exchange.

The US Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have released a joint Cybersecurity Advisory regarding a Chinese cyberespionage campaign that’s targeting government officials. The advisory urges organizations, especially those operating critical infrastructure, to step up their monitoring and logging of activity surrounding Microsoft Exchange Online environments. Microsoft described the campaign in a blog post earlier this week, noting that the threat actor compromised email accounts at approximately 25 organizations “by using forged authentication tokens to access user email using an acquired Microsoft account (MSA) consumer signing key.”

Commerce and State were particularly affected.

The Washington Post reports that the campaign targeted the US Commerce and State Departments, and an email account belonging to US Commerce Secretary Gina Raimondo was compromised. The Associated Press notes that the hacks occurred just before US Secretary of State Antony Blinken’s trip to Beijing last month. The State Department appears to have been the first agency to recognize the suspicious activity.

Industry comments about the incident.

Ashley Leonard, Syxsense Founder & CEO, provided some context for the incident. "The recent Storm-0978 attacks on defense and government entities in Europe and North America abuse CVE-2023-36884, a Microsoft Office and Windows HTML Remote Code Execution Vulnerability. As with any vulnerabilities that enable or allow for remote code execution, this vulnerability has a high severity score,” Leonard wrote. “What makes it more urgent is that Microsoft has seen the exploitation of this vulnerability in the wild with Storm-0978. This hacker group has essentially opened up a backdoor to create and send a specially crafted Microsoft Office document that, when opened, enables them to steal credentials to be used in other targeted operations. This vulnerability should be taken very seriously, and organizations should work to close that security gap immediately."

Remediation won’t be entirely simple or straightforward, Leonard believes. "Unfortunately, there is no simple patch at the moment for CVE-2023-36844. A countermeasure to remediate the vulnerability is to block all Office applications from creating child processes and update registry keys to avoid exploitation. For those utilizing unified security and endpoint management solutions, you should be able to utilize a workflow countermeasure immediately to accomplish this. For example, Syxsense rolled out a new security script and workflow that our customers can use to scan for the vulnerability, identify impacted endpoints, and remediate the threat immediately. However, it’s still important to note that updating registry settings could affect regular functionality for certain use cases related to these applications. And Microsoft also recommends turning on cloud-delivered protection in Microsoft Defender Antivirus, as Microsoft Defender can help protect organizations against this zero-day." 

Snehal Antani, CEO and Co-Founder of, cautions against framing the incident as a Microsoft problem. “With everyone pointing fingers at Microsoft, there actually is a bigger concern. When thinking about credential stuffing, this attack is used to first gain access to credentials for one online account, and then use those same credentials to access other online accounts,” Antani wrote, and then asked, “Was that the motive?” Password spraying represents another possibility. “In terms of password spraying, this attack is focused on reusing a username without knowing the password. Attackers then try commonly used passwords to log in to other systems. Maybe this was the motive? Either way, the key takeaway is that there is now a long tail of risk that exists for all victims of the compromise which could extend for quite a long period of time.”

Mark Lance, VP of DFIR at GuidePoint Security, urges organizations to develop an understanding of APTs. These nation-state threat actors are sophisticated and have significant resources at their disposal. "Over the past couple years, the prevalence of more widely encountered threats such as ransomware, which impacts a wide variety of customers across all industry verticals, shapes, and sizes, has definitely outweighed focus on Advanced Persistent Threats (APT),” Lance wrote. “Per its acronym, Advanced Persistent Threats, or APT, are typically much more sophisticated and targeted in nature, with a motivation of gathering information, as opposed to the more common cybercriminal or opportunistic threats, which are monetarily motivated. These APT groups are typically state-sponsored, and have a tendency to target industries, organizations, and individuals, with the attempt to gather sensitive information. This could include anything from trying to access emails for government officials to collect classified information about any relevant topic, to theft of Intellectual Property from a manufacturer, because it costs them less to steal the results of others' Research & Development efforts versus performing their own. Again, these types of targeted intrusions have been a perpetual risk for decades, but don't garner the same level of attention publicly, since they're a risk to or impact a much smaller list of companies. That said, they've always been around; customers should understand their risk profiles, what types of threats (such as APT) are higher risks for their organizations, and have to address them accordingly, because they haven't and won't be going anywhere."

Erich Kron, Security Awareness Advocate at KnowBe4, noted the opportunities email presents attackers. "Controlling access to legitimate email accounts is one of the more dangerous tools that bad actors can have in their toolbox,” Kron wrote. “Not only do many of us use our email accounts to reset passwords, potentially to platforms these bad actors would like to access, but there are also conversations that have taken place that can be used to attempt to steal information or take actions. It's not unusual to see a bad actor restart an email thread, or take an active role in email discussions through the compromised account, using the trust built through previous interactions to victimize people.” 

And a great deal of valuable information passes over email, Kron adds. "Email is also the source of a lot of potentially sensitive information that is shared within an organization. People tend to trust internal organizationally managed email systems to have conversations about sensitive topics, something that they would not do using a commercial email platform such as Gmail or Hotmail.”

There are some sound practices that can help. "Generally speaking,” Kron recommends, “it is a good idea to enable multi-factor authentication on email accounts to help protect against account takeover through stolen credentials or easily guessed passwords. In this case, because they are using forged tokens, protections may be limited by MFA. It is very important that users report potential email oddities, such as receiving a notification of an e-mail received, but having it missing from the inbox, as that may be a sign of a bad actor communicating with someone else, then trying to cover their tracks."

Willy Leichter, VP, Cyware, expects more of the same to come, but also thinks organizations are making progress in defending themselves. “Attacks like this will continue to grow in frequency, as vulnerabilities are inevitable, and many well-funded hacking groups are always looking to exploit them. The critical test is how quickly organizations like Microsoft react and take definitive action to stop the spread. In this case, 3+ weeks from the problem being reported to being fixed is well above industry average, but still leaves a large window of exposure. But compared to SolarWinds (which was exploited for months), we're making progress.”

(Added, 4:30 PM ET, July 23rd, 2023. Dan Schiappa, Chief Product Officer at Arctic Wolf, regrets that the incident is unlikely to be the last of its kind. “Unfortunately, Microsoft’s findings aren’t surprising, and this won’t be the last news-making story of this nature. In the security community, we’ve been warning of a surge in Chinese state-sponsored activity for a while now, as both the domestic and geopolitical tensions with China continue to rise. Chinese threat activity is not financially motivated; it is focused on spycraft, which lends itself to long-term, undetected attacks. It’s important to look at the big picture of this incident, with the backdrop of the current technology race between China and the US, particularly with the rise of AI. It’s critical that research, development, and government data are protected from prying eyes, as AI becomes the new battlefield for the tech cold war," Schiappa wrote. He added that, while conventional criminal gangs are probably the biggest threat to US businesses, the threat to supply chains that APTs represent can't be overlooked, either. "Although the average American business should likely be more concerned about financially motivated ransomware gangs like Clop, it’s important to remember the ever-present issue of supply chain attacks, and these more long-term plays from China. For businesses with any government contracts or relationships with those that are involved with bleeding-edge technology research or military-grade operations, an unassuming third-party vendor could be the vehicle of intrusion and intelligence gathering. Patching even the smallest vulnerability and enforcing a culture of security across all users, particularly as forged authentication tokens and stolen credentials run rampant on the dark web, can be the difference between an incident and a close call.”)