The July 2023 OptionOne Cybersecurity Briefing

By OptionOne Technologies

We searched through the most popular cybersecurity websites to bring you the latest industry news, updates, and tips.

Cybersecurity News

Azure AD Token Forging Attack Extends Far Beyond Outlook

A recent attack against Microsoft’s email infrastructure by a Chinese state actor is said to have a broader scope than previously thought, The Hacker News reported. The actor is known as “Storm-0558.”

According to Wiz, a cloud security company, “The inactive Microsoft account (MSA) consumer signing key used to forge Azure Active Directory (Azure AD or AAD) tokens to gain illicit access to Outlook Web Access (OWA) and Outlook.com could also have allowed the adversary to forge access tokens for various types of Azure AD applications,” the report said.

That means the attack could affect any application that supports personal account authentication. This includes OneDrive, SharePoint, and Teams—all applications that are widely used by both businesses and consumers.

Microsoft is still investigating how the actor managed to acquire the MSA consumer signing key. Wiz reported that “all Azure personal account v2.0 applications depend on a list of 8 public keys, and all Azure multi-tenant v2.0 applications with Microsoft account enabled depend on a list of 7 public keys.”

Wiz said that identity providers’ keys are “probably the most powerful secrets in the modern world.” With such a key, an actor could potentially gain access to anything, including email inboxes, file services, and cloud accounts.

Millions of Azure Customers Impacted

DarkReading also commented on the story, saying the breach has widened to “millions of Azure AD apps.” Although Microsoft revoked the stolen key in July, the company doesn’t know whether the actor or actors made use of their broader access to compromise the millions of potentially susceptible systems.

That means some Azure AD customers “could potentially still be sitting ducks,” the report said.

Storm-0558 could have used its access to issue itself application-specific access keys, setting up backdoors. Any applications that retained copies of the compromised public keys before the revocation remain susceptible to token forgery.

Cybersecurity experts say the incident could impact the global business community’s trust in the cloud and the components that support it. Specifically, it implies that the identity layers that form the “basic fabric” of everything one does in the cloud are more susceptible than previously thought.
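As an added illustration (not code from the briefing, Microsoft or Wiz) of why an application that keeps a stale copy of the key list stays exposed after a revocation: a small Python gate that pins a token’s `kid` to the key set the identity provider currently publishes and checks the basic claims before any signature verification. The key ids, issuer and audience are constructed placeholders; cryptographic signature verification with the selected key is left to a JOSE library.

```python
import base64
import json

# Constructed sample data (placeholder key ids, not Microsoft's real kids):
# the key set an application cached before the revocation, and the key set
# the identity provider publishes now.
CACHED_KIDS = {"kid-A1", "kid-B2", "kid-REVOKED"}
CURRENT_KIDS = {"kid-A1", "kid-B2"}
EXPECTED_ISS = "https://login.example.test/v2.0"   # assumed issuer
EXPECTED_AUD = "api://example-app"                 # assumed app/client id

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(header: dict, payload: dict) -> str:
    # Builds a constructed sample token; the signature segment is a placeholder
    # because this example does not perform cryptographic verification.
    return ".".join([_b64url_encode(header), _b64url_encode(payload), "sig"])

def check_token(token: str, current_kids: set, now: int) -> tuple:
    """Pre-signature gate: pin the token's key id to the currently published
    key set and check issuer, audience and expiry. Returns (accepted, reason).
    Full signature verification with the selected key must still follow."""
    try:
        h_b64, p_b64, _sig = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        payload = json.loads(_b64url_decode(p_b64))
    except ValueError:
        return False, "malformed token"
    kid = header.get("kid")
    if kid not in current_kids:
        # A revoked key must not be trusted even if a stale cache still holds it.
        return False, f"kid {kid!r} not in current key set"
    if payload.get("iss") != EXPECTED_ISS:
        return False, "unexpected issuer"
    if payload.get("aud") != EXPECTED_AUD:
        return False, "unexpected audience"
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return False, "expired or missing exp"
    return True, "ok"
```

Validating the same token against `CACHED_KIDS` and then against `CURRENT_KIDS` shows the gap: the stale cache accepts a token signed with the revoked key, the refreshed set rejects it.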

Hacktivist Group Targets Satellites and Infrastructure

The GhostSec “hacktivist” group is aiming at large targets including satellites, train infrastructure, and industrial control systems to “change the world,” Cybernews reported. Last spring, the self-described “cyber vigilante” group made headlines after penetrating Israeli industrial infrastructure and sabotaging 11 Global Navigation Satellite System (GNSS) devices. The group wiped the data collected from each satellite and disabled the recording of future data acquisition.

The group also claimed responsibility for breaking into 15 Aegis-2 controllers, affecting the water pumps in Israeli hotel swimming pools.

According to a leader from the group, their attacks “have always been FOR the people not against them,” leaving Cybernews with the hashtag: “#FreePalestine.”

Last year, the group claimed responsibility for causing a massive explosion at the Gysinoozerskaya hydroelectric power plant in Russia after seizing control of the plant’s ICS (Industrial Control Systems). It was a powerful show of force, carried out to restrain Russian military advancement against Ukraine.

The news is causing experts to rethink security measures that protect key infrastructure, as well as satellites. It also demonstrates the growing capability of similar groups to deliver real-world consequences by breaching critical systems.

White House and Big Tech Make Commitments to Secure AI

Seven leading tech companies met at the White House on July 21st to create the first-ever commitment to sharing, testing, and developing safe and secure artificial intelligence, DarkReading reported. The commitments are voluntary and therefore non-enforceable, but they represent a significant step in efforts to regulate and rein in the potential ill effects of AI’s expanding capabilities.

The commitments revolve around the transparency of the information the companies and their AI products compile. Specifically, the companies made commitments to protect privacy, prevent bias, and implement a watermark system so public users are aware of what content is created by AI.

The meeting comes after 1,000 tech leaders sent an open letter to national leaders voicing their concern over the risk that AI poses to humanity.

Cybersecurity Updates

Zimbra Issues Critical Security Patch

Collaboration product Zimbra released a critical security patch this month to close a security hole that could impact the confidentiality and integrity of its data, Naked Security by Sophos reported.

The vulnerability, a cross-site scripting (XSS) bug, occurs when an innocuous-looking click-through from one site to another gives the attacker a chance to implant rogue JavaScript code into the original website. This, in turn, means that the original site could end up with access to an account on the second website.

At the time of the report, the company had patched the hole in its code, but the patch hadn’t yet been published. According to a July 17th report by The Register, users are still waiting for the patch, which should be published “later this month.”

DoJ to Shake Up Cybercrime Investigations

The US Department of Justice (DoJ) is doubling the size of its team for investigating cybercrime, Infosecurity Magazine reported. The department said that the fight against ransomware is now “an urgent priority.”

On July 20th, Principal Deputy Assistant Attorney General Nicole M. Argentieri announced the merger of the National Cryptocurrency Enforcement Team (NCET) into the Computer Crime and Intellectual Property Section (CCIPS). The move creates “a single office that consolidates the Criminal Division’s expertise in all aspects of fighting cybercrime,” she said.

The team is also focusing heavily on tracking cryptocurrency, which is often used by cybercriminals for ransoms and other transactions.

The results of these efforts were made clear with the seizure of millions of dollars’ worth of cryptocurrency paid to the Darkside ransomware gang following its attack on Colonial Pipeline in 2021. In 2023, the DoJ announced the seizure of six cryptocurrency wallets believed to have been used to launder the proceeds of investment fraud scams.

Thanks for Reading

That’s it for this month’s Cybersecurity Briefing. Contact us today to learn more about our services.