URL: https://therecord.media/microsoft-disputes-report-on-chinese-hacking

Image: Nothing Ahead via Pexels
Jonathan Greig, July 21st, 2023
 * News
 * Nation-state



Microsoft disputes report that Chinese hackers could have accessed suite of programs

Microsoft is disputing a new report that claims hackers may have had access to
more parts of victims’ systems than previously known in a campaign that targeted
dozens of organizations, including government agencies.

In the attacks, apparent Chinese hackers gained access to the emails of U.S.
Commerce Secretary Gina Raimondo, U.S. Ambassador to China Nicholas Burns and
Daniel Kritenbrink, the assistant secretary of state for East Asia, ahead of
their trip to China last month.

To access the Outlook accounts, they used an inactive consumer signing key to
forge authentication tokens for the multifactor authentication service Azure
Active Directory.

Researchers from security company Wiz published a report on Friday saying that
in addition to accessing Outlook email accounts, the hackers could have used the
key to forge access tokens for a variety of Azure programs, like SharePoint,
Teams and OneDrive, as well as “customers’ applications that support the ‘login
with Microsoft’ functionality, and multi-tenant applications in certain
conditions.”

“Microsoft have said that Outlook.com and Exchange Online were the only
applications known to have been affected via the token forging technique, but
Wiz Research has found that the compromised signing key was more powerful than
it may have seemed, and was not limited to just those two services,” they said.

“The full impact of this incident is much larger than we initially understood it
to be.”

The researchers added that the incident will have “long lasting implications on
our trust of the cloud and the core components that support it, above all, the
identity layer which is the basic fabric of everything we do in cloud.”

The report goes on to examine how important consumer signing keys are to the
Microsoft ecosystem and the range of actions that could be taken if they got
into the wrong hands.

The hackers could “have theoretically used the private key it acquired to forge
tokens to authenticate as any user to any affected application that trusts”
Microsoft’s certificates.

While Microsoft has since revoked the compromised key, Wiz said the hackers may
have leveraged the access they gained to establish persistence in a victim
network.
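As an added illustration (not code from The Record's article or from Wiz's report) of the checks an application needs so that a token signed with a revoked key, or minted by a different issuer, is refused and the key id is recorded for later investigation: HMAC-SHA256 stands in for the RSA signatures real Azure AD tokens carry, and every key id, secret and claim below is constructed for the example.

```python
# Minimal JWT-shaped token validator (added example, not from the article).
# Assumptions: HMAC-SHA256 stands in for the issuer's RSA signatures; key ids,
# secrets and claims are constructed; `trusted_keys` is the app's current view
# of the issuer's keys, so a revoked key is simply absent from it.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(key_id: str, secret: bytes, claims: dict) -> str:
    """Mint a token the way an issuer (or anyone holding its key) would."""
    head = _b64(json.dumps({"alg": "HS256", "kid": key_id}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def validate(token: str, trusted_keys: dict, issuer: str, audience: str,
             audit_log: list, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is acceptable, otherwise None.
    Every attempt is logged with its key id so that use of a key later found
    to be compromised can still be traced in the application's own records."""
    now = time.time() if now is None else now
    try:
        head_s, body_s, sig_s = token.split(".")
        header = json.loads(_unb64(head_s))
        claims = json.loads(_unb64(body_s))
    except ValueError:          # malformed base64 or JSON
        return None
    kid = header.get("kid")
    audit_log.append({"kid": kid, "sub": claims.get("sub"), "iss": claims.get("iss")})
    secret = trusted_keys.get(kid)
    if secret is None:          # unknown or revoked key id: never verify against it
        return None
    expected = hmac.new(secret, f"{head_s}.{body_s}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_s)):
        return None
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        return None             # minted by another issuer/tenant or for another app
    if claims.get("exp", 0) <= now:
        return None
    return claims
```

Pinning the issuer and audience is what stops a token from a different issuer (for example a consumer-side one) being accepted by an application that expects tenant-specific tokens; the audit log is the record the Wiz quote above says most applications lack.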

As researchers noted, Microsoft and several federal agencies are still
investigating the incident, making it difficult to know how exactly other
organizations can protect themselves from this kind of attack.

There are several outstanding questions from the fiasco, including how and when
the hackers got the key, and whether other keys were compromised.

“At this stage, it is hard to determine the full extent of the incident as there
were millions of applications that were potentially vulnerable, both Microsoft
apps and customer apps, and the majority of them lack the sufficient logs to
determine if they were compromised or not,” Wiz said.

When asked about the report, a Microsoft spokesperson told Recorded Future News
that customers should instead read the blogs it has published about the incident
and focus on the indicators of compromise that they have provided.

“Many of the claims made in this blog are speculative and not evidence-based,”
the spokesperson said.

“We’ve also recently expanded security logging availability, making it free for
more customers by default, to help enterprises manage an increasingly complex
threat landscape.”

Wiz researchers expressed surprise at Microsoft’s response, telling Recorded
Future News that their blog “was reviewed and validated” by the Microsoft
Security Response Center team.

“We collaborated with them on the blog and they helped ensure technical
accuracy,” the Wiz spokesperson said.

The Wiz post ends with a thank you to the Microsoft team for “working closely
with us on this blog and helping us ensure it is technically accurate.”

Keeper Security’s Zane Bond noted that while the technical concerns are
warranted, the bigger concern is how knowledgeable and well-resourced the
attackers were.

“This threat actor knew they had valuable access, and therefore, used it as best
they could in the time they had. Lateral movement to other services is one of
the most common attacker tactics,” Bond said.

“The cloud is a double-edged sword and this event highlights some of both the
advantages and disadvantages. Most of the time, it’s a great benefit, because
the cloud provider can investigate and resolve these types of intrusions for
their customers. However, the downside is that a single breach can lead to
multiple organizations being compromised, and the threat actor can pick and
choose the most valuable targets and data once they are in.”

While CISA has declined to attribute the hack to China, the State Department
said last week that it has “no reason to doubt” Microsoft’s assessment that the
attack was launched by hackers connected to China’s government.

The Chinese Embassy forcefully denied any involvement in the incident in a
statement to Reuters.


Tags
 * Microsoft
 * Azure
 * China


Jonathan Greig

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has
worked across the globe as a journalist since 2014. Before moving back to New
York City, he worked for news outlets in South Africa, Jordan and Cambodia. He
previously covered cybersecurity at ZDNet and TechRepublic.

© Copyright 2023 | The Record from Recorded Future News