The Power of Audit Logs: Critical Lessons from the Recent Storm-0558 Threat
Published 08/23/2023
Originally published by Obsidian Security on July 25, 2023.
Earlier this month, Microsoft and CISA reported the discovery of a recent advanced persistent threat (APT), Storm-0558, which gained access to Exchange and harvested corporate emails. The threat actor group responsible managed to gain access to Exchange data via the Outlook Web Access (OWA) API, using an access token obtained by exploiting vulnerabilities in the Microsoft ecosystem related to token exchange and signature validation. They started with a stolen authentication key that had been created for a different purpose.
How was it detected?
What’s interesting about this breach scenario is what led to the investigation and eventual discovery of the sophisticated threat. Although Microsoft ultimately found the APT, it was a Microsoft customer who first alerted on and investigated anomalous MailItemsAccessed events in the Microsoft audit log.
When it comes to sophisticated attacks such as this, people often assume that they primarily leverage 0-day vulnerabilities, making them near impossible to defend against. Discovering a 0-day exploit is challenging, but it isn’t the only way to detect an APT. Bad actors seldom carry out an entire attack chain using only 0-days (via server-side RCE, SQLi, etc.). To reduce cost and effort, they will likely return to the standard service path at some point. Inevitably, this leaves a trace of activity at the application level, making the threat far less difficult to detect.
To help visualize this, imagine a thief breaking into your home using a key mold to unlock your front door. You have no way of knowing where or when they obtained this mold. Regardless, the security camera flags and tracks the activity the moment they step foot on your property. You are alerted once they attempt to open your door.
The same was true for this incident. After exploiting a few 0-day vulnerabilities, the threat actors eventually returned to the standard service path, the OWA API, leaving MailItemsAccessed records in the audit logs that ultimately gave them away.
How to harness audit log intel at scale
In this particular example, the audit log showed signs of anomalous activity and suspicious events that were then linked to key validation and token exchange exploits after Microsoft’s internal investigation. The logs could have just as easily hinted at other vulnerabilities that lead to identity theft, such as XSS. With constant monitoring and assessment in place, audit logs can provide a powerful source of information for your threat detection and investigation efforts.
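To make the monitoring concrete, here is an added example (not code from the original post or from Obsidian Security) of the kind of baseline-and-deviation check a detection team could run over exported MailItemsAccessed audit records: it learns which AppId/client IP pairs each mailbox owner normally uses and how much mail they normally read, then flags later access from an unfamiliar application or at an unusual volume. The JSON field names follow the unified audit log schema as assumed here, and every value in the sample log is constructed.

```python
import json
from collections import defaultdict

# Constructed JSON-lines export of unified audit log records. Field names
# (Operation, UserId, AppId, ClientIPAddress, OperationCount) are assumed to
# match the MailItemsAccessed schema; users, IDs, IPs and counts are invented.
SAMPLE_LOG = """
{"CreationTime":"2023-06-01T08:00:00","Operation":"MailItemsAccessed","UserId":"alice@example.com","AppId":"aaaa-outlook","ClientIPAddress":"203.0.113.10","OperationCount":15}
{"CreationTime":"2023-06-02T08:05:00","Operation":"MailItemsAccessed","UserId":"alice@example.com","AppId":"aaaa-outlook","ClientIPAddress":"203.0.113.10","OperationCount":20}
{"CreationTime":"2023-06-02T09:00:00","Operation":"MailItemsAccessed","UserId":"bob@example.com","AppId":"aaaa-outlook","ClientIPAddress":"203.0.113.11","OperationCount":9}
{"CreationTime":"2023-06-03T10:00:00","Operation":"FileAccessed","UserId":"alice@example.com","AppId":"cccc-sharepoint","ClientIPAddress":"203.0.113.10","OperationCount":1}
{"CreationTime":"2023-07-01T02:10:00","Operation":"MailItemsAccessed","UserId":"alice@example.com","AppId":"bbbb-unknown","ClientIPAddress":"198.51.100.7","OperationCount":400}
{"CreationTime":"2023-07-01T02:12:00","Operation":"MailItemsAccessed","UserId":"alice@example.com","AppId":"bbbb-unknown","ClientIPAddress":"198.51.100.7","OperationCount":450}
{"CreationTime":"2023-07-01T08:00:00","Operation":"MailItemsAccessed","UserId":"bob@example.com","AppId":"aaaa-outlook","ClientIPAddress":"203.0.113.11","OperationCount":11}
"""

def parse_mail_access(log_text):
    """Keep only MailItemsAccessed records, oldest first (ISO timestamps sort as strings)."""
    records = [json.loads(line) for line in log_text.strip().splitlines()]
    records = [r for r in records if r.get("Operation") == "MailItemsAccessed"]
    return sorted(records, key=lambda r: r["CreationTime"])

def build_baseline(records, baseline_end):
    """Per user: (AppId, ClientIPAddress) pairs and peak OperationCount seen before baseline_end."""
    known, peak = defaultdict(set), defaultdict(int)
    for r in records:
        if r["CreationTime"] < baseline_end:
            known[r["UserId"]].add((r["AppId"], r["ClientIPAddress"]))
            peak[r["UserId"]] = max(peak[r["UserId"]], r["OperationCount"])
    return known, peak

def flag_anomalies(records, baseline_end, volume_factor=5):
    """Flag post-baseline mailbox reads from an unseen app/IP pair or at volume_factor x the user's past peak."""
    known, peak = build_baseline(records, baseline_end)
    alerts = []
    for r in records:
        if r["CreationTime"] < baseline_end:
            continue  # baseline period itself is not scored
        user, reasons = r["UserId"], []
        if (r["AppId"], r["ClientIPAddress"]) not in known[user]:
            reasons.append("new AppId/IP pair %s from %s" % (r["AppId"], r["ClientIPAddress"]))
        if peak[user] and r["OperationCount"] >= volume_factor * peak[user]:
            reasons.append("OperationCount %d >= %dx baseline peak %d" % (r["OperationCount"], volume_factor, peak[user]))
        if reasons:
            alerts.append((r["CreationTime"], user, "; ".join(reasons)))
    return alerts

if __name__ == "__main__":
    for alert in flag_anomalies(parse_mail_access(SAMPLE_LOG), "2023-06-30"):
        print(alert)
```

In a real deployment the baseline would be learned over weeks of exported records and the alerts routed into the same triage queue as the rest of the SaaS audit telemetry, so that a first-seen AppId reading a mailbox is investigated rather than buried.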