The US Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have issued a joint Cybersecurity Advisory regarding a cyberespionage campaign originating from China. The campaign specifically targets government officials and organizations, particularly those operating critical infrastructure. The advisory emphasizes the need for increased monitoring and logging of activity surrounding Microsoft Exchange Online environments.
Microsoft had previously described the campaign in a blog post, revealing that the threat actor had compromised email accounts at approximately 25 organizations. The actor was able to access these accounts by using forged authentication tokens and an acquired Microsoft account consumer signing key. The US Commerce and State Departments were among the agencies affected, including the email account of US Commerce Secretary Gina Raimondo. The hacks occurred just before US Secretary of State Antony Blinken’s trip to Beijing last month, raising concerns about potential diplomatic implications.
Industry experts have commented on the incident, offering insights and recommendations. Ashley Leonard, Syxsense Founder & CEO, highlighted the severity of the vulnerability (CVE-2023-36884) associated with the attacks and stressed the importance of addressing the security gap immediately. Leonard explained that while there is currently no simple patch for the vulnerability, organizations can utilize countermeasures such as blocking Office applications from creating child processes and updating registry keys. This can be accomplished through unified security and endpoint management solutions.
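The two countermeasures mentioned above (blocking Office applications from spawning child processes, and setting the mitigation registry keys) map to concrete Windows configuration. The following PowerShell is an added example written for this page; it is not from the article, CISA, or any of the vendors quoted here. It assumes an elevated PowerShell session on a Windows host running Microsoft Defender Antivirus. The rule ID is Microsoft's published GUID for the "Block all Office applications from creating child processes" attack surface reduction rule, and the registry path and value names are those Microsoft published as a CVE-2023-36884 mitigation; both should be checked against current Microsoft guidance before deployment.

```powershell
# Added example: apply and verify the child-process and registry mitigations.
# Assumes: elevated PowerShell, Microsoft Defender Antivirus present.

# Microsoft's ASR rule ID for "Block all Office applications from creating child processes".
$OfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Get-AsrRuleState {
    # Returns the configured action for one ASR rule: NotConfigured, Disabled, Block, Audit or Warn.
    param([Parameter(Mandatory)][string]$RuleId)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RuleId) {
            switch ([int]$actions[$i]) {
                0       { return 'Disabled' }
                1       { return 'Block' }
                2       { return 'Audit' }
                6       { return 'Warn' }
                default { return "Unknown($($actions[$i]))" }
            }
        }
    }
    return 'NotConfigured'
}

function Set-OfficeChildProcessBlock {
    # Start in AuditMode so affected line-of-business workflows show up in the event log
    # before enforcement; switch to Enabled once exclusions are understood.
    # Add-MpPreference appends to the rule list; Set-MpPreference would overwrite it.
    param([ValidateSet('AuditMode', 'Enabled')][string]$Mode = 'AuditMode')
    Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                     -AttackSurfaceReductionRules_Actions $Mode
}

function Get-AsrEvents {
    # ASR writes event 1121 (blocked) and 1122 (audited) to the Defender operational log.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

function Set-CrossProtocolFileNavigationBlock {
    # Registry mitigation Microsoft published for CVE-2023-36884: one DWORD per Office binary, value 1.
    # Verify the path and the list of binaries against current Microsoft guidance before use.
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
    $apps = 'Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
            'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($app in $apps) {
        New-ItemProperty -Path $key -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
    }
    # Return the values actually written so the result can be checked or logged.
    Get-ItemProperty -Path $key | Select-Object $apps
}

# Usage: record state, apply both mitigations, then confirm and review any audit hits.
"ASR rule before: $(Get-AsrRuleState -RuleId $OfficeChildProcRule)"
Set-OfficeChildProcessBlock -Mode AuditMode
"ASR rule after:  $(Get-AsrRuleState -RuleId $OfficeChildProcRule)"
Set-CrossProtocolFileNavigationBlock | Format-List
Get-AsrEvents -Hours 24 | Format-Table -AutoSize
```

Running the rule in audit mode first is the practical way to find legitimate Office add-ins or macros that launch helper processes; once the 1122 audit events show nothing unexpected, rerun `Set-OfficeChildProcessBlock -Mode Enabled` to enforce. In a managed estate the same settings are normally pushed through Intune or Group Policy rather than per-host scripts, but the state and event checks above are still useful for verifying that the policy landed.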
Snehal Antani, CEO and Co-Founder of Horizon3.ai, raised an important point about the motive behind the cyberespionage campaign. Antani questioned whether the objective was to gain access to credentials for one online account and then use those credentials to access other accounts. Another possibility raised by Antani is password spraying, in which an attacker takes known usernames and, without knowing the real password, attempts to log in to other systems using commonly used passwords. Antani emphasized that the incident highlights the long-term risks associated with such compromises.
Mark Lance, VP of DFIR at GuidePoint Security, discussed the nature of Advanced Persistent Threats (APTs) and their motivation to gather information rather than financial gain. Lance urged organizations to develop an understanding of APTs and address the associated risks accordingly.
Erich Kron, Security Awareness Advocate at KnowBe4, stressed the dangers of attackers gaining control of legitimate email accounts. He explained that compromised accounts can be used to reset passwords and gain access to other platforms, as well as to restart email threads and deceive victims. Kron recommended enabling multi-factor authentication on email accounts and reporting any suspicious email activity.
Willy Leichter, VP at Cyware, acknowledged that attacks like these are likely to continue as vulnerabilities are inevitable. He praised the actions taken by Microsoft to address the issue, despite the time it took to resolve the problem. Leichter also highlighted the ongoing tensions with China and the need to protect research, development, and government data from state-sponsored threats.
In conclusion, the recent cyberespionage campaign originating from China and targeting government officials highlights the need for organizations, especially those operating critical infrastructure, to enhance their monitoring and logging of Microsoft Exchange Online environments. The severity of the vulnerability exploited in the attacks emphasizes the urgency of addressing the security gap. Industry experts have offered recommendations to mitigate the risks associated with such campaigns, including the use of countermeasures, multi-factor authentication, and reporting suspicious activity. The incident serves as a reminder of the ongoing threat posed by APTs and the importance of understanding and addressing these risks.
