Microsoft, Chinese APTs, and M365 Licensing Models

7-18-2023 (Tuesday)

Hello and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for private equity investors and the management teams of their portfolio companies.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Tuesday, July 18th, and we just didn’t get to this video on Monday. But we’re here now, and we’re not going to talk about MOVEit. Instead, we’re going to talk about a sophisticated attack against Microsoft’s cloud email service and unpack the implications a bit.

The Storm at Microsoft

So, let’s start with what happened - or at least what we think we know happened. Ars Technica’s Dan Goodin reports:

“Microsoft’s Threat Intelligence team said that Storm-0558, a China-based hacking outfit that conducts espionage on behalf of that country’s government, exploited them starting on May 15. Microsoft drove out the attackers on June 16 after a customer tipped off company researchers of the intrusion.”

About 25 organizations were impacted, “including the US Departments of State and Commerce and other sensitive organizations.”

The hackers appear to have had access to these accounts for a month, and were only discovered when “detected in mid-June by a US government agency.”

Microsoft has been particularly obtuse about the root cause here, with multiple articles noting how they’re avoiding using language like “vulnerability” or “zero-day.” Some researchers are speculating that there were at least three flaws exploited by the attackers here, but without more from Microsoft, we’re merely guessing.

Folks in DC are starting to worry, with Axios reporting that “officials still have ‘significant questions regarding how this occurred that the U.S. government is pressing Microsoft to answer.’”

Senator Ron Wyden, out front on cyber issues for a while now, criticized Microsoft for their licensing model, which hinders users from accessing detailed audit logs without a significantly more expensive license:

U.S. Senator Ron Wyden said Microsoft should offer all its customers full forensic capabilities, saying that "charging people for premium features necessary to not get hacked is like selling a car and then charging extra for seatbelts and airbags."

Across the pond, our friends at the UK’s Intelligence and Security Committee of Parliament just put China on blast for its "highly effective cyber espionage capability" and its ability to penetrate a diverse range of foreign government and private sector IT systems.

The 207 page report outlines how Chinese government hackers are “frequently” targeting MPs - in similar ways to the attack against Microsoft.

But we’re not Microsoft and we’re not US Government Agencies (even though some of us *ahem* spent the better part of a decade with that USG hat on), so what does this story mean for the businesses that we’re buying and running?

A couple of things to consider:

  • First: Many of us are using Microsoft for email, and were - in theory - vulnerable to the same attacks used here. But, if those flaws (read: vulnerabilities) have been patched, we’re also now benefiting from the relatively quick response and remediation efforts. While there’s a lot of noise in reporting here, the truth is that the technical response run by Microsoft here is still likely better than any of us could’ve done, and we need to compare our capabilities to the vendor we’re choosing - not to some ideal state that exists only in a security framework or piece of model data legislation.

  • Second: while Microsoft has been light on details, the attackers certainly know how they exploited this system. They’ll likely continue to look for similar exploits in other systems and continue to evolve this attack chain in Microsoft’s systems. By obfuscating root cause, Microsoft is preventing the rest of the industry from being able to find, forecast, and fix these flaws (or similar) in their own systems.

    While there is certainly an argument to be made about disclosing TTPs as an enabler for less-skilled attackers, that’s already possible (and, in many scenarios, likely) from the attacker’s side - they would love nothing more than to muddy the waters and make attribution more difficult once their initial zero-day advantage has been burned. The only teams losing in this dynamic are the blue teams in charge of defending our systems.

  • Finally: visibility matters. Let’s not forget here that this activity wasn’t detected by Microsoft. It was detected by a customer (State, if you believe the reporting). And this customer had not only the enhanced visibility licensing but also a keen eye to notice that a particular AppID did not normally access mailbox items in their environment. Without that, we’d still have Chinese hackers in these systems. While the expectation isn’t that your portcos run a ship this tight, it is another reason why understanding the baseline behavior in your environment can help identify anomalies - and you never know what you’re going to find once you start pulling on those sorts of threads.

The Joint Cybersecurity Advisory put out by the FBI and CISA has a few more details, including explicit suggestions that higher-level E5 licenses be utilized to enable enhanced monitoring and logging. Just a reminder that these licenses currently cost $57 per user, per month.

If Senator Wyden gets his way, this capability will become more widely available, but until then, it is not a bad idea to consider ponying up for the E5. It’s only $21 more per month than the base E3 license, and offers significant value.

Fundraising

A bang-up week of fundraising, with over $32.5B in newly committed capital across nearly two dozen funds. We had 4 funds over $4B this week alone, which indicates that the liquidity funnel may be flowing once again from the bottom, and putting that capital back to work at the top.

You can find all the links to the stories we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next Monday for another Intentional Brief.

Links

https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/

https://arstechnica.com/security/2023/07/microsoft-takes-pains-to-obscure-role-in-0-days-that-caused-email-breach/

https://www.wired.com/story/microsoft-cloud-attack-china-hackers/

https://thehackernews.com/2023/07/microsoft-bug-allowed-hackers-to-breach.html

https://www.reuters.com/technology/microsoft-under-fire-after-hacks-us-state-commerce-departments-2023-07-13/

https://therecord.media/china-hacking-uk-members-parliament

https://www.ic3.gov/Media/News/2023/230712.pdf
