I think there's an issue with my storage device, but I'm not sure Start a free evaluation →
I need help getting my data back right now Call now (800) 972-3282
In June 2023, Microsoft was the victim of a major cyberattack, revealing the existence of an advanced cyber threat that became known as Storm-0558. This attack shook the cybersecurity community, as it demonstrated new levels of hacking sophistication.
Believed to be orchestrated by a China-based threat actor, Storm-0558 targeted high-value Exchange Online mailboxes, leaving no stone unturned, including the compromised accounts of the U.S. Secretary of Commerce and the U.S. Ambassador to China.
This article investigates the details of the Storm-0558 cyberattack on Microsoft. We will examine where Storm-0558 originated from, what security vulnerabilities at Microsoft enabled it to breach their systems, and what steps Microsoft took to respond to and limit the damage caused by this threat.
Storm-0558 is more than just a cyber threat – it represents a significant paradigm shift in the realm of digital security. This is mostly due to the fact that it operates with espionage objectives, displaying a specific interest in diplomatic, economic, and legislative governing bodies in the U.S. and Europe.
The threat actor exhibited a high degree of technical prowess, employing tactics such as credential harvesting, and phishing campaigns. Also, the OAuth token attacks, where attackers exploit vulnerabilities to steal authentication and data.
Microsoft’s data breach: where the company failed
Microsoft, a global technology giant, found itself in deep trouble as it grappled with the fallout of Storm-0558.
An analysis by the company revealed critical security lapses that paved the way for the attackers. These included a system crash in 2021, leading to the exposure of a signing key, subsequent failures in detecting key data, flawed library updates, and developers relying on non-functional libraries.
The human factor also played a role, with developers assuming the library’s functionality aligned with its documentation.
Each of these lapses, as acknowledged by Microsoft, has since been addressed, but the specifics of the fixes remain undisclosed.
The initial compromise, the two-year undetected access by the threat actor, and the absence of comprehensive log data raise concerns about the efficacy of Microsoft’s internal security controls.
Microsoft responded with mitigation measures, including hardening key issuance systems, blocking key usage, and implementing defense mechanisms.
However, the lingering questions underscore the challenges inherent in defending against persistent and sophisticated cyber threats.
How to handle a cyber attack
The first step to recovering from a malware or ransomware attack is to isolate the infected computer by disconnecting it from the internet and removing any connected device. Then, you must contact local authorities. In the case of US residents and businesses, it is the FBI and the Internet Crime Complaint Centre (IC3).
To report a cyber attack you must gather every information you can about it, including:
- Screenshots of the ransom note
- Communications with threat actors (if you have them)
- A sample of an encrypted file
However, if you prefer to contact professionals, then do nothing. Leave every infected machine the way it is and ask for an emergency ransomware removal service. Restarting or shutting down the system may compromise the recovery service. Capturing the RAM of a live system may help get the encryption key, and catching a dropper file, i.e. file executing the malicious payload (a software code or programs that execute unauthorized actions on a target system), might be reverse-engineered and lead to decryption of the data or understanding how it operates.
You must not delete the ransomware, and keep every evidence of the attack. That’s important for digital forensics so experts can trace back to the hacker group and identify them. It is by using the data on your infected system that authorities can investigate the attack and find the responsible. A cyber attack investigation is not different from any other criminal investigation: it needs evidence to find the attackers.
1. Contact your Incident Response provider
A Cyber Incident Response is the process of responding to and managing a cybersecurity incident. An Incident Response Retainer is a service agreement with a cybersecurity provider that allows organizations to get external help with cybersecurity incidents. It provides organizations with structured expertise and support through a security partner, enabling them to respond quickly and effectively during a cyber incident.
An incident response retainer offers peace of mind to organizations, offering expert support before and in the aftermath of a cybersecurity incident. An incident response retainer’s specific nature and structure will vary according to the provider and the organization’s requirements. A good incident response retainer should be robust but flexible, providing proven services to enhance an organization’s long-term security posture.
If you contact your IR service provider, they can take over immediately and guide you through every step in the ransomware recovery. However, if you decide to remove the ransomware and recover the files with your IT team, you can follow the next steps.
2. Identify the ransomware strain
Identifying which ransomware infected your machine can be done by checking the file extension (some ransomware uses the file extension as their name), using a ransomware ID tool, or it will be on the ransom note. With this information, you can look for a public decryption key. You can also check the cyber threat type by its IOCs.
3. Remove the ransomware and eliminate exploit kits
Before recovering your data, you must guarantee that your device is ransomware-free and that the attackers can’t make a new attack through exploit kits or other vulnerabilities. A ransomware removal service can delete the cyber threat, create a forensics document for investigation, eliminate vulnerabilities, and recover your data.
4. Use a backup to restore the data
The importance of backup for data recovery cannot be overstated, especially in the context of various potential risks and threats to data integrity.
Backups are a critical component of a comprehensive data protection strategy. They provide a means to recover from a variety of threats, ensuring the continuity of operations and preserving valuable information. In the face of cyber-attacks, where malicious software encrypts your data and demands payment for its release, having a backup allows you to restore your information without succumbing to the attacker’s demands.
Make sure to regularly test and update your backup procedures to enhance their effectiveness in safeguarding against potential data loss scenarios. There are several ways to make a backup, so you must choose the right backup medium and have at least one copy of your data stored offsite and offline.
5. Contact a ransomware recovery service
If you don’t have a backup or need help removing the ransomware and eliminating vulnerabilities, contact a data recovery service. Paying the ransom does not guarantee your data will be returned to you. The only guaranteed way you can restore every file is if you have a backup. If you don’t, ransomware data recovery services can help you decrypt and recover the files.
SalvageData experts can safely restore your files and prevent ransomware from attacking your network, contact our recovery experts 24/7.
Steps for cyber attack prevention
Storm-0558 serves as a stark reminder that cybersecurity is a collective responsibility.
Organizations, regardless of size, can take practical steps to fortify their defenses against such threats.
Implement multi-factor authentication (MFA) and conditional access policies:
In the world of online security, it’s crucial to have strong ways of making sure only the right people get access to important stuff, especially when dealing with threats like Storm-0558.
Multi-factor authentication (MFA) is like an extra shield, making users prove who they are using more than one way. This makes it harder for someone to sneak in without permission.
Conditional Access Policies are like extra rules we can set up. They help decide when someone can or can’t get into certain things. Checking and updating these rules regularly is important. It’s like adjusting the locks on our doors to make sure they still work against new tricks bad guys might try.
Optimize logging practices
Turning on special logs, like the one that keeps track of when someone looks at emails (MailItemsAccessed), gives you a heads-up if anything fishy is going on.
Regular reviews of logs are indispensable to identify patterns, anomalies, or any indicators of compromise. Continuous vigilance in log analysis enhances the capacity to detect and respond swiftly to potential security incidents. Organizations should invest in advanced log management solutions and allocate resources to ensure the thorough scrutiny of log data.
Monitor lateral movement
Lateral movement within a network is a common tactic employed by advanced cyber threats seeking to expand their influence. Organizations must establish and rigorously enforce security controls that monitor lateral movement to prevent unauthorized access.
These controls involve deploying intrusion detection systems, network segmentation, and behavior analytics to track the lateral progression of threat actors.
Implementing strict access controls ensures that only authorized personnel can navigate between different segments of the network.
Cyber security training
Cybersecurity training stands as a foundation for fortifying defenses against the ever-evolving landscape of cyber threats. Educating both individuals and organizations on critical practices, security protocols, and cutting-edge techniques, ensures the security of digital assets.
Awareness programs empower individuals to recognize and evade common cybercriminal tactics. Including phishing emails and social engineering, which manipulate human behavior to breach confidential information.
Basic security hygiene involves crucial practices, like robust password management, and software updates to patch vulnerabilities. Plus the implementation of multi-factor authentication for added security layers.
Technical training encompasses network and endpoint security, imparting knowledge about securing networks with firewalls, intrusion detection systems, and VPNs. It also includes securing individual devices against malware and unauthorized access.