Hello and welcome to the Friday, July 14th, 2023 edition of the Sandinert Storm Center's

Stormcast. My name is Johannes Ulrich and today I'm recording from Washington, D.C.

Well, first of all, thank you to everybody who attended my keynote here at Sands Fire earlier this week, either online or here in person.

Talked a little bit about, in a storm center and such.

We do have a great sort of follow-up diary to this from Jesse today, where he talks a little bit about the honeypot and how to manage some of the logs that it retains and how to basically get more

value out of this little Raspberry Pi or virtual machine honeypot. So check it out if you are

already or if you're planning to run our honeypot. And there was a lot of news, also some

confusion about a Chinese APT actor,

apparently gaining access to the Outlook 365 accounts of a number of different US federal

agencies.

The problem in this case was not a vulnerability per se as stated by a blog post from Microsoft

as well as a blog post from the cybersecurity infrastructure, security agency SISA.

This particular threat actor apparently got a hold of a signing key used by Microsoft.

How did he got a hold of it?

That's really the big, big question here,

whether it was leaked, stolen, purchased, or how they got to it.

But this signing key then allowed them to essentially authenticate as arbitrary users.

They use this access to access various sensitive email accounts and then exfiltrated emails. This was discovered about a month

ago, however apparently was going on for quite a while. This is one of those tricky events to figure

out and really detect because you do have someone using what looks like valid credentials. Apparently

these respective agencies did note the odd app ID being used in order to access these email accounts.

Microsoft mitigated this problem by now by invalidating this signing key that was used here.

...