The DHS’s CSRB to review cloud security practices following the hack of Microsoft Exchange govt email accounts

The DHS’s CSRB will review cloud security practices following recent hacks of Microsoft Exchange accounts used by US govt agencies.

The US DHS announced that the Cyber Safety Review Board (CSRB) will review the security measure to protect cloud computing environments following the recent compromise of Microsoft Exchange accounts used by US govt agencies.

“The CSRB will assess the recent Microsoft Exchange Online intrusion, initially reported in July 2023, and conduct a broader review of issues relating to cloud-based identity and authentication infrastructure affecting applicable CSPs and their customers. The Department began considering whether this incident would be an appropriate subject of the Board’s next review immediately upon learning of the incident in July. The Board will develop actionable recommendations that will advance cybersecurity practices for both cloud computing customers and CSPs themselves.” reads the Press Release published by DHS. “Once concluded, the report will be transmitted to President Joseph R. Biden, Jr. through Secretary Mayorkas and Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly.” 

The Cyber Safety Review Board (CSRB) is an independent, non-partisan board established by the Department of Homeland Security (DHS) in accordance with Executive Order 14028 on Improving the Nation’s Cybersecurity. The CSRB’s mission is to review significant cyber events and ecosystem vulnerabilities and make recommendations based on the lessons learned.

The CSRB is composed of 12 members, including 6 government officials and 6 private-sector representatives. The Chair of the CSRB is the Under Secretary for Policy at DHS.

The CSRB has the following authorities:

• To review significant cyber events and ecosystem vulnerabilities.
• To make recommendations to improve the nation’s cybersecurity.
• To hold public hearings and receive public comments.
• To protect sensitive information, consistent with applicable law.

In Mid-June a malicious email activity was reported by an unnamed US Federal Civilian Executive Branch (FCEB) agency. Microsoft experts who investigated the suspicious activity discovered that China-linked threat actors have targeted the agency as part of a cyberespionage campaign targeting two dozen organizations.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) on July 12, 2023 published a joint advisory to warn organizations and allow them to enhance organizational cybersecurity posture and position organizations to detect similar malicious activity via implementing the listed logging recommendations.

“In June 2023, a Federal Civilian Executive Branch (FCEB) agency observed unexpected events in Microsoft 365 (M365) audit logs. After reporting the incident to Microsoft, network defenders deemed the activity malicious.” reads the advisory published by US CISA. 

According to the Washington Post, the Chinese cyberspies breached the U.S. State Department email system. The threat actors also targeted the Commerce Department, a congressional staffer, a U.S. human rights advocate, and U.S. think tanks.

“Chinese cyberspies, exploiting a fundamental gap in Microsoft’s cloud, hacked email accounts at the Commerce and State departments, including that of Commerce Secretary Gina Raimondo — whose agency has imposed stiff export controls on Chinese technologies that Beijing has denounced as a malicious attempt to suppress its companies.” reported the Washington Post. “Raimondo is the only known Cabinet-level official to have their account compromised in the targeted cyberespionage campaign, according to U.S. officials familiar with the matter, who spoke on the condition of anonymity due to the matter’s sensitivity.”

US CISA urges organizations to enable audit logging, enable Purview Audit (Premium) logging, ensure logs are searchable by operators, enable Microsoft 365 Unified Audit Logging (UAL), and understand the organization’s cloud baseline.

Microsoft announced this week it has mitigated an attack conducted by a China-linked threat actor, tracked as Storm-0558, which targeted customer emails. 

Now Secretary of Homeland Security Alejandro N. Mayorkas highlighted the importance to secure cloud computing environments.

“Organizations of all kinds are increasingly reliant on cloud computing to deliver services to the American people, which makes it imperative that we understand the vulnerabilities of that technology,” said Secretary of Homeland Security Alejandro N. Mayorkas. “Cloud security is the backbone of some of our most critical systems, from our e-commerce platforms to our communication tools to our critical infrastructure. In its reviews of the Log4j vulnerabilities and activities associated with Lapsus$, the CSRB has proven itself to be ready to tackle and examine critical and timely issues like this one. Actionable recommendations from the CSRB will help all organizations better secure their data and further cyber resilience.”  

The CSRB has issued two reports to date, one on the activities of the cybercriminal group Lapsus$ and one on the malicious targeting of cloud computing environments.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Exchange)