Detecting Storm-0558 using Corelight evidence

August 1, 2023 by Chris Brown

While there have been many intrusions, compromises, breaches, and incidents that have made news in the IT and InfoSec industries throughout 2022 and into this year, when events or threats like Storm-0558 gain coverage by mainstream media, we often get questions about Corelight’s ability to detect threats through our sensors, products & platform.

Based on current and ongoing developments with “Storm-0558,” we wanted to highlight various Corelight data that would be prime hunting grounds or Cyber Adversarial Pursuit resources for SOC Teams and Incident Responders that our customers can leverage to detect & analyze activity relating to “Storm-0558”. The techniques to identify these indicators could include using Zeek via script detections, Suricata via IDS signatures, rules created for SmartPCAP, or through threat hunting tasks and missions with Corelight logs integrated across various SIEM Platforms and threat investigation platforms.

What is “Storm-0558”?

In a nutshell, it's a cyber threat orchestrated by a China-based actor. This actor uses forged authentication tokens to target various organizations, predominantly focusing on the US and European governmental, military, and federal email accounts. The attack vectors primarily involve Exchange servers, OWA, and cloud-based email systems like Office 365, impacting authentication resources, such as Active Directory and Azure Directory services.

Two of the best resources to reference for a deeper dive into Storm-0558 - are these write-ups by Microsoft:

https://msrc.microsoft.com/blog/2023/07/microsoft-mitigates-china-based-threat-actor-storm-0558-targeting-of-customer-email/

https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/

Why are we blogging about this threat actor?

While cyber espionage and targeting of email systems using forged tokens for authentication (or other methods of going after various applications & systems authentication resources) is nothing new, this threat actor's tooling & indicators of compromise have multiple types of indicators that are specifically NDR/Network related.

This threat actor utilizes a specific VPN known as the SoftEther VPN. Fortunately, our Encrypted Traffic Collection’s VPN Inferences package can detect and log this. Additionally, the IP addresses used by the threat actor would appear across various Zeek and Suricata-related logs. Therefore, it's crucial to act now - create Zeek-scripted detections and write custom Suricata IDS signatures that you can deploy on your Corelight Sensor platforms.

Which logs would contain Storm-0558 Indicators?

The conn.log will contain IPs Microsoft has observed in use during the campaign (see the “Indicators of compromise” section), which goes back to March and April of this year but has been observed at various victim organizations as recently as June, July, and August of 2023. Those IPs and other IOCs from Microsoft can also be dropped into the Intel framework for immediate alerting.

The http.log will contain hostnames that have been related to the threat actor’s traffic from victim organizations as well as a specific set of user-agent strings that are known to be associated with the SoftEther VPN.

The http.log and files.log will have two specific SHA-1 hashes that are associated with authentication pages that contain a URI of /#/login.

The x509.log and ssl.log will contain a specific certificate expiration date that has been observed as December 31, 2037.

Since Microsoft started blocking and replacing keys used to prevent this threat actor from leveraging forged tokens in June/July 2023, why is NDR detection capability needed?

Due to the amount of detectable noise and indicators this threat actor generates in network traffic, it’s relatively easy for Corelight sensors to generate events in Zeek’s notice.log and generate Suricata alerts when signature conditions are created from well-documented indicators of compromise.

It’s more about detection of a targeted threat actor that’s present in your network (regardless of whether their exploits and vulnerabilities have been mitigated by Microsoft) and may decide to use more recent or non-documented exploits & tactics that every organization should be on the lookout for.

How can I learn more?

In Corelight Customer Success Training, we often refer to seminal incidents, compromises, intrusions, and breaches that most of our customers have either heard of or may have first-hand experience in detecting, defending, and protecting against the same or similar threat actors. Periodically we update our courseware to include specific filters, queries, and recommendations for detecting these threats in our Use Case for Incident Response & Use Case for Threat Hunting modules (included with our 3-day training).

If you want more information, Corelight Training has 3-day courses and a 1 day course for writing Scripts & leveraging Corelight’s Event Management & Log Management framework. We also have a 1-day SmartPCAP course covering the skills necessary to translate cyber threats and intel reports into NDR indicators of compromise & operations or attacks into Rules that will trigger Smart Packet Captures.

You can work with your Corelight Sales Team to inquire about those courses, or if you’d like to register for our free On Demand Foundational 4-hour recorded course, please talk to your Corelight Rep.