- Chinese hackers known as Storm-0558 stole a Microsoft signing key.
- They used the stolen key to break into a Government account through a Windows crash dump.
- The hackers found the key by compromising a company engineer’s corporate account.
In April, Chinese hackers tracked as Storm-0558 stole a Microsoft signing key and used it to break into government accounts. The key had ended up in a Windows crash dump, which the attackers reached after compromising a Microsoft engineer’s corporate account.
With this key, the hackers broke into the Azure Active Directory and Exchange Online environments of several government organizations in the United States. They also exploited a zero-day validation issue in the GetAccessTokenForResource API, which allowed them to mint signed access tokens and impersonate accounts in the targeted organizations.
Microsoft said that it found that the MSA key was leaked into a crash dump as the consumer signing system crashed earlier this year.
The crash dump should never have contained the MSA key, but a race condition caused the key to be written into it. The dump was then moved from Microsoft’s isolated production network to the company’s internet-connected corporate debugging environment.
As mentioned above, the hackers obtained the MSA key by compromising a Microsoft engineer’s corporate account, which had access to the debugging environment that held the crash dump containing the key.
Microsoft further stated that, because of its log retention policies, it has no logs with specific evidence of the exfiltration, although this is the most probable route by which the threat actor obtained the key. The company also said its credential scanning no longer detects the key’s presence, indicating the issue has been remediated.
When the company disclosed the incident in July, it said only Outlook and Exchange Online were impacted. However, security researcher Shir Tamari said the compromised Microsoft consumer signing key gave the hackers far broader access to Microsoft’s cloud services.
According to the researcher, the key could be used to impersonate any account within any affected customer application or cloud-based Microsoft application, including managed apps such as SharePoint, Outlook, and Teams, apps that offer “Login with Microsoft”, and apps that support Microsoft authentication.
Ami Luttwak, co-founder of Wiz, noted that everything in the Microsoft ecosystem relies on Azure Active Directory authentication tokens for access. The old public key certificate shows that it was issued in April 2015 and expired in April 2021.
Microsoft further added that the compromised signing key could only be used against applications that accepted personal accounts and that had the validation error exploited by Storm-0558.
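The validation error described above, where a token signed with a consumer (MSA) key was accepted by enterprise applications, is modelled here as an added example; this is not code from the article or from Microsoft. The HMAC secrets, key ids and issuer URLs are constructed assumptions (the real system uses RSA key pairs), and the point is the key-set scoping, not the algorithm.

```python
import base64, hashlib, hmac, json, time

# Constructed illustration: separate key sets for consumer (MSA) and enterprise tokens.
CONSUMER_KEYS = {"msa-key-1": b"consumer-secret-CONSTRUCTED"}
ENTERPRISE_KEYS = {"aad-key-1": b"enterprise-secret-CONSTRUCTED"}
ISSUER_KEYS = {"https://login.live.com": CONSUMER_KEYS,
               "https://login.microsoftonline.com/contoso": ENTERPRISE_KEYS}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign(kid: str, key: bytes, claims: dict) -> str:
    """Build a compact JWS (HS256 stands in for RS256 so this runs with the stdlib)."""
    header = b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def _parse(token: str):
    h, b, s = token.split(".")
    return (json.loads(b64url_decode(h)), json.loads(b64url_decode(b)),
            b64url_decode(s), f"{h}.{b}".encode())

def _sig_ok(key: bytes, signing_input: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(hmac.new(key, signing_input, hashlib.sha256).digest(), sig)

def verify_flawed(token: str, audience: str) -> bool:
    """Flawed: looks the kid up across ALL trusted keys, so a valid signature from a
    consumer key is accepted even when the claims name an enterprise issuer."""
    header, claims, sig, signing_input = _parse(token)
    key = {**CONSUMER_KEYS, **ENTERPRISE_KEYS}.get(header.get("kid"))
    return key is not None and _sig_ok(key, signing_input, sig) and claims.get("aud") == audience

def verify_hardened(token: str, audience: str, expected_issuer: str) -> bool:
    """Hardened: the key lookup is scoped to the issuer the app expects, so a kid from
    another issuer's key set is rejected before the signature is even considered."""
    header, claims, sig, signing_input = _parse(token)
    if claims.get("iss") != expected_issuer:
        return False
    key = ISSUER_KEYS[expected_issuer].get(header.get("kid"))
    if key is None or not _sig_ok(key, signing_input, sig):
        return False
    return claims.get("aud") == audience and claims.get("exp", 0) > time.time()
```

A token minted with the consumer key but claiming the enterprise issuer passes `verify_flawed` and fails `verify_hardened`; a token minted with the enterprise key passes both.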
In response to the breach, the company revoked all valid MSA signing keys to prevent the attackers from using any of the compromised keys.
This blocks any further attempts to forge new access tokens. In addition, the company moved the recently generated access tokens to the key store used by its enterprise systems.
Since revoking the stolen keys, Microsoft has found no further evidence of unauthorized access to customer accounts using the same token-forging technique.
Moreover, under pressure from CISA, the company also agreed to expand free access to cloud logging data to help defenders detect the same kind of intrusion attempts going forward.