Microsoft reported that the Storm-0558 group of hackers, originating from China, obtained a signing key from a Windows crash dump after infiltrating a Microsoft engineer’s corporate account.
The attackers used the stolen MSA key to breach Exchange Online and Azure Active Directory (AD) accounts belonging to roughly two dozen organizations, among them U.S. government departments such as the State and Commerce Departments.
The hackers exploited a since-patched zero-day validation flaw in the GetAccessTokenForResource API. This flaw allowed them to forge signed access tokens and impersonate accounts within the affected organizations.
During Microsoft’s deep dive into the Storm-0558 intrusion, it was discovered that the MSA key found its way into a crash dump when a consumer signing system malfunctioned in April 2021. A series of unintended events led to the key’s inclusion in the crash dump, even though it should have been excluded. This specific dump was subsequently transferred from Microsoft’s protected production network to a more vulnerable, internet-linked corporate debugging ecosystem.
The malicious actors located the key following a successful breach of a Microsoft engineer’s corporate account. This account held the privilege to access the debugging environment where the key had been mistakenly included in the April 2021 crash dump.
Microsoft said in its statement that, although definitive logs were unavailable because of retention policies, this was the most plausible way the hackers obtained the key. It also admitted that its credential monitoring tools initially failed to detect the key's presence in the crash dump, an oversight it says has since been corrected.
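The kind of check the article says was missing, a scan of a crash dump for private key material before the dump leaves the production network, as an added example written for this post and not Microsoft's own tooling; the key bytes, the PEM block, the dump contents and the fingerprint registry are all constructed and the key is not a real one.

```python
import base64
import hashlib
import re
from dataclasses import dataclass

# Matches PEM-armoured private keys (RSA, EC, PKCS#8, encrypted PKCS#8) anywhere in a byte blob.
PEM_PRIVATE_KEY = re.compile(
    rb"-----BEGIN ([A-Z ]*PRIVATE KEY)-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END \1-----", re.S
)

@dataclass
class Finding:
    kind: str               # PEM label, e.g. "RSA PRIVATE KEY"
    offset: int             # byte offset of the block inside the dump
    fingerprint: str        # SHA-256 of the decoded DER bytes, hex
    known_production: bool  # fingerprint matches a registered production signing key

def scan_dump(blob: bytes, production_fingerprints: set[str]) -> list[Finding]:
    """Return every PEM private key found in a crash dump, flagging known production keys."""
    findings = []
    for m in PEM_PRIVATE_KEY.finditer(blob):
        body = b"".join(m.group(2).split())
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:      # binascii.Error is a ValueError: not a decodable key body
            continue
        fp = hashlib.sha256(der).hexdigest()
        findings.append(Finding(m.group(1).decode(), m.start(), fp, fp in production_fingerprints))
    return findings

def safe_to_export(blob: bytes, production_fingerprints: set[str]) -> bool:
    """A dump may leave the production network only if it carries no private key at all."""
    return not scan_dump(blob, production_fingerprints)

# --- constructed sample data (placeholder bytes, not a real key) ---
FAKE_KEY_DER = b"constructed-signing-key-bytes-not-a-real-key"
FAKE_KEY_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\n" + base64.encodebytes(FAKE_KEY_DER)
                + b"-----END RSA PRIVATE KEY-----\n")
# Registry of fingerprints for keys that must never leave production (one constructed entry).
PRODUCTION_KEYS = {hashlib.sha256(FAKE_KEY_DER).hexdigest()}
# A pretend crash dump: heap noise with the key material embedded in it.
SAMPLE_DUMP = b"\x00" * 64 + b"heap data " + FAKE_KEY_PEM + b"\xff" * 32

if __name__ == "__main__":
    for f in scan_dump(SAMPLE_DUMP, PRODUCTION_KEYS):
        print(f"{f.kind} at offset {f.offset}, production key: {f.known_production}")
    print("export allowed:", safe_to_export(SAMPLE_DUMP, PRODUCTION_KEYS))
```

Matching on fingerprints rather than raw key bytes lets the registry be shared with the debugging environment without itself becoming a copy of the secrets.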
Contrary to Microsoft’s initial claim in July, which stated only specific services were affected, Wiz security expert Shir Tamari clarified that the breached Microsoft consumer signing key granted Storm-0558 vast reach across Microsoft cloud platforms.
Tamari emphasized that the key could be used to impersonate any account in any affected client or cloud-based Microsoft application, not only flagship Microsoft apps but also client applications that use Microsoft Account authentication.
Underscoring the severity, Wiz CTO Ami Luttwak described what an attacker holding an AAD signing key could accomplish as the pinnacle of cyber capabilities.
Further information by Tamari revealed that the certificate of the aforementioned key was valid from April 5th, 2016, to April 4th, 2021.
Microsoft later clarified that the compromised key could only be used against applications that accepted personal accounts and contained the validation flaw the hackers exploited.
As a protective measure, Microsoft revoked all valid MSA signing keys. This not only blocked access to other vulnerable keys but also stopped any further attempts to create new tokens. Microsoft also moved the recently crafted tokens to a secure key store used by its enterprise systems.
After revoking the compromised key, Microsoft observed no further unauthorized account access using the same token-forging method.
Moreover, under the guidance of CISA, Microsoft has extended free access to cloud logging information. This move aims to bolster network defenses against similar future breaches. Previously, such advanced logging tools were exclusive to premium subscribers, leading to criticism for potentially hindering the prompt detection of Storm-0558’s actions.