The alleged theft of a Microsoft security key could have enabled spies linked to Beijing to breach more than just Outlook and Exchange Online email accounts.
In a revelation that deserves more attention than it has had, a private cryptographic key belonging to Microsoft, one used to digitally sign access tokens for its online services, was somehow obtained by an outside party. The spies used this key to forge tokens that granted access to Microsoft customer email systems, and because the signature checked out, the tokens appeared to have been legitimately issued by Microsoft.
With these tokens in hand, the suspected China-based intruders gained access to the Microsoft cloud email accounts of US government officials, including that of Commerce Secretary Gina Raimondo. A federal government agency detected the intrusion and raised the alarm.
How this powerful private signing key was obtained remains unexplained by Microsoft: as far as we know, the company has either not yet worked it out or has not made its findings public. Microsoft has revoked the key. It tracks the spies as Storm-0558.
According to cloud security firm Wiz, the private key could have granted access to far more than people's Outlook and Exchange Online accounts. Microsoft disputes this.
The exposure, Wiz says, extends to customer-owned applications that offer "login with Microsoft" and to multi-tenant applications configured to use the "common" v2.0 keys endpoint rather than the "organizations" one. Applications using the OpenID v1.0 endpoint were not affected.
While Microsoft has invalidated the compromised signing key and published a list of indicators of compromise for anyone wondering whether Storm-0558 also targeted them, Wiz contends it may be hard for Microsoft customers to tell whether forged tokens were used to extract data from their applications. Tamari attributes this to a lack of logs covering token verification.
In a twist, Redmond agreed, under pressure from the US government, to give all customers free access to cloud security logs, a service normally reserved for premium customers, though only from September.
Microsoft disclosed the attack on July 11. The Azure giant said then, and in a July 14 update, that the spies used forged authentication tokens to break into the email accounts of government agencies for espionage.
The Wall Street Journal reported on Thursday that Chinese spies also accessed the inboxes of the US ambassador to China, Nicholas Burns, and Daniel Kritenbrink, the assistant secretary of state for East Asia.
How the spies obtained the private signing key in the first place remains a puzzle. According to the Wiz security team, the China-based group appears to have acquired one of several keys used to verify Azure Active Directory (AAD) access tokens, which let it sign, as Microsoft, any OpenID v2.0 access token for personal accounts and for both multi-tenant and personal-account AAD applications.
Although Microsoft has decommissioned the compromised key, so it can no longer be used to forge tokens and reach AAD applications, attackers may have used that access during earlier sessions to install backdoors or otherwise establish persistence.
“A prominent example of this is how, before Microsoft’s intervention, Storm-0558 issued valid Exchange Online access tokens by forging access tokens for Outlook Web Access (OWA),” wrote Tamari.
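The "common" versus "organizations" distinction above, and Wiz's description of one stolen key signing tokens for several kinds of application, both come down to how a relying party validates a token: it reads the kid from the JWT header, picks that key out of the key set it trusts, and checks the signature. If the trusted set is the merged one and nothing ties the chosen key to the issuer the token names, a token signed with a stolen consumer-account key passes for any tenant. The Go program below is an added example written for this page, not Microsoft's or Wiz's code. It simulates the situation with two locally generated keys, hypothetical issuer URLs, key IDs and subject, and EdDSA signatures rather than RS256 (the issuer-binding logic is the same). demoScenario forges an enterprise-tenant token with the consumer key and shows it accepted by a signature-only check against the merged set, rejected by an organizations-only set (unknown kid), and rejected once the verifier requires the signing key to be registered for the claimed issuer.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Hypothetical issuers (enterprise tenant, consumer identity service); not Microsoft's real values.
const (
	tenantIssuer   = "https://login.example-tenant.test/v2.0"
	consumerIssuer = "https://login.example-consumers.test/v2.0"
)

// signingKey is one entry of a simulated JWKS; issuer is the one issuer it
// legitimately signs for. A keySet maps kid to key.
type signingKey struct {
	kid    string
	priv   ed25519.PrivateKey
	issuer string
}
type keySet map[string]signingKey

func newKey(kid, issuer string) signingKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // demo key material; nothing sensible to do without it
	}
	return signingKey{kid, priv, issuer}
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func b64json(s string, v any) error {
	raw, err := base64.RawURLEncoding.DecodeString(s)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// signJWT builds an EdDSA JWT over claims, signed with key and carrying its kid.
func signJWT(key signingKey, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "kid": key.kid})
	body, _ := json.Marshal(claims)
	input := b64url(hdr) + "." + b64url(body)
	return input + "." + b64url(ed25519.Sign(key.priv, []byte(input)))
}

// verify selects the key by kid and checks the signature. With wantIss empty it stops there,
// trusting any key in the set (the weak pattern); otherwise it pins the issuer and refuses a
// key that is not registered as a signing key for that issuer.
func verify(token string, keys keySet, wantIss string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	if len(parts) != 3 || b64json(parts[0], &hdr) != nil {
		return nil, errors.New("malformed token")
	}
	key, ok := keys[hdr.Kid]
	if hdr.Alg != "EdDSA" || !ok {
		return nil, errors.New("unsupported alg or unknown kid " + hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(key.priv.Public().(ed25519.PublicKey), []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("signature invalid")
	}
	var claims map[string]any
	if b64json(parts[1], &claims) != nil {
		return nil, errors.New("bad payload")
	}
	iss, _ := claims["iss"].(string)
	if wantIss != "" && (iss != wantIss || key.issuer != iss) {
		return nil, fmt.Errorf("rejected: iss=%s kid=%s (key issuer %s, expected %s)", iss, key.kid, key.issuer, wantIss)
	}
	return claims, nil
}

// demoScenario forges an enterprise-tenant token with the stolen consumer key and reports whether it
// passes a lax check against a merged ("common") set, a lax check against an organizations-only set,
// and the issuer-bound check; and whether a genuine enterprise token passes the issuer-bound check.
func demoScenario() (forgedLaxCommon, forgedLaxOrgOnly, forgedStrict, legitStrict bool) {
	orgKey := newKey("org-key-1", tenantIssuer)
	stolenKey := newKey("consumer-key-7", consumerIssuer) // the key the attacker holds
	common := keySet{orgKey.kid: orgKey, stolenKey.kid: stolenKey}
	orgOnly := keySet{orgKey.kid: orgKey}
	claims := map[string]any{"iss": tenantIssuer, "aud": "api://example-app", "sub": "victim@example-tenant.test", "scp": "Mail.Read"}
	forged := signJWT(stolenKey, claims) // attacker-made: enterprise claims under the consumer key
	legit := signJWT(orgKey, claims)     // what the real tenant would issue
	_, e1 := verify(forged, common, "")
	_, e2 := verify(forged, orgOnly, "")
	_, e3 := verify(forged, common, tenantIssuer)
	_, e4 := verify(legit, common, tenantIssuer)
	return e1 == nil, e2 == nil, e3 == nil, e4 == nil
}

func main() { fmt.Println(demoScenario()) } // expected: true false false true
```

The issuer-bound check is the one an application owner can add on their side regardless of which keys endpoint they fetch from, and the error message it produces (claimed issuer, kid, the issuer the key is registered for) is exactly the kind of token-verification record whose absence Wiz complains about: without it, a forged token that was accepted leaves nothing behind to find.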