Microsoft says Storm-0558 Chinese hackers stole a signing key used to breach government email accounts from a Windows crash dump after compromising a Microsoft engineer’s corporate account.
The attackers used the stolen MSA key to breach the Exchange Online and Azure Active Directory (AD) accounts of roughly two dozen organizations, including government agencies in the United States, such as the U.S. State and Commerce Departments.
They exploited a now-patched zero-day validation issue in the GetAccessTokenForResourceAPI, which enabled them to forge signed access tokens and impersonate accounts within the targeted orgs.
Windows crash dump diving
While investigating Storm-0558’s attack, Microsoft found that the MSA key was leaked into a crash dump after a consumer signing system crashed in April 2021.
Even though the crash dump shouldn’t have included signing keys, a race condition led to the key being added. This crash dump was later moved from the company’s isolated production network to its internet-connected corporate debugging environment.
The threat actors found the key after successfully compromising a Microsoft engineer’s corporate account, which had access to the debugging environment containing the key erroneously included in the April 2021 crash dump.
“Due to log retention policies, we don’t have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key,” Microsoft revealed today.
“Our credential scanning methods did not detect its presence (this issue has been corrected).”
Widespread access to Microsoft cloud services
While Microsoft said when it disclosed the incident in July that only Exchange Online and Outlook were impacted, Wiz security researcher Shir Tamari later said that the compromised Microsoft consumer signing key provided Storm-0558 widespread access to Microsoft cloud services.
As Tamari said, the key could be used to impersonate any account within any impacted customer or cloud-based Microsoft application.
“This includes managed Microsoft applications, such as Outlook, SharePoint, OneDrive, and Teams, as well as customers’ applications that support Microsoft Account authentication, including those who allow the ‘Login with Microsoft’ functionality,” Tamari said.
“Everything in the world of Microsoft leverages Azure Active Directory auth tokens for access,” Wiz CTO and Cofounder Ami Luttwak also told BleepingComputer.
“An attacker with an AAD signing key is the most powerful attacker you can imagine, because they can access almost any app – as any user. This is the ultimate cyber intelligence’ shape shifter’ superpower.”
Redmond later told BleepingComputer that the compromised key could only be used to target apps that accepted personal accounts and had the validation error exploited by the Chinese hackers.
In response to the security breach, Microsoft revoked all valid MSA signing keys to prevent threat actors from accessing other compromised keys. This step also effectively blocked any additional efforts to generate new access tokens. Additionally, Microsoft relocated the recently generated access tokens to the key store used by its enterprise systems.
After revoking the stolen signing key, Microsoft found no additional evidence of unauthorized access to customer accounts employing the same auth token forging technique.
Pressured by CISA, Microsoft also agreed to expand access to cloud logging data for free to help network defenders detect similar breach attempts in the future.
Before this, such logging capabilities were only available to customers with Purview Audit (Premium) logging licenses. As a result, Redmond faced substantial criticism for impeding organizations from promptly detecting Storm-0558’s attacks.