Microsoft reveals how a crash dump led to a major security breach


Microsoft revealed on Wednesday that a China-based threat actor known as Storm-0558 acquired an inactive consumer signing key, used to forge tokens and access Outlook, by compromising an engineer’s corporate account.
This gave the adversary access to a debugging environment that contained information about a crash of the consumer signing system, from which the key was stolen. The system crash occurred in April 2021.
“A crash of the consumer signing system in April 2021 resulted in a crash dump of the failed process,” the Microsoft Security Response Center (MSRC) said in a post-mortem report.
“Crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump. The presence of the key material in the crash dump was not detected by our systems.”
The Windows maker said the crash dump was later moved to a debugging environment on the internet-connected corporate network, where Storm-0558 is believed to have acquired the key after compromising the engineer’s corporate account.

It is currently unknown whether this is the exact mechanism used by the threat actor, since Microsoft has said it does not have logs offering concrete proof of the exfiltration because of its log retention policies.
Microsoft’s report also alludes to spear phishing and the deployment of token-stealing malware, but it does not explain how the engineer’s account was hacked in the first place, whether other corporate accounts were compromised, or when the company became aware of the compromise.
“The report does not explicitly state when the crash dump was moved to the debug environment or when the engineer’s account was compromised; only that each of these events occurred sometime after April 2021,” said Amitai Cohen, security researcher at Wiz.
“If we assume both occurred as early as possible on the timeline – say in May 2021 – then that would mean the threat actor could have been in possession of the signing key for more than two years before being discovered in June 2023.”

Microsoft noted in July 2023, however, that “this malicious actor has demonstrated interest in OAuth applications, token theft, and token replay on Microsoft accounts since at least August 2021,” suggesting the activity could have been ongoing for almost two years.
That said, the latest development offers insight into a series of cascading security incidents that resulted in the signing key ending up in the hands of a skilled actor with a “high degree of technical know-how and operational security.”
Storm-0558 is the name given by Microsoft to a hacking group linked to the breach of approximately 25 organizations, in which the consumer signing key was used to gain unauthorized access to Outlook Web Access (OWA) and Outlook.com.
The zero-day issue was attributed to a validation error that allowed the consumer key to be trusted for signing Azure AD tokens. Evidence shows the malicious activity began a month before it was detected in June 2023.
This, in turn, was made possible because “the mail system would accept a request for enterprise email using a security token signed with the consumer key.” The “issue” has since been fixed by Microsoft.
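The validation error described above is a key-scope confusion: a verifier that trusts any known signing key, instead of only the keys bound to the issuer the token claims, will accept an enterprise token signed with a consumer key. The following is an added example, not Microsoft’s code; it uses constructed HMAC-signed tokens and made-up key ids, issuers and secrets as a stand-in for real RSA-signed Azure AD and MSA tokens, and contrasts the flawed check with one that binds key lookup to the expected issuer.

```python
import base64, hashlib, hmac, json

def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Constructed key sets (hypothetical): one for consumer accounts, one for enterprise tenants.
CONSUMER_KEYS = {"consumer-key-1": b"consumer-secret-constructed"}
ENTERPRISE_KEYS = {"ent-key-1": b"enterprise-secret-constructed"}
KEYS_BY_ISSUER = {
    "https://consumer.example/": CONSUMER_KEYS,
    "https://enterprise.example/": ENTERPRISE_KEYS,
}

def sign(claims: dict, kid: str, secret: bytes) -> str:
    """Build a compact JWT-style token: header.payload.signature (HS256 stand-in for RS256)."""
    header = b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def _parse(token: str):
    h, b, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(b)), b64url_decode(s), f"{h}.{b}".encode()

def _sig_ok(secret: bytes, signed: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(hmac.new(secret, signed, hashlib.sha256).digest(), sig)

def verify_flawed(token: str) -> bool:
    """Flawed: resolves 'kid' against every key the service knows, ignoring which issuer the token claims."""
    header, _claims, sig, signed = _parse(token)
    secret = {**CONSUMER_KEYS, **ENTERPRISE_KEYS}.get(header["kid"])
    return secret is not None and _sig_ok(secret, signed, sig)

def verify_hardened(token: str, expected_issuer: str) -> bool:
    """Hardened: the 'iss' claim must match, and 'kid' is resolved only within that issuer's key set."""
    header, claims, sig, signed = _parse(token)
    if claims.get("iss") != expected_issuer:
        return False
    secret = KEYS_BY_ISSUER[expected_issuer].get(header["kid"])
    return secret is not None and _sig_ok(secret, signed, sig)

# Constructed scenario: an enterprise-mailbox token signed with the consumer key, beside a legitimate one.
FORGED = sign({"iss": "https://enterprise.example/", "sub": "victim"}, "consumer-key-1", CONSUMER_KEYS["consumer-key-1"])
LEGIT = sign({"iss": "https://enterprise.example/", "sub": "user"}, "ent-key-1", ENTERPRISE_KEYS["ent-key-1"])
```

The flawed verifier accepts FORGED because the consumer kid is in its merged key table; the hardened one rejects it, since that kid does not exist in the enterprise issuer’s key set, while still accepting LEGIT.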
Cloud security company Wiz then revealed in July that the compromised Microsoft consumer signing key could have allowed widespread access to other cloud services.
Microsoft, however, said it found no additional evidence of unauthorized access to applications beyond email inboxes. It also expanded access to security logs following criticism that the functionality was limited to customers with Purview Audit (Premium) licenses, leaving other customers with limited forensic data.
(The story was updated after publication to include additional information from Wiz.)