Microsoft says it still doesn't know how Chinese hackers stole an inactive Microsoft account (MSA) consumer signing key used to breach the Exchange Online and Azure AD accounts of two dozen organizations, including government agencies.
"The method by which the actor acquired the key is a matter of ongoing investigation," Microsoft admitted in a new advisory published today.
The incident was reported by U.S. government officials after the discovery of unauthorized access to several government agencies' Exchange Online email services.
Microsoft started investigating the attacks on June 16th and found that a Chinese cyber-espionage group it tracks as Storm-0558 breached the email accounts of roughly 25 organizations (reportedly including the U.S. State and Commerce Departments).
The threat actors used the stolen Azure AD enterprise signing key to forge new auth tokens by exploiting a GetAccessTokenForResource API flaw, providing them access to the targets' enterprise mail.
Storm-0558 can use PowerShell and Python scripts to generate new access tokens via REST API calls against the OWA Exchange Store service to steal emails and attachments. However, Redmond didn't confirm whether they used this approach in last month's Exchange Online data theft attacks.
"Our telemetry and investigations indicate that post-compromise activity was limited to email access and exfiltration for targeted users," Microsoft added today.
The company blocked the use of the stolen private signing key for all impacted customers on July 3rd and says the attackers' token replay infrastructure was shut down one day later.
MSA signing keys revoked to block Azure AD token forging
On June 27th, Microsoft also revoked all valid MSA signing keys to block all attempts to generate new access tokens and moved the newly generated ones to the key store that it uses for its enterprise systems.
"No key-related actor activity has been observed since Microsoft invalidated the actor-acquired MSA signing key," Microsoft said.
However, while Redmond has no longer detected any key-related Storm-0558 malicious activity after revoking all active MSA signing keys and mitigating the API flaw enabling, today's advisory says the attackers have now switched to other techniques.
"No key-related actor activity has been observed since Microsoft invalidated the actor-acquired MSA signing key. Further, we have seen Storm-0558 transition to other techniques, which indicates that the actor is not able to utilize or access any signing keys," Microsoft said.
On Tuesday, Microsoft also disclosed that the RomCom Russian cybercrime group exploited an Office zero-day that is yet to be patched in recent phishing attacks against organizations attending the NATO Summit in Vilnius, Lithuania.
The RomCom operators used malicious documents impersonating the Ukrainian World Congress to push and deploy malware payloads such as the MagicSpell loader and the RomCom backdoor.
Comments
rabidR04CH - 10 months ago
Yet more reason not to use Outlook as an e-mail and cloud storage provider.
AutomaticJack - 10 months ago
"Yet more reason not to use Outlook as an e-mail and cloud storage provider."
You know this could happen to any cloud right? - just depends how hard someone wants to hit it. Nothing is 100%.
SeeAroundCorners - 10 months ago
Since 2020 the Exchange and Azure attacks may point to MSFT insiders. In late 2020 in an article on this site Crowdstrike inferred the same. On July 4 Reuters announced that the Biden admin via the US Dept of Commerce is set to restrict US cloud service providers sales to China. Microsoft used to have different office software for APAC. I think a different code base for each country makes much more sense. Then they can restrict users to specific code base. But more importantly if they do that then they can restrict internal engineering and support to citizens of each specific country too. Not only the US would benefit from that, but much of the entire world has data residency laws which infer this requirement. There are already export controls on certain types of software, but we’ve seen those laws constantly fail. I don’t think export controls will work without Microsoft’s staffing being restricted to country of origin and scrutinized by governments as well. This also applies to other cloud service providers, but it needs to apply to all SaaS and PaaS to be meaningful.
Remember Paige Thompson, the AWS Capitol One hacker? Former AWS employee who knew how to back door the WAF. So did Deepanshu Kher, former Microsoft employee according to the DOJ. And the Deepanshu Kher case proved that foreign nationals who break US law can evade prosecution (not extraditable) unless the DOJ can trick them to returning back to the US. Most bad actors are smart enough not to.
When you open a door, you cannot control who goes through it.
SeeAroundCorners - 10 months ago
LinkedIn connector needs to be banned in the US outright. It was surely involved in this too. The US Gov already bans it in Fed Gov but I’ve seen it everywhere - and it’s on Federal employees personal devices. It defaults to enabled.
MSFT needs to be banned from hoovering data. It is a conflict of interest for them to be involved in data brokerage in any manner. Cloud providers - SaaS and PaaS should be disallowed from compiling, sharing or selling data. This is what creates all of the breaches. Devalue the sale of data and we solve hacking. Government is creating the commoditization of data by purchasing it. They are driving hacking and nefarious data sales.