A stolen Microsoft key gave attackers broad access to Microsoft cloud services.
Security researchers at Wiz say the Chinese threat group Storm-0558 had access to far more than the Exchange Online and Outlook.com accounts that Redmond disclosed as compromised, and that this access came from the Microsoft consumer signing key the group stole.
On July 12, Redmond said that the Exchange Online and Azure Active Directory (AD) accounts of roughly two dozen organisations had been breached by exploiting a since-patched zero-day validation flaw in the GetAccessTokenForResource API. The flaw allowed the attackers to forge signed access tokens and impersonate accounts within the targeted organisations.
Government organisations in the U.S. and Western Europe, such as the U.S. State and Commerce Departments, were among the affected groups.
On Friday, Wiz security researcher Shir Tamari said that all Azure AD applications using Microsoft’s OpenID v2.0 were affected, because the stolen key could sign any OpenID v2.0 access token for personal accounts (such as Xbox and Skype) and for multi-tenant AAD applications.
After this story was published, Microsoft said that only applications that accepted personal accounts and contained the validation error were affected.
Microsoft said that only Exchange Online and Outlook were affected. Still, Wiz says the threat actors could use the stolen Microsoft consumer signing key to impersonate any account in any affected customer or cloud-based Microsoft service.
“This includes managed Microsoft applications like Outlook, SharePoint, OneDrive, and Teams, as well as customers’ applications that support Microsoft Account login, such as those that let you ‘Login with Microsoft,’” said Tamari.
Wiz CTO and Cofounder Ami Luttwak also told BleepingComputer, “Everything in the Microsoft world uses Azure Active Directory auth tokens for access.”
“An attacker with an AAD signing key is the most potent attacker you can think of because they can access almost any app as any user. This is the most powerful way that computer intelligence can change its form.”
In response to the breach, Microsoft revoked all valid MSA signing keys to ensure the threat actors could not use any other compromised keys.
This step also blocked the generation of new access tokens with those keys. Redmond additionally moved newly generated access tokens to the key store used by the company’s enterprise systems.
After invalidating the stolen signing key, Microsoft found no further evidence that the same token-forging technique had been used to gain unauthorised access to its customers’ accounts.
Microsoft also said it saw a change in how Storm-0558 worked, which showed that the threat actors no longer had access to any signing keys.
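The two defensive points in the paragraphs above, that a multi-tenant app accepting personal accounts must bind a token's signing key to the issuer it claims rather than to a merged pool of trusted keys, and that revoking a key must immediately stop it from validating tokens, can be shown with a small token validator. The following is an added illustration written for this article, not Microsoft's code and not a reconstruction of the GetAccessTokenForResource flaw; the issuer URLs, key ids, HMAC keys and token contents are all constructed here, and HMAC is used in place of the asymmetric keys a real OpenID provider would publish.

```python
# Added illustration (not Microsoft's code): a minimal JWT-style validator for a
# multi-tenant app that accepts both personal (consumer) and work (enterprise)
# accounts. validate_weak() shows the class of validation error described in the
# article; validate_hardened() binds the key to the claimed issuer and honours
# key revocation. All issuers, keys and tokens below are constructed for the demo.
import base64
import hashlib
import hmac
import json
import time

# Constructed issuers, each with its own key set (kid -> HMAC key).
KEY_SETS = {
    "https://consumer.example/v2.0": {"kid-consumer-1": b"consumer-secret-key"},
    "https://enterprise.example/tenant-a/v2.0": {"kid-enterprise-1": b"enterprise-secret-key"},
}
REVOKED_KIDS = set()  # key ids withdrawn after a compromise


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(key: bytes, kid: str, claims: dict) -> str:
    """Sign claims with a given key; used here only to build test inputs."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = f"{_b64(json.dumps(header).encode())}.{_b64(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64(sig)}"


def _split(token: str):
    h, p, s = token.split(".")
    return json.loads(_unb64(h)), json.loads(_unb64(p)), _unb64(s), f"{h}.{p}"


def _sig_ok(key: bytes, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def validate_weak(token: str, expected_aud: str) -> bool:
    """Flawed check: looks the kid up in a pool merged from every trusted issuer,
    so a token signed with a consumer key passes for an enterprise audience."""
    header, claims, sig, signing_input = _split(token)
    merged = {kid: key for ks in KEY_SETS.values() for kid, key in ks.items()}
    key = merged.get(header.get("kid"))
    if key is None or not _sig_ok(key, signing_input, sig):
        return False
    return claims.get("aud") == expected_aud and claims.get("exp", 0) > time.time()


def validate_hardened(token: str, expected_aud: str, allowed_issuers: set) -> bool:
    """Require an allowed issuer, take the key only from that issuer's own key set,
    reject revoked kids, then check audience and expiry."""
    header, claims, sig, signing_input = _split(token)
    issuer, kid = claims.get("iss"), header.get("kid")
    if issuer not in allowed_issuers or kid in REVOKED_KIDS:
        return False
    key = KEY_SETS.get(issuer, {}).get(kid)
    if key is None or not _sig_ok(key, signing_input, sig):
        return False
    return claims.get("aud") == expected_aud and claims.get("exp", 0) > time.time()


def demo() -> dict:
    """Compare both validators on a legitimate enterprise token, on a token that
    claims the enterprise issuer but carries the consumer key's signature, and on
    a consumer-issued token after its key is revoked."""
    ent_iss = "https://enterprise.example/tenant-a/v2.0"
    con_iss = "https://consumer.example/v2.0"
    aud, exp = "api://tenant-a-app", time.time() + 300
    legit = mint_token(KEY_SETS[ent_iss]["kid-enterprise-1"], "kid-enterprise-1",
                       {"iss": ent_iss, "aud": aud, "sub": "alice", "exp": exp})
    cross = mint_token(KEY_SETS[con_iss]["kid-consumer-1"], "kid-consumer-1",
                       {"iss": ent_iss, "aud": aud, "sub": "admin", "exp": exp})
    results = {
        "legit_weak": validate_weak(legit, aud),
        "legit_hardened": validate_hardened(legit, aud, {ent_iss}),
        "cross_weak": validate_weak(cross, aud),            # accepted: the bug
        "cross_hardened": validate_hardened(cross, aud, {ent_iss}),  # rejected
    }
    REVOKED_KIDS.add("kid-consumer-1")  # model the key revocation step
    con_tok = mint_token(KEY_SETS[con_iss]["kid-consumer-1"], "kid-consumer-1",
                         {"iss": con_iss, "aud": aud, "sub": "bob", "exp": exp})
    results["consumer_after_revocation"] = validate_hardened(con_tok, aud, {con_iss, ent_iss})
    return results


if __name__ == "__main__":
    print(demo())
```

The hardened path accepts the legitimate token and rejects both the cross-issuer token and any token signed with a revoked key id, while the weak path accepts the cross-issuer token because it never asks which issuer a key belongs to. An app that legitimately accepts personal accounts would list both issuers in `allowed_issuers`, which is exactly why the per-issuer key lookup, not the issuer allow-list alone, is the check that matters.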
Finally, the company said last Friday that it still does not know how the Chinese hackers obtained the Microsoft consumer signing key. Under pressure from CISA, however, it agreed to give defenders free access to more cloud logging data to help them spot similar intrusion attempts in the future.
Until then, these logging capabilities were available only to Microsoft customers who had purchased a Purview Audit (Premium) logging licence, which drew considerable criticism of Microsoft for making it hard for organisations to detect Storm-0558 activity quickly.
“At this point, it’s hard to know the full scope of the incident because there were millions of potentially vulnerable applications, both Microsoft apps and customer apps, and most of them don’t have enough logs to know if they were hacked or not,” Tamari said in his conclusion.