Technology

Chinese Hackers Stole Microsoft Signing Key to Breach Government Email Accounts

By Gabriel Botha

Sep 6, 2023
A China-based threat actor tracked by Microsoft as Storm-0558 recently stole a Microsoft consumer (MSA) signing key and used it to breach the email accounts of government organizations, including the U.S. State and Commerce Departments. The attackers exploited a validation issue, unknown to Microsoft at the time, in the GetAccessTokenForResource API: tokens signed with the consumer key were accepted for enterprise (Azure AD) accounts, which let the actor forge signed access tokens and impersonate users within the targeted organizations.

During the investigation, Microsoft discovered that the signing key had been leaked into a crash dump after a consumer signing system crashed in April 2021. A race condition caused the key to be added to the crash dump, which was later moved to the company’s internet-connected corporate debugging environment. The threat actors gained access to the key by compromising a Microsoft engineer’s corporate account, which had access to the debugging environment.

Microsoft's credential scanning did not detect the key's presence in the crash dump, and because logs from that period were no longer available under its retention policies, the company could not confirm the exfiltration directly; it describes theft of the crash dump as the most probable way the key was acquired. The incident exposed a gap in Microsoft's log retention, which the company says it has since corrected.

Initially, Microsoft stated that only Exchange Online and Outlook were affected. Wiz researchers later showed that the compromised signing key could sign tokens accepted by a much wider range of Microsoft cloud services, including managed Microsoft applications such as Outlook, SharePoint, OneDrive and Teams, as well as customer applications that use Microsoft Account authentication.
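The two failures described above (a consumer key accepted for enterprise tokens, and one key trusted across many services) come down to how a token validator resolves the key named in the token's header. The following is an added illustration, not Microsoft's code and not a description of its internal implementation: a schematic JWT validator with constructed HMAC keys and issuer URLs, showing a lookup that merges all known keys into one table (vulnerable) beside one that resolves the key ID only within the expected issuer's key set and checks issuer and audience (hardened). The kid values, secrets, issuer and audience strings are all hypothetical.

```python
import base64
import hashlib
import hmac
import json

# Constructed key material: each issuer owns its own keys, identified by "kid".
# HMAC secrets stand in for the RSA keys a real token service would use.
CONSUMER_ISS = "https://login.live.example"            # consumer (MSA-style) accounts
ENTERPRISE_ISS = "https://sts.windows.example/contoso"  # one enterprise tenant
CONSUMER_KEYS = {"msa-2021-04": b"consumer-signing-secret"}
ENTERPRISE_KEYS = {"aad-2023-07": b"enterprise-signing-secret"}
KEYS_BY_ISSUER = {CONSUMER_ISS: CONSUMER_KEYS, ENTERPRISE_ISS: ENTERPRISE_KEYS}

# The mistake: one flat table, so a kid from any issuer satisfies any validator.
ALL_KEYS = {**CONSUMER_KEYS, **ENTERPRISE_KEYS}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(kid: str, key: bytes, claims: dict) -> str:
    """Mint a compact HS256 JWT. An attacker holding a stolen key runs exactly this."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def _split(token: str):
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s), h + "." + p


def validate_vulnerable(token: str, expected_aud: str) -> bool:
    """Resolves kid against the merged table: a consumer key can vouch for an enterprise token."""
    header, claims, sig, signing_input = _split(token)
    key = ALL_KEYS.get(header.get("kid"))
    if key is None:
        return False
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected) and claims.get("aud") == expected_aud


def validate_hardened(token: str, expected_iss: str, expected_aud: str) -> bool:
    """Resolves kid only inside the expected issuer's key set, and pins alg, iss and aud,
    so a key scoped to consumer accounts cannot sign a token for an enterprise tenant."""
    header, claims, sig, signing_input = _split(token)
    if header.get("alg") != "HS256":  # refuse algorithm confusion, including "none"
        return False
    if claims.get("iss") != expected_iss or claims.get("aud") != expected_aud:
        return False
    key = KEYS_BY_ISSUER.get(expected_iss, {}).get(header.get("kid"))
    if key is None:  # kid is unknown, or belongs to a different issuer
        return False
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)


def forge_enterprise_token() -> str:
    """Attacker with only the consumer key claims the enterprise issuer in the payload."""
    claims = {"iss": ENTERPRISE_ISS, "aud": "outlook-web", "upn": "victim@contoso.example"}
    return sign_token("msa-2021-04", CONSUMER_KEYS["msa-2021-04"], claims)


def legitimate_enterprise_token() -> str:
    claims = {"iss": ENTERPRISE_ISS, "aud": "outlook-web", "upn": "victim@contoso.example"}
    return sign_token("aad-2023-07", ENTERPRISE_KEYS["aad-2023-07"], claims)


if __name__ == "__main__":
    forged = forge_enterprise_token()
    print("vulnerable validator accepts forged token:", validate_vulnerable(forged, "outlook-web"))
    print("hardened validator accepts forged token:  ", validate_hardened(forged, ENTERPRISE_ISS, "outlook-web"))
```

The hardened path also covers the second finding: because each relying service passes its own expected audience, a token minted for one service is not accepted by another even when the signing key is legitimate.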

In response to the breach, Microsoft revoked all valid MSA signing keys to prevent further unauthorized access, and moved recently generated keys for the consumer signing service into the key store used by its enterprise systems. Microsoft also agreed to make more cloud logging data available to customers at no additional cost, helping network defenders detect similar attacks in the future.

The incident shows how much rides on a few controls: keeping signing keys out of debug artifacts such as crash dumps, enforcing the scope of a key at token validation time, and retaining logs long enough to reconstruct an intrusion. It also serves as a reminder to organizations to regularly review their security controls and address any gaps promptly.

Sources:
– Microsoft
– Wiz security researcher Shir Tamari
– BleepingComputer

