Hackers stole Microsoft’s signing key from a Windows crash dump
Microsoft has released a report detailing multiple bugs that led to the Chinese cyberespionage group Storm-0558 hacking US Government email. A crash dump in 2021 accidentally exposed a signing key that the group later used in the attack, Security Week reports.
As Bleeping Computer points out, attackers used the stolen MSA key to compromise the Exchange Online and Azure Active Directory (AD) accounts of approximately two dozen organizations, including government agencies in the United States, such as the Department of State and the Department of Commerce.
They exploited a since-patched zero-day validation issue in the GetAccessTokenForResource API that allowed them to forge signed access tokens and impersonate accounts at targeted organizations.
During its investigation of the Storm-0558 attack, Microsoft discovered that the MSA key had leaked into a crash dump produced when the consumer signing system failed in April 2021.
Even though crash dumps are not supposed to include signing keys, a race condition caused the key to be written into this one. The dump was later moved from the company’s isolated production network to an Internet-connected corporate debugging environment.
The attackers found the key after compromising the corporate account of a Microsoft engineer who had access to that debugging environment, which still held the April 2021 crash dump with the key mistakenly included in it.
Although Microsoft said the impact was limited to Exchange Online and Outlook, the compromised Microsoft consumer signing key gave Storm-0558 broad access to Microsoft cloud services, including Outlook, SharePoint, OneDrive and Teams.
Bleeping Computer’s story noted that the stolen key could only be used against apps that accepted personal accounts and had the validation flaw the Chinese hackers exploited.
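As an added illustration (not Microsoft’s code, and a deliberate simplification: HMAC stands in for the real asymmetric signing keys, and the issuer URLs, key ids and secrets are constructed), here is a toy token verifier showing the class of validation flaw described above, one that trusts any published signing key no matter which issuer it belongs to, beside a hardened verifier that binds the key to the token’s issuer and the issuer to the app’s trust list.

```python
import base64, hashlib, hmac, json

# Constructed toy key sets, mapping each signing key to the issuer it serves.
# Real MSA / Azure AD keys are asymmetric; HMAC stands in here so the example
# runs offline without extra libraries.
CONSUMER_KEYS = {"msa-key-1": b"consumer-secret-CONSTRUCTED"}
ENTERPRISE_KEYS = {"aad-key-1": b"enterprise-secret-CONSTRUCTED"}
KEYSET_FOR_ISSUER = {
    "https://login.live.com": CONSUMER_KEYS,                       # personal accounts
    "https://login.microsoftonline.com/contoso": ENTERPRISE_KEYS,  # org tenant (constructed)
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def sign_token(kid: str, key: bytes, claims: dict) -> str:
    """Mint a compact JWS-style token: header.payload.signature."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    return signing_input + "." + _b64(_mac(key, signing_input))

def _parse(token: str):
    h, p, s = token.split(".")
    return json.loads(_unb64(h)), json.loads(_unb64(p)), _unb64(s), h + "." + p

def verify_vulnerable(token: str, expected_aud: str) -> bool:
    """Flawed check: looks the kid up across ALL published key sets, so a token
    signed with a consumer key is trusted even when it claims an enterprise issuer."""
    header, claims, sig, signing_input = _parse(token)
    key = {**CONSUMER_KEYS, **ENTERPRISE_KEYS}.get(header.get("kid"))
    if key is None or claims.get("aud") != expected_aud:
        return False
    return hmac.compare_digest(_mac(key, signing_input), sig)

def verify_hardened(token: str, expected_aud: str, trusted_issuers: set) -> bool:
    """Bind key to issuer: the token's iss must be trusted by this app, and only
    keys published for that issuer may validate its signature."""
    header, claims, sig, signing_input = _parse(token)
    iss = claims.get("iss")
    if iss not in trusted_issuers or claims.get("aud") != expected_aud:
        return False
    key = KEYSET_FOR_ISSUER.get(iss, {}).get(header.get("kid"))
    return key is not None and hmac.compare_digest(_mac(key, signing_input), sig)
```

A token minted with the consumer key but carrying the enterprise issuer passes `verify_vulnerable` and fails `verify_hardened`; a detection rule for this incident class is the same mismatch, a token whose `kid` is not in the key set published for its `iss`.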
In response to the breach, Microsoft revoked all valid MSA signing keys to prevent the attackers from using any other compromised keys. This step also effectively blocked any further attempts to forge new access tokens.
In addition, Microsoft moved the newly generated access tokens to the keystore used by its enterprise systems.
After revoking the stolen signing key, Microsoft found no further evidence of unauthorized access to customer accounts using the same token forgery technique.
Under pressure from CISA, Microsoft also agreed to provide free access to cloud log data to help network defenders detect similar hacking attempts in the future.
ProIT previously reported that LogicMonitor customers were affected by hackers due to weak default passwords.
We also wrote about the fact that Russian hackers attacked the Ukrainian military with the help of a new malicious program for Android.