Microsoft claims that it is still unclear how Chinese hackers stole an inactive Microsoft account (MSA) consumer signing key. This key was then used to get access to the Exchange Online and Azure AD accounts of about two dozen organisations, including federal agencies.
Officials from the U.S. government reported the situation right away after discovering unauthorised access to the Exchange Online email services used by many federal agencies.
Around 25 organisations, including the US Departments of Commerce and State, had their email accounts compromised by Storm-0558, a Chinese hacker group.
Storm-0558, the group responsible for the cyberattack, used a vulnerability in the Get Access Token for Resource API to access its targets’ business mail. They exploited this issue by using the stolen Azure AD enterprise signing key. It is unclear whether this approach was used in the recent attacks against Exchange Online.
Microsoft said in a statement:
Our telemetry and investigations indicate that post-compromise activity was limited to email access and exfiltration for targeted users.
Storm-0558 has the ability to generate new access tokens using PowerShell and Python scripts, allowing them to steal emails and attachments. Despite Storm-0558’s campaign, Microsoft was able to stop them without inflicting any harm to other computers. Furthermore, Microsoft acted quickly by approaching all impacted customers to update the security of their systems.
Interestingly, Microsoft still does not know how Chinese hackers obtained an inactive Microsoft account signing key, which they later used to breach Exchange Online and Azure AD accounts.
Microsoft also confirmed that the activities after the intrusion were limited to email access and data extraction. As a result, the hackers were unable to fully manage the hacked accounts; their operations were limited to reading and stealing email data.
Revoking MSA Signing Keys to Avoid Token Forging
Microsoft’s security researchers made a critical discovery, revealing that the threat actor forged Azure AD tokens using an acquired MSA consumer signing key. This exploitation happened because of a validation issue in Microsoft’s code.
On June 27th, Microsoft stopped all valid MSA signing keys to prevent any additional efforts to issue new access tokens. In addition, the freshly produced tokens were safely moved to the key store used by the company’s enterprise systems.
The threat actor’s scripts for executing OWA API requests contain hardcoded sensitive data, such as bearer access tokens and email addresses. Furthermore, the threat actor can refresh the access token for future OWA commands.
Storm-0558 used specialised infrastructure equipped with SoftEther proxy software to most cases, making identification and attribution difficult. During their response attempts, Microsoft Threat Intelligence successfully analysed and characterised this proxy infrastructure, finding ties with the group’s intrusion strategies.
On July 3rd, all impacted clients were prevented from using the stolen private signing key. The token replay infrastructure, which allowed hackers to generate new access tokens, went offline on July 4th. These steps were taken to prevent future unauthorised access and data exfiltration.
Microsoft has not identified any malicious behaviour from Storm-0558 since withdrawing the signing keys. However, evidence shows that the hackers have turned to other approaches, aggressively exploring new ways to attack systems.
Microsoft mentioned that the RomCom Russian cybercrime gang used an unpatched Office vulnerability in recent phishing attacks against NATO summit delegates in Vilnius, Lithuania.
Help your colleagues spot these phishing emails by starting your Phishing Tackle security awareness training today with our two-week free trial.
