When Chinese hacker group Storm-0558 obtained a number of key Microsoft keys, they had gained access to Exchange Online and Outlook accounts, according to Microsoft. However, security firm Wiz notes that the hackers were able to enter many more services using the stolen authentication method.
The Chinese hackers managed to exploit a zero-day vulnerability in the GetAccessTokenForResourceAPI, which allowed one to look into the emails of American and Western European politicians, among others.
It didn’t stop there, according to Wiz. All Azure Active Directory applications running on OpenID 2.0 were exposed to the exploitation. According to Wiz researcher Shir Tamari, this included OneDrive, Teams and all applications that supported authentication via a Microsoft Account, such as Skype and Xbox.
Powerful secrets
“Identity provider’s signing keys are probably the most powerful secrets in the modern world. For example, they are much more powerful than TLS keys. Even if an attacker got access to the google.com TLS key, they would still need to somehow impersonate a google.com server to gain significant impact. With identity provider keys, one can gain immediate single hop access to everything, any email box, file service or cloud account,” states Tamari. The same goes for equivalents within the Google ecosystem, at Meta or any other provider, according to Wiz.
But how?
Wiz used the Internet archive Wayback Machine to look back in time, which revealed that one of seven public keys was available online. These keys are what Microsoft uses to authenticate accounts. Microsoft replaced this key sometime between June 27 and July 5 of this year, when the tech giant had caught on to the actions of the Chinese hackers.
However, in addition to this public key, Storm-0558 also managed to obtain an MSA private key that Azure Active Directory is secured with. Because Microsoft did not know this key was stolen, the hackers were able to use the Azure identity platform to generate access tokens. Exactly how they gained access to this remains unclear for now.
Since then, Microsoft has revoked all current MSA signing keys and generated new ones. In addition, the Redmond-based company has since seen Storm-0558 behaving differently, which indicates the end of the free access the group had.
Greater visibility into logging
Another problem, at least as troubling, was that detection capabilities for customers were significantly limited by Microsoft. This was because only Purview Audit Premium customers could see enough cloud logging data to detect such an incident. After all, compromising an account is much more problematic if one is also unaware of it.
Meanwhile, pressure from CISA has ensured that Microsoft now offers logging capabilities for free. It is a significant improvement not only because it further protects organisations, and the number of reports to Microsoft will be much higher. In addition, the additional access to these logs will allow organizations to set up services that sift through this data for suspicious behaviour, which will make the response rate even higher.
The big question remains how exactly the hackers were able to access the key. For now, it is also difficult to estimate exactly how big the damage is to organizations, Tamari knows.
Read also: MOVEit attack hits 200+ organisations, but its impact is often unclear