Microsoft has reported that Chinese hackers, known as Storm-0558, successfully stole a crucial signing key used to breach government email accounts. This breach occurred after compromising a Microsoft engineer’s corporate account.
Furthermore, the attackers utilized the stolen key to breach Exchange Online and Azure Active Directory (AD) accounts in approximately two dozen organizations, including U.S. government agencies such as the State and Commerce Departments. The breach exploited a zero-day validation issue, allowing the attackers to forge signed access tokens and impersonate accounts within these targeted organizations.
Additionally, the origins of this breach date back to April 2021 when a consumer signing system crash inadvertently led to the inclusion of the MSA key in a Windows crash dump.
This dump was later transferred from Microsoft’s isolated production network to its internet-connected corporate debugging environment. The attackers discovered the key after compromising a Microsoft engineer’s corporate account, which had access to the debugging environment containing the key erroneously included in the crash dump.
Despite Microsoft’s efforts to rectify the situation, security researcher Shir Tamari noted that the stolen signing key provided Storm-0558 with widespread access to Microsoft cloud services.
This allowed them to impersonate accounts within affected customer organizations and cloud-based Microsoft applications, including popular ones like Outlook, SharePoint, OneDrive, and Teams.
Microsoft has since revoked all valid MSA signing keys and enhanced its cybersecurity measures. Additionally, they agreed to provide free access to cloud logging data to aid in detecting similar breach attempts in the future.
