Wiz security researchers have revealed that Chinese hackers, known as Storm-0558, successfully stole Microsoft’s consumer signing key.
With this key, the hackers gained access to breached accounts on Exchange Online and Outlook.com, as previously acknowledged by the company.
The cloud-based email service, Exchange Online, has gained widespread adoption among small, medium, and large businesses. Offering enhanced security, reliability, and scalability, it has become a preferred choice for many organizations.
Microsoft: Stolen key
In essence, Microsoft initially stated that only Outlook.com and Exchange Online were affected by the token forging technique. However, Wiz Research uncovered that the compromised signing key was more powerful than initially believed and wasn’t limited to just those two services.
According to their security researchers, the compromised MSA key could have allowed the threat actor to forge access tokens for various types of Azure Active Directory applications.
After revoking the stolen signing key, Microsoft did not recover from any other unauthorized access to its customers’ accounts using the same technique.
Microsoft reports that it has noticed a change in Storm-0558’s tactics, and this suggests that the malicious agents they no longer have access to any signing keys.
The company has recently made an announcement stating that they are yet to determine how Chinese hackers were able to steal the signature key used by Microsoft consumers.
However, in response to pressure from CISA, they have now agreed to provide free extended access to cloud log data. This decision aims to assist defenders in recognizing and thwarting similar breach attempts in the future.
How to Detect the Compromised Key in Your Environment?
- Monitor key activity and access regularly.
- Utilize robust key management solutions with logging capabilities.
- Analyze log data for unusual patterns or anomalies.
- Implement IDS and IPS to identify suspicious activities.
- Monitor user and system behavior related to key access.
- Conduct regular security audits to identify vulnerabilities.
- Stay updated with threat intelligence to be aware of potential attacks.
- Use multi-factor authentication for key access.
- Engage in red teaming or penetration testing to identify weaknesses.
- Have an incident response plan to respond quickly to suspected compromises.