Wiz security researchers found that the Chinese hackers, Storm-0558, gained access beyond the compromised Exchange Online and Outlook.com accounts by stealing Microsoft's private encryption key. Redmond confirmed the breach on July 12th, stating that approximately two dozen organizations had their Exchange Online and Azure Active Directory accounts compromised. The attackers exploited a since-patched zero-day validation issue in the GetAccessTokenForResource API to forge signed access tokens and impersonate accounts within the targeted organizations. Among those affected were U.S. and Western European government agencies, including the U.S. State and Commerce Departments.
According to Shir Tamari, a Wiz security researcher, the consequences of the breach extended to all Azure AD applications that use Microsoft's OpenID v2.0. This was possible because the stolen encryption key had the capability to sign any OpenID v2.0 access token, granting unauthorized access to personal accounts like Xbox and Skype, as well as multi-tenant AAD apps.
While Microsoft claimed that only Exchange Online and Outlook were affected, Wiz researchers stated that the threat actors had the ability to exploit the compromised Azure AD private key to impersonate any account within any impacted customer or cloud-based Microsoft application.
According to Shir Tamari, this encompassed managed Microsoft applications like Outlook, SharePoint, OneDrive, and Teams, along with customers' applications supporting Microsoft Account authentication, including those utilizing the 'Login with Microsoft' functionality.
Ami Luttwak, Wiz's CTO and Cofounder, further emphasized that Azure Active Directory auth tokens are integral to accessing everything in the Microsoft ecosystem. With control over an AAD signing key, an attacker gains tremendous power, being able to access nearly any app as any user, representing the ultimate cyber intelligence 'shape shifter' superpower.
To address the security breach, Microsoft took immediate action by revoking all valid MSA signing keys, preventing threat actors from accessing other compromised keys. This step also foiled any efforts to create new access tokens. Additionally, Redmond relocated the newly generated access tokens to the key store, ensuring better protection for the company's enterprise systems.
After invalidating the stolen enterprise signing key, Microsoft conducted thorough investigations and found no indications of further unauthorized access to customers' accounts using the same technique of forging authentication tokens.
Moreover, Microsoft noticed a change in Storm-0558's tactics, indicating that the threat actors no longer possessed any signing keys.
Furthermore, last Friday, the company disclosed that it was still unaware of how the Chinese hackers managed to steal the Azure AD signing key. However, under pressure from CISA, it agreed to provide expanded access to cloud logging data free of charge to aid defenders in detecting similar breach attempts in the future.
Previously, these logging capabilities were only available to Microsoft customers who had paid for the Purview Audit (Premium) logging license. This led to significant criticism, as it hindered organizations from promptly identifying Storm-0558 attacks.
Shir Tamari concluded that at this point, it is challenging to determine the full scope of the incident, given that millions of applications were potentially vulnerable, including both Microsoft apps and customer apps, and the majority lacked sufficient logs to assess if they were compromised or not.