Microsoft Is Still Unsure Of How Hackers Stole Azure AD Signing Keys

By Salman Ahmad

(CTN News) – As of today, Microsoft does not know how Chinese hackers stole an inactive Microsoft account (MSA) consumer signing key that was used to breach the Exchange Online and Azure AD accounts of more than two dozen organizations, including government departments.

According to Microsoft’s new advisory, “the method by which the actor acquired the key is still under investigation.”

U.S. government officials reported the incident after discovering unauthorized access to the Exchange Online email services of several government agencies.

On June 16th, it was discovered that a Chinese cyber-espionage group called Storm-0558 had breached the email accounts of approximately 25 organizations, including the United States Department of Commerce and the United States Department of State.

To gain access to the targets’ enterprise mail, the threat actors used the stolen MSA consumer signing key together with a token-validation flaw in the GetAccessTokenForResource API: tokens signed with the consumer key were accepted as valid for enterprise Azure AD resources, which let the actor forge tokens for enterprise accounts.

Storm-0558 can then obtain access tokens and issue REST API calls against the OWA Exchange Store service, using PowerShell and Python scripts, to steal emails and attachments. However, Redmond has not confirmed whether this approach was used in last month’s attacks against Exchange Online.
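The flaw described above comes down to which signing keys a resource is willing to trust for which issuer. The following added example (not Microsoft’s code, and not taken from the advisory) shows the two validation patterns side by side: a weak validator that accepts any token whose signature verifies under any key in its trusted set, and a strict one that requires the token’s issuer to be the one the resource expects and the signing key to be the key bound to that issuer. The issuer URLs, key identifiers and key bytes are constructed for the example, and HMAC-SHA256 stands in for the RSA signatures real MSA and Azure AD keys use, so the block runs on the Python standard library alone.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key store for the example. Each signing key is bound to the one
# issuer whose tokens it may sign. Real MSA / Azure AD keys are RSA keys
# published through JWKS endpoints; HMAC-SHA256 stands in here so the example
# runs on the standard library. Issuer URLs, kids and key bytes are made up.
CONSUMER_ISSUER = "https://login.live.com"
ENTERPRISE_ISSUER = "https://login.microsoftonline.com/contoso-tenant-id/v2.0"
MAIL_AUDIENCE = "https://outlook.office.com"

KEYS = {
    "msa-consumer-kid": {"issuer": CONSUMER_ISSUER, "secret": b"constructed-consumer-key-bytes"},
    "aad-enterprise-kid": {"issuer": ENTERPRISE_ISSUER, "secret": b"constructed-enterprise-key-bytes"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Mint a compact JWT under the key named by kid. The legitimate issuer does
    this; so does an attacker who has obtained that key's material."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _verify_signature(token: str):
    """Return (header, claims) if the signature verifies under the trusted key
    named by the token's kid, else None. Both validators below start here."""
    try:
        h, c, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(c))
        key = KEYS[header["kid"]]
        sig = _b64url_decode(s)
    except (ValueError, KeyError, TypeError):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key["secret"], f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return header, claims


def validate_weak(token: str, audience: str, now=None) -> bool:
    """Flawed pattern: a valid signature under ANY trusted key is enough, so a
    token signed with the consumer key is accepted even when it claims an
    enterprise issuer. Audience and expiry are still checked."""
    parsed = _verify_signature(token)
    if parsed is None:
        return False
    _, claims = parsed
    now = time.time() if now is None else now
    return claims.get("aud") == audience and claims.get("exp", 0) > now


def validate_strict(token: str, audience: str, expected_issuer: str, now=None) -> bool:
    """Hardened pattern: the token's iss must be the issuer this resource trusts,
    and the signing key must be the one bound to that issuer. A consumer key can
    then no longer vouch for enterprise identities."""
    parsed = _verify_signature(token)
    if parsed is None:
        return False
    header, claims = parsed
    if claims.get("iss") != expected_issuer:
        return False  # token is from an identity provider this resource does not trust
    if KEYS[header["kid"]]["issuer"] != claims["iss"]:
        return False  # key is not the one bound to the issuer the token claims
    now = time.time() if now is None else now
    return claims.get("aud") == audience and claims.get("exp", 0) > now


def demo(now=None) -> dict:
    """A legitimate enterprise token beside one forged with the consumer key."""
    now = time.time() if now is None else now
    claims = {"iss": ENTERPRISE_ISSUER, "aud": MAIL_AUDIENCE,
              "sub": "alice@contoso.example", "exp": int(now) + 3600}
    legit = sign_token("aad-enterprise-kid", claims)
    forged = sign_token("msa-consumer-kid", claims)  # attacker holds only the consumer key
    return {
        "legit_weak": validate_weak(legit, MAIL_AUDIENCE, now),
        "legit_strict": validate_strict(legit, MAIL_AUDIENCE, ENTERPRISE_ISSUER, now),
        "forged_weak": validate_weak(forged, MAIL_AUDIENCE, now),
        "forged_strict": validate_strict(forged, MAIL_AUDIENCE, ENTERPRISE_ISSUER, now),
    }


if __name__ == "__main__":
    print(demo())  # forged_weak is True: the consumer key passes the weak check
```

The point of the strict validator is that signature validity alone says nothing about who may vouch for an identity: a key is only as trustworthy as the issuer it is bound to, so the key-to-issuer binding has to be checked on every token, not just the signature and the audience.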

In a statement released today, Microsoft confirmed that the post-compromise activities were limited to email access and data exfiltration.

Microsoft blocked the use of tokens signed with the stolen signing key for all impacted customers on July 3rd, and shut down the actor’s token replay infrastructure one day later.

The MSA signing keys have been revoked in order to prevent the forging of Azure AD tokens

Microsoft also announced on June 27th that it had revoked all previously valid MSA signing keys and moved the newly generated keys to the key store it uses for its enterprise systems, in order to prevent any further attempts to forge tokens.

Redmond has not detected any key-related Storm-0558 activity since revoking the active MSA signing keys and fixing the API flaw, and today’s advisory notes that the attackers have switched to other methods.

According to Microsoft, “no key-related actor activity has been observed since Microsoft invalidated the actor’s MSA signing key. Additionally, Storm-0558 has transitioned to other techniques, which indicates that the actor cannot utilize or access any signing keys.”

Separately, Microsoft reports that the Russian RomCom cybercrime group exploited a still-unpatched zero-day vulnerability in Office in recent phishing attacks against attendees of the NATO summit in Vilnius, Lithuania.

RomCom operators used malicious documents impersonating the Ukrainian World Congress to deploy malware payloads such as the MagicSpell loader and the RomCom backdoor.
