New research has traced how far the signing key that China-linked hackers used for illegitimate access to email belonging to senior United States government officials could have reached. The findings, disclosed last week by the security firm Wiz, show that the threat group could also have gained access to numerous other Microsoft services.
According to Microsoft's blog, the threat actors, who are linked to the Chinese government, stole a private Microsoft signing key that enabled them to forge authentication tokens and so read Exchange Online (Outlook Web Access) and Outlook.com mailboxes belonging to around 25 organizations, including government agencies.
A deeper analysis by Wiz's head of research found that the compromised key, which the group Microsoft tracks as Storm-0558 used to break in, is also trusted in the authentication process of other Microsoft services.
According to a statement from Shir Tamari, Head of Research at Wiz:
“Our researchers concluded that the compromised MSA (Microsoft Account) key could have allowed the threat actor to forge access tokens for multiple types of Azure Active Directory applications, including every application that supports personal account authentication, such as SharePoint, Teams, OneDrive, customers’ applications that support the ‘login with Microsoft’ functionality, and multi-tenant applications in certain conditions.”
What is an MSA key:
Here, “MSA key” means a Microsoft Account (MSA) signing key: the private key that Microsoft’s consumer identity service uses to sign the authentication tokens it issues for personal Microsoft accounts. It is not a user-facing credential and is unrelated to two-step verification (two-factor authentication) on an account.
When a user signs in, the identity service issues a token carrying claims such as the issuer, the intended audience and the user’s identity, and signs it with this key. Applications verify the signature against the matching public key that Microsoft publishes on its keys endpoint and then trust the claims without contacting Microsoft again. Whoever holds the private key can therefore mint tokens with whatever claims they choose, and those tokens verify exactly like genuine ones: no password, second factor or stolen session is needed to impersonate a victim, and a single stolen key works against every application that trusts it. That is what makes an identity provider’s signing key one of the most sensitive secrets it holds.
Further Research by Wiz:
Wiz says it is continuing the research in conjunction with Microsoft in order to establish the accuracy of its findings.
Another finding helps explain why Microsoft revoked the key and offered detection assistance to organizations: because token validation produces so little logging, customers may be unable to tell whether the tokens used against their applications were forged.
More statements from Tamari:
“Unfortunately, there is a lack of standardized practices when it comes to application-specific logging. Therefore, in most cases, application owners do not have detailed logs containing the raw access token or its signing key. As a result, identifying and investigating such events can prove exceedingly challenging for app owners.”
The type of key stolen by the threat group is considered to be among the most powerful secrets in modern computing, and the weakness it exposes is vast and not limited to Microsoft’s own services. The key is said to have been used across various Microsoft products, including Azure personal accounts and Azure multi-tenant applications, since April 2016, and its public certificate expired on April 4, 2021.
Holding such a key would allow a malicious actor to gain stealthy access (obtaining information discreetly, without attracting attention or detection) to all services: any email inbox, file service or even cloud account, without needing to impersonate a victim’s server.
Wiz stated that the key was replaced at some point between June and July 5, 2023.
Wiz found that, for Azure Active Directory, the key’s reach extended to all applications that work with Microsoft’s OpenID v2.0 and were configured to support “Personal Microsoft accounts only” or a “mixed audience”, as well as Microsoft services such as Skype and Xbox. Multi-tenant Azure AD applications that fetch their signing keys from the v2.0 keys endpoint are also said to be affected in certain conditions.
Key revoked, mitigation left to customers:
Although Microsoft built a mechanism that lets an application limit which signing keys it will accept, it left the responsibility for implementing that mechanism with its customers.
Microsoft has revoked the compromised signing key; however, Wiz has warned that the hackers may already have used their access to plant backdoors that give them persistent access to victims’ accounts and systems.
Wiz also noted that any application relying on locally stored certificates or cached keys may still trust the compromised key, and would therefore remain exploitable even after the revocation.
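The trust failure described in the last few paragraphs, as an added example that is not code from Microsoft or Wiz: a token signed with a stolen consumer signing key verifies perfectly for a verifier that trusts every key on a shared keys endpoint, while a verifier that binds its key set to the issuers it actually trusts rejects the same token; an application that legitimately accepts personal accounts stays exposed whatever its verifier does, and a cached copy of the key set keeps trusting the key after the provider revokes it. It runs on the Python standard library by using textbook RSA in place of RS256; the key ids, issuer URLs, audience and user names are invented for the demonstration.

```python
# Added example (not Microsoft's or Wiz's code): every key id, issuer URL, audience and
# user below is made up, and textbook RSA without padding stands in for the real RS256.
import base64, hashlib, json, secrets

def _is_probable_prime(n, rounds=16):
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin with random witnesses
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, top bit set
        if _is_probable_prime(c):
            return c

def gen_key(bits=512, e=65537):
    """Return ((n, d), (n, e)): the private and public halves of a toy RSA key."""
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, pow(e, -1, phi)), (p * q, e)

def _b64u(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _b64u_dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _digest(s):
    return int.from_bytes(hashlib.sha256(s.encode()).digest(), "big")

def sign_token(priv, kid, claims):
    """Build header.payload.signature, signed with the private key identified by kid."""
    n, d = priv
    head = _b64u(json.dumps({"alg": "toyRS256", "kid": kid}).encode())
    signing_input = head + "." + _b64u(json.dumps(claims).encode())
    sig = pow(_digest(signing_input), d, n).to_bytes((n.bit_length() + 7) // 8, "big")
    return signing_input + "." + _b64u(sig)

def verify_signature(token, jwks):
    """Return (header, claims) if the signature verifies under a key in jwks, else None."""
    h_b64, c_b64, s_b64 = token.split(".")
    header = json.loads(_b64u_dec(h_b64))
    pub = jwks.get(header.get("kid")) if header.get("alg") == "toyRS256" else None
    if pub is None:
        return None
    if pow(int.from_bytes(_b64u_dec(s_b64), "big"), pub[1], pub[0]) != _digest(h_b64 + "." + c_b64):
        return None
    return header, json.loads(_b64u_dec(c_b64))

def naive_verify(token, shared_jwks, audience):
    """The failure mode: trust every key the shared endpoint publishes and check only aud."""
    r = verify_signature(token, shared_jwks)
    return r is not None and r[1].get("aud") == audience

def hardened_verify(token, jwks_by_issuer, audience):
    """Bind the key set to the issuer: the not-yet-verified iss claim only selects which trusted
    issuer's keys may verify the token, so a consumer-signed token claiming corp_iss fails."""
    iss = json.loads(_b64u_dec(token.split(".")[1])).get("iss")
    if iss not in jwks_by_issuer:
        return False
    r = verify_signature(token, jwks_by_issuer[iss])
    return r is not None and r[1].get("aud") == audience

def scenario():
    (corp_priv, corp_pub), (msa_priv, msa_pub) = gen_key(), gen_key()  # attacker holds msa_priv
    corp_iss, msa_iss = "https://login.example/corp/v2.0", "https://login.example/consumers/v2.0"
    aud = "api://mail-app"
    shared_jwks = {"corp-key-1": corp_pub, "msa-key-1": msa_pub}  # one 'common' keys endpoint
    per_issuer = {corp_iss: {"corp-key-1": corp_pub}}             # app trusts its tenant only
    who = {"iss": corp_iss, "aud": aud, "sub": "director@corp.example"}
    forged = sign_token(msa_priv, "msa-key-1", who)   # corporate identity, consumer key
    legit = sign_token(corp_priv, "corp-key-1", who)
    out = {"naive_accepts_forged": naive_verify(forged, shared_jwks, aud),
           "hardened_rejects_forged": not hardened_verify(forged, per_issuer, aud),
           "hardened_accepts_legit": hardened_verify(legit, per_issuer, aud)}
    mixed = {**per_issuer, msa_iss: {"msa-key-1": msa_pub}}  # app that also takes personal accounts
    personal = sign_token(msa_priv, "msa-key-1", {"iss": msa_iss, "aud": aud, "sub": "someone@outlook.example"})
    out["mixed_audience_still_exposed"] = hardened_verify(personal, mixed, aud)
    stale_cache = dict(shared_jwks)   # an app that cached the key set locally
    del shared_jwks["msa-key-1"]      # the provider revokes the key
    out["after_revocation_fresh"] = naive_verify(forged, shared_jwks, aud)
    out["after_revocation_stale_cache"] = naive_verify(forged, stale_cache, aud)
    return out

if __name__ == "__main__":
    print(json.dumps(scenario(), indent=2))
```

Running the file prints the six outcomes. The two verifiers differ in one decision only: where the keys come from. The naive one accepts any key the shared endpoint lists, so the issuer written into a forged token is never checked against anything; the hardened one resolves the claimed issuer to that issuer’s own key set before touching the signature, which is the kind of key-set restriction an application owner, not the identity provider, has to put in place. Logging the key id and issuer of every accepted token (never the token itself) is what makes a later hunt for a revoked key id possible; without such records, as Tamari notes, application owners have little to investigate with.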
The severity of the compromise may be far greater than what Microsoft has published to the general public. Millions of Microsoft and customer applications may have been affected, and the lack of token-level logging will leave many organizations unable to tell whether they were breached during this attack.
While the full impact of the incident is yet to be ascertained, it is very likely larger than what has been reported, and the event will have a long trail of implications for trust in cloud services and the core components that support them.
Please let us know your thoughts in the comment section.