Microsoft revealed on Wednesday that Storm-0558, a China-based threat actor, obtained an inactive consumer signing key by compromising an engineer's corporate account, and used that key to forge tokens and gain unauthorized access to Outlook. The adversary reached a debugging environment that held information about a crash of the consumer signing system, which occurred in April 2021, and stole the key from there.

According to the Microsoft Security Response Center (MSRC), the crash of the consumer signing system resulted in a snapshot of the crashed process, known as a “crash dump.” Normally, these crash dumps should not include the signing key, as they are supposed to redact sensitive information. However, in this case, a race condition allowed the key to be present in the crash dump, and this presence went undetected by Microsoft’s systems.

The crash dump was later moved to a debugging environment on the corporate network, which was connected to the internet. Microsoft suspects that Storm-0558 acquired the key from this environment after compromising the engineer's corporate account, but it has no concrete proof of the exfiltration because of its log retention policies.
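The two failures described above are that the redaction step missed the key and that nothing downstream noticed before the dump left production. As an added illustration (not Microsoft's code, and not tied to any real key), the following Python gate scans a dump for PEM private-key blocks and, separately, for the raw bytes of keys the signing service is known to hold, and refuses release while either is present. The dump contents, key names and key bytes are constructed sample values; the kid label `consumer-key-2016` is a placeholder.

```python
import re

# PEM private-key blocks of any label (RSA, EC, PKCS#8 "PRIVATE KEY", ...).
# The backreference requires the END label to match the BEGIN label.
PEM_PRIVATE_KEY = re.compile(
    rb"-----BEGIN ([A-Z ]*PRIVATE KEY)-----.*?-----END \1-----", re.DOTALL
)
REDACTION_MARKER = b"[REDACTED PRIVATE KEY]"


def find_pem_private_keys(dump: bytes) -> list[tuple[int, str]]:
    """Return (byte offset, key label) for every PEM private key in the dump."""
    return [(m.start(), m.group(1).decode("ascii"))
            for m in PEM_PRIVATE_KEY.finditer(dump)]


def find_known_key_material(dump: bytes, known_keys: dict[str, bytes]) -> list[tuple[int, str]]:
    """Search for the raw bytes of keys the signing service is known to hold.

    A key that escaped redaction may sit in memory as DER or raw bytes rather
    than PEM, so pattern matching alone is not enough; the service owner knows
    its own key material and can look for it directly.
    """
    hits = []
    for kid, material in known_keys.items():
        offset = dump.find(material)
        while offset != -1:
            hits.append((offset, kid))
            offset = dump.find(material, offset + 1)
    return hits


def redact_pem_private_keys(dump: bytes) -> tuple[bytes, int]:
    """Replace every PEM private key block with a marker; return (dump, count)."""
    return PEM_PRIVATE_KEY.subn(REDACTION_MARKER, dump)


def release_check(dump: bytes, known_keys: dict[str, bytes]) -> tuple[bool, list[str]]:
    """Gate a dump must pass before it leaves the production boundary.

    Returns (allowed, findings). Any finding blocks release: the dump has to be
    redacted or regenerated and checked again, never waved through.
    """
    findings = [f"PEM private key '{label}' at offset {off}"
                for off, label in find_pem_private_keys(dump)]
    findings += [f"known key material for kid={kid} at offset {off}"
                 for off, kid in find_known_key_material(dump, known_keys)]
    return (not findings), findings


# Constructed sample values (not real keys): a fake PEM body, a fake raw key,
# and a fake crash dump that contains both.
FAKE_PEM_BODY = b"MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu"
FAKE_RAW_KEY = bytes(range(0xA0, 0xC0))
SAMPLE_DUMP = (
    b"crash: consumer-signing-svc pid=4172 signal=SIGSEGV\n"
    b"heap: " + FAKE_RAW_KEY + b"\n"
    b"-----BEGIN RSA PRIVATE KEY-----\n" + FAKE_PEM_BODY +
    b"\n-----END RSA PRIVATE KEY-----\n"
    b"stack: sign_token+0x1c\n"
)
KNOWN_KEYS = {"consumer-key-2016": FAKE_RAW_KEY}  # placeholder kid

if __name__ == "__main__":
    allowed, findings = release_check(SAMPLE_DUMP, KNOWN_KEYS)
    print("release allowed:", allowed)
    for f in findings:
        print("  -", f)
```

Running the gate on the sample dump blocks release with two findings. Redacting the PEM block removes one of them, but the raw key bytes still trip the known-material search, which is the check a pattern-based redactor on its own would have missed.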

While the report mentions spear-phishing and the deployment of token-stealing malware, it does not provide details about how the engineer’s account was initially breached, whether other corporate accounts were compromised, or when Microsoft became aware of the breach.

This incident highlights a series of security mishaps that led to the signing key falling into the hands of a skilled threat actor with advanced technical capabilities and operational security measures. Storm-0558 has been associated with the breach of approximately 25 organizations using the consumer signing key, gaining unauthorized access to Outlook Web Access (OWA) and Outlook.com.

The zero-day issue was attributed to a validation error that allowed the consumer key to be trusted for signing Azure AD tokens. The malicious activity began a month before it was detected in June 2023.
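The validation error is easiest to see beside the check that would have caught it. The following Python is an added example and not Microsoft's token code: it uses a minimal JWT-style token and HMAC secrets as a stand-in for the service's asymmetric keys, with constructed key identifiers and issuer URLs. Each key in the store records the issuers it is allowed to sign for, and the hardened verifier rejects a token whose signature is valid but whose issuer is outside the signing key's scope, which the signature-only verifier accepts.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed key store. HMAC secrets stand in for real signing keys; the
# important field is "issuers": the set of issuers each key may sign for.
KEYS = {
    "consumer-2016": {
        "secret": b"constructed-consumer-secret",
        "issuers": {"https://login.live.com"},
    },
    "enterprise-2023": {
        "secret": b"constructed-enterprise-secret",
        "issuers": {"https://login.microsoftonline.com/contoso"},
    },
}


def sign_token(kid: str, claims: dict) -> str:
    """Produce header.payload.signature using the named key."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(claims).encode())}"
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def _split(token: str):
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s), f"{h}.{p}"


def verify_signature_only(token: str, expected_aud: str, now: int) -> tuple[bool, str]:
    """Flawed verifier: any key in the store with a valid signature is trusted,
    regardless of which issuer that key is meant to serve."""
    header, claims, sig, signing_input = _split(token)
    key = KEYS.get(header.get("kid"))
    if key is None:
        return False, "unknown kid"
    expected = hmac.new(key["secret"], signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    if claims.get("aud") != expected_aud:
        return False, "wrong audience"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    return True, "ok"


def verify_with_key_scope(token: str, expected_aud: str, now: int) -> tuple[bool, str]:
    """Hardened verifier: additionally requires the token's issuer to be one
    the signing key is authorised for."""
    ok, reason = verify_signature_only(token, expected_aud, now)
    if not ok:
        return ok, reason
    header, claims, _, _ = _split(token)
    if claims.get("iss") not in KEYS[header["kid"]]["issuers"]:
        return False, "key not authorised for issuer"
    return True, "ok"


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock for a reproducible run
    enterprise_iss = "https://login.microsoftonline.com/contoso"
    claims = {"iss": enterprise_iss, "aud": "outlook", "sub": "alice", "exp": now + 600}
    mis_scoped = sign_token("consumer-2016", claims)
    print("signature-only:", verify_signature_only(mis_scoped, "outlook", now))
    print("key-scoped:    ", verify_with_key_scope(mis_scoped, "outlook", now))
```

The token signed with the consumer key but carrying an enterprise issuer passes the signature-only verifier and is rejected by the key-scoped one; tokens signed by the right key for their issuer pass both. The binding between key and issuer is what turns a leaked key for one service into a problem for that service only, rather than for every audience that trusts the same verifier.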

The compromised Microsoft consumer signing key could have potentially enabled widespread access to other cloud services, as revealed by cloud security firm Wiz in July. However, Microsoft stated that it found no evidence of unauthorized access to applications outside of email inboxes. In response to criticism, Microsoft has expanded access to security logging, making it available to more customers beyond those with Purview Audit (Premium) licenses. This change aims to provide better forensic data to aid in investigations.
