In July 2023, Hackread.com reported, based on Microsoft’s findings, that Chinese hackers from the Storm-0558 APT group had broken into European government email accounts. They did so with forged authentication tokens, signed with a Microsoft account (MSA) consumer signing key they had acquired. Microsoft has now revealed how that key was obtained and why the forged tokens were accepted.
- Chinese hackers stole a consumer signing key that had leaked into a Microsoft crash dump.
- The key was used to forge tokens for Outlook.com and Outlook Web Access.
- The hackers gained access to email accounts of around 25 US organizations, including government agencies.
- Microsoft has fixed the bugs that allowed the breach to happen.
- Users should still be vigilant and take steps to protect their accounts.
On Wednesday, Microsoft published an incident post-mortem explaining how the Chinese threat actor Storm-0558 obtained the MSA consumer signing key, used it to forge tokens for Outlook.com and Outlook Web Access that enterprise systems accepted, and broke into the accounts of US organizations.
In that breach, the Chinese espionage group gained access to email accounts at around 25 US organizations, including government agencies, by exploiting a token validation flaw in Microsoft’s cloud platform. The Washington Post reported that US State Department officials and Commerce Secretary Raimondo’s email accounts were breached in the incident.
Microsoft admitted that the key leaked when a consumer signing system crashed in April 2021. The crash produced a crash dump (a snapshot of the failed process’s memory, written out for later debugging), and the signing key was inside it.
“The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump,” the report read.
Microsoft explained that a software flaw meant the key was not redacted from the dump, and acknowledged that the key should never have been in the dump in the first place.
Microsoft noted that the systems holding signing keys are kept in an isolated production environment with no access to internet-facing services such as email, conferencing, or web research tools.
However, the crash dump punched a hole in that isolation: as part of the company’s standard debugging process, the unredacted dump was passed automatically from the isolated production network to a Microsoft debugging environment on the internet-connected corporate network.
The move went unnoticed because Microsoft’s systems did not detect the presence of key material in the dump. Microsoft says it has since fixed both the redaction flaw and the missing detection.
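The control that was missing here is a gate that scans a crash dump for key material before it is allowed off the isolated network. The following is an added example (not Microsoft’s code, and the dump contents and key names are constructed for illustration) of such a gate: it flags PEM-encoded private keys and, more importantly, raw bytes of keys the signing service is known to hold, since a key in a memory dump is usually not in PEM form.

```python
import re

# Constructed sample data, not real Microsoft artefacts: a fake crash dump with a
# hypothetical signing key inside it, and a clean dump for comparison.
PEM_PRIVATE_KEY = re.compile(
    rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----.*?"
    rb"-----END (?:RSA |EC |OPENSSH )?PRIVATE KEY-----",
    re.S,
)

# Raw key material the signing service is known to hold, registered at key
# generation time. This is a hypothetical placeholder value; in practice it would be
# the private-key bytes (or a distinctive prefix of them) for each live signing key.
KNOWN_KEY_MATERIAL = {
    "msa-consumer-key-1 (hypothetical)": b"HYPOTHETICAL-SIGNING-KEY-MATERIAL-0001",
}


def scan_dump(blob: bytes, known_material: dict) -> list:
    """Return (indicator, offset) findings for anything that looks like key material."""
    findings = []
    # 1. Generic pattern: any PEM private key block, wherever it sits in the dump.
    for m in PEM_PRIVATE_KEY.finditer(blob):
        findings.append(("pem_private_key", m.start()))
    # 2. Known-key search: raw bytes of keys this service holds, in any encoding
    #    the process kept them in (covers DER/raw copies that PEM matching misses).
    for name, material in known_material.items():
        off = blob.find(material)
        while off != -1:
            findings.append(("known_key:" + name, off))
            off = blob.find(material, off + 1)
    return findings


def cleared_to_leave_isolated_network(blob: bytes, known_material=KNOWN_KEY_MATERIAL) -> bool:
    """Gate: a dump may move to the internet-connected debugging environment only
    if the scan finds nothing. Fail closed on any finding."""
    return not scan_dump(blob, known_material)


def sample_dumps() -> dict:
    """Two constructed dumps: one with leaked key material, one clean."""
    leaked = (
        b"MDMP" + b"\x00" * 64 + b"thread 7 stack ..."
        + b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n-----END RSA PRIVATE KEY-----"
        + b"\x00" * 32 + b"HYPOTHETICAL-SIGNING-KEY-MATERIAL-0001" + b"\xff" * 16
    )
    clean = b"MDMP" + b"\x00" * 64 + b"thread 7 stack ..." + b"\x00" * 128
    return {"leaked": leaked, "clean": clean}


if __name__ == "__main__":
    for name, blob in sample_dumps().items():
        print(name, "cleared:", cleared_to_leave_isolated_network(blob),
              "findings:", scan_dump(blob, KNOWN_KEY_MATERIAL))
```

The known-key search is the part that would have mattered in this incident: redaction that only recognises key material in a particular format can be bypassed by a race or by a copy of the key held in another representation, so the gate should match on the bytes the service actually holds and block on any hit.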
Microsoft cannot say exactly how the Chinese threat actors obtained the key: because of its log retention policies, the company has no logs showing the exfiltration. Its assessment is that the group had compromised a Microsoft engineer’s corporate account, which gave it access to the debugging environment where the crash dump sat.
It is worth noting that this signing key was issued for consumer Microsoft accounts only and should never have been accepted for the enterprise accounts the hackers targeted. Here a second Microsoft failure is evident.
Microsoft had provided an API to help validate token signatures cryptographically, but did not update the shared library to also check automatically which issuer (consumer or enterprise) a key was valid for. The mail system’s developers assumed the library performed complete validation and added no issuer/scope validation of their own. As a result, the mail system accepted a request for enterprise email carrying a token signed with the consumer key.
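The validation gap described above is easy to reproduce in miniature. The following is an added example, not Microsoft’s code: it uses HMAC-SHA256 in place of the real RSA-signed tokens, and the key identifiers, issuer URLs, tenant name and audience are all hypothetical. What it shows is the difference between a validator that stops at “the signature checks out against some key in the shared key set” and one that also checks that the signing key is trusted for the token’s issuer.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed, simplified stand-in for the real token infrastructure (example only):
# HMAC-SHA256 replaces RSA, and the key set, issuers and tenant are hypothetical.
KEY_SET = {
    # kid -> (secret, the scope this key is trusted to sign for)
    "msa-consumer-key-1": (b"consumer-secret-0001", "consumer"),
    "aad-enterprise-key-1": (b"enterprise-secret-0001", "enterprise"),
}

# Which scope each issuer belongs to (hypothetical issuer URLs).
ISSUER_SCOPE = {
    "https://consumer.issuer.example": "consumer",
    "https://enterprise.issuer.example/contoso-tenant/": "enterprise",
}

MAIL_AUDIENCE = "https://mail.service.example"  # hypothetical audience of the mail system


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Mint header.claims.signature with the named key. With the stolen consumer key an
    attacker can call this for any claims they like, including enterprise ones."""
    secret, _scope = KEY_SET[kid]
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64u(json.dumps(header).encode()) + "." + _b64u(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64u(sig)


def _verify_signature(token: str):
    """What the shared library did do: find the key by kid, check the MAC, check expiry.
    Returns (claims, scope of the key that signed the token)."""
    h_b64, c_b64, s_b64 = token.split(".")
    header = json.loads(_b64u_dec(h_b64))
    if header.get("kid") not in KEY_SET:
        raise ValueError("unknown kid")
    secret, key_scope = KEY_SET[header["kid"]]
    expected = hmac.new(secret, (h_b64 + "." + c_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64u_dec(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64u_dec(c_b64))
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    return claims, key_scope


def validate_vulnerable(token: str, expected_aud: str = MAIL_AUDIENCE) -> dict:
    """The mail system's mistake: treat the signature check as complete validation.
    Any key in the shared key set is accepted for any issuer."""
    claims, _key_scope = _verify_signature(token)
    if claims.get("aud") != expected_aud:
        raise ValueError("wrong audience")
    return claims


def validate_hardened(token: str, expected_aud: str = MAIL_AUDIENCE) -> dict:
    """Adds the missing issuer/scope check: the issuer must be known, and the key that
    signed the token must be trusted for that issuer's scope."""
    claims, key_scope = _verify_signature(token)
    iss = claims.get("iss")
    if iss not in ISSUER_SCOPE:
        raise ValueError("unknown issuer")
    if ISSUER_SCOPE[iss] != key_scope:
        raise ValueError("key scope %r not valid for issuer %r" % (key_scope, iss))
    if claims.get("aud") != expected_aud:
        raise ValueError("wrong audience")
    return claims


def mint(kid: str, iss: str, subject: str) -> str:
    """Convenience: a one-hour token for `subject` from issuer `iss`, signed with `kid`."""
    claims = {"iss": iss, "aud": MAIL_AUDIENCE, "upn": subject, "exp": int(time.time()) + 3600}
    return sign_token(kid, claims)


def forged_enterprise_token() -> str:
    """What Storm-0558 did in effect: enterprise issuer claims, signed with the consumer key."""
    return mint("msa-consumer-key-1", "https://enterprise.issuer.example/contoso-tenant/",
                "victim@contoso.example")


def with_altered_claims(token: str, **changes) -> str:
    """Rewrite claims but keep the old signature; any validator must reject this."""
    h_b64, c_b64, s_b64 = token.split(".")
    claims = json.loads(_b64u_dec(c_b64))
    claims.update(changes)
    return h_b64 + "." + _b64u(json.dumps(claims).encode()) + "." + s_b64


def accepted(validator, token: str) -> bool:
    try:
        validator(token)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    t = forged_enterprise_token()
    print("vulnerable validator accepts forged token:", accepted(validate_vulnerable, t))
    print("hardened validator accepts forged token:", accepted(validate_hardened, t))
```

Note that the vulnerable validator is not cryptographically broken: the signature really does verify. The flaw is purely one of trust scoping, which is why a stolen consumer key was enough to reach enterprise mailboxes and why a shared key set needs per-issuer (or per-key) scope binding enforced by the library rather than left to each consuming service.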
However, the company asserts that it has now fixed the bugs and processes that let the hackers carry out the breach, including improving its detection systems and preventing sensitive data from mistakenly getting added to crash dump files.
Key Points to Understand
- The signing key is a private cryptographic key used to sign authentication tokens for consumer Microsoft accounts; whoever holds it can mint tokens those services will trust.
- The hackers were able to obtain the key from a crash dump that was created when a Microsoft signing system crashed.
- The key was not supposed to be included in the crash dump, but a software flaw allowed it to be included.
- The hackers used the key to forge tokens that allowed them to access Outlook.com and Outlook Web Access accounts.
- Microsoft has fixed the bug that allowed the key to be included in the crash dump.
- Microsoft has also updated its systems to prevent sensitive data from being mistakenly added to crash dump files.