Microsoft has recently revealed that a China-based threat actor, known as Storm-0558, was able to forge authentication tokens and gain unauthorized access to user email from approximately 25 Microsoft enterprise customers. This cyber espionage group has been active since 2021 and has targeted diplomatic entities, legislative governing bodies, media companies, Internet service providers, and telecommunications equipment manufacturers.
The attacks conducted by Storm-0558 were particularly notable because they involved the threat actor using a Microsoft account (MSA) consumer signing key to forge Azure AD tokens, which allowed them to access enterprise email accounts. Typically, MSA consumer keys are used for signing into Microsoft consumer applications like Outlook.com, OneDrive, and Xbox Live.
Microsoft became aware of the group’s activities in May when a customer reported anomalous activity on their Exchange Server account. During their investigation, Microsoft initially believed that the threat group had obtained an Azure AD enterprise signing key to forge tokens for authentication. However, further investigation revealed that Storm-0558 had actually acquired an MSA consumer signing key, which was used for the token forging. Microsoft attributed this acquisition to a “validation error” at the time.
In a report released this week, Microsoft detailed the findings of its two-and-a-half-month-long investigation into the incident. The issue began with a race condition that resulted in the signing key being present in a crash dump. Normally, the signing key should have been redacted from the dump, but the race condition prevented this from happening. Furthermore, none of Microsoft’s security controls detected the sensitive information in the crash dump, which was subsequently moved to the debugging environment on Microsoft’s Internet-connected corporate network.
Although Microsoft’s production environment is tightly controlled and incorporates security controls such as background checks, secure workstations, and hardware token-based two-factor authentication, the corporate environment’s use of email and collaboration tools left its users more exposed to attack. Storm-0558 was able to compromise a Microsoft engineer’s corporate account and steal sensitive data, including the MSA consumer signing key, from the debugging environment.
The question that arises is how a consumer key allowed the threat actor to forge Azure AD tokens. Microsoft explains that in September 2018 it established a common key metadata publishing endpoint, and as part of this offering, documentation was updated to clarify the key scope validation requirements. However, due to ambiguous documentation, library updates, and other factors, the key scope validation did not work as intended: a token was trusted as long as it was signed by some key published at the common endpoint, without confirming that the key was one permitted to sign for enterprise resources. This allowed the email system to accept requests for enterprise email using a security token signed with the consumer key.
Microsoft has taken several steps to address these security missteps. It has resolved the race condition that allowed the key data to be included in crash dumps, enhanced its mechanisms for detecting signing keys in inappropriate places, and improved its automated scope validation mechanism to prevent similar mishaps in the future.
It is crucial for organizations to continually evaluate and strengthen their security measures to protect against sophisticated threat actors like Storm-0558. In this case, Microsoft’s investigation has shed light on the chain of weaknesses and mistakes that allowed the unauthorized access to occur. By learning from such incidents and implementing robust security controls, organizations can better defend against cyber attacks and protect sensitive data.