Microsoft launched an investigation into unauthorized access to the Exchange Online email services of several US government agencies. The experts found that the hack was successful with the help of vulnerabilities, stolen keys and an Azure AD signing key. But where the hackers got the keys from is probably still a mystery.
Two dozen organizations, including US government agencies, were recently hacked. Chinese hackers stole a consumer signing key for an inactive Microsoft account (MSA). The incident was reported by US government officials after several government agencies discovered unauthorized access to Exchange Online email services.
Action by Chinese professional hackers
Microsoft began investigating the attacks back on June 16 and found that a Chinese cyber-espionage group it knows as Storm-0558 was stealing the email accounts of about 25 organizations (reportedly including the US State Department and the US -Department of Commerce) hacked. The attackers used the stolen Azure AD corporate signing key to forge new authentication tokens by exploiting a GetAccessTokenForResource API vulnerability, giving them access to the targets' corporate email. "The method by which the actor obtained the key is the subject of ongoing investigation," Microsoft admitted in a new advisory released today.
Storm-0558 can use PowerShell and Python scripts to generate new access tokens for the OWA Exchange Store service via REST API calls to steal emails and attachments. However, Microsoft has not confirmed whether this approach was used in last month's data theft attacks on Exchange Online. "Our telemetry data and research indicate that post-compromise activity was limited to email access and exfiltration for targeted users," Microsoft added today.
Suspicious keys and tokens blocked
The company blocked the use of the stolen private signing key for all affected customers on July 3, stating that the attackers' token replay infrastructure was shut down a day later. Also, on June 27, Microsoft revoked all valid MSA signing keys. "No key-related activity has been observed since Microsoft invalidated the MSA signing key purchased by the actor," Microsoft said.
Microsoft has worked through the entire course of the attack and the technical details in a security advisory.
More at Microsoft.com
About Microsoft Germany Microsoft Deutschland GmbH was founded in 1983 as the German subsidiary of Microsoft Corporation (Redmond, USA). Microsoft is committed to empowering every person and company in the world to achieve more. This challenge can only be mastered together, which is why diversity and inclusion have been firmly anchored in the corporate culture from the very beginning. As the world's leading manufacturer of productive software solutions and modern services in the age of intelligent cloud and intelligent edge, as well as a developer of innovative hardware, Microsoft sees itself as a partner to its customers to help them benefit from the digital transformation. Security and data protection have top priority when developing solutions. As the world's largest contributor, Microsoft is driving open source technology through its leading developer platform GitHub. With LinkedIn, the largest career network, Microsoft promotes professional networking worldwide.