Microsoft explains that Chinese hackers leveraged a stolen signing key from a Windows crash dump to compromise US government accounts


What you need to know

  • Microsoft has been under scrutiny by a cybersecurity advisory panel following the breach of multiple accounts belonging to US government officials.

  • The company has now revealed that the hacker group, Storm-0558, was able to access these accounts via a signing key from a Windows crash dump.

  • Microsoft states that the breach has been resolved and only impacted Exchange Online and Outlook.

  • A security researcher disputed that claim, arguing the stolen key gave far broader access across cloud-based Microsoft platforms, including Outlook, SharePoint, OneDrive, and Teams.

A while back, a U.S. cybersecurity advisory panel commissioned by President Biden's administration launched an investigation into Microsoft after a Chinese hacker group known as Storm-0558 breached Microsoft email accounts belonging to two dozen government agencies. The panel aims to establish Microsoft's role in the incident, amid suspicion that there is more to the story and that the company has been less than transparent about it.

While Microsoft was able to mitigate the issue, it did not provide a detailed account of how the incident transpired or how the attackers were able to gain access to the accounts.

According to a new report by BleepingComputer, Microsoft has indicated that Storm-0558 gained access to the officials' accounts using a signing key stolen from a Windows crash dump, which the group obtained after breaching a Microsoft engineer's corporate account.

The hackers used the key to compromise Exchange Online and Azure Active Directory accounts belonging to multiple organizations. US-based government agencies, including the U.S. State and Commerce Departments, were among the parties affected by the breach. This raised several eyebrows, including Senator Ron Wyden's, who penned a letter on July 27 requesting the Cyber Safety Review Board to investigate the matter.

Microsoft wrote:

We found that this crash dump, believed at the time not to contain key material, was subsequently moved from the isolated production network into our debugging environment on the internet connected corporate network. This is consistent with our standard debugging processes. Our credential scanning methods did not detect its presence (this issue has been corrected).

Microsoft further detailed that the Chinese hacker group exploited a zero-day validation issue in the GetAccessTokenForResourceAPI, since mitigated, to forge signed access tokens and thereby impersonate the officials' accounts.
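The security-relevant point in the paragraph above is the validation gap rather than the key theft itself: a signing key scoped to consumer (MSA) accounts was accepted when it signed tokens for enterprise (Azure AD) identities. The following is an added illustration of that class of bug, not Microsoft's code and not the actual GetAccessTokenForResourceAPI logic; the key store, issuer names, HMAC secrets and account names are all constructed for the demo. It shows a verifier that checks only the signature and expiry against a shared key store, next to one that also binds the presented key to the issuer the relying party expects.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key store: two issuers, each with its own signing key. The real
# systems use asymmetric keys; HMAC secrets stand in so this runs on the standard
# library alone. None of these values are real.
KEY_STORE = {
    "msa-kid-2021": {"issuer": "consumer",   "secret": b"demo-consumer-msa-signing-key"},
    "aad-kid-2023": {"issuer": "enterprise", "secret": b"demo-enterprise-aad-signing-key"},
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Mint a compact JWS-style token (header.payload.signature) under key `kid`."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(KEY_STORE[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _check_signature(token: str):
    """Return (key_record, claims) if the signature verifies under the header's kid."""
    head_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(head_b64))
    key = KEY_STORE.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key["secret"], f"{head_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return key, json.loads(_b64url_decode(payload_b64))


def verify_vulnerable(token: str) -> dict:
    """Signature and expiry only: any key in the shared store is trusted for any issuer."""
    _key, claims = _check_signature(token)
    if claims["exp"] < time.time():
        raise ValueError("expired")
    return claims


def verify_hardened(token: str, expected_issuer: str) -> dict:
    """Also bind the signing key to the issuer the relying party expects."""
    key, claims = _check_signature(token)
    if key["issuer"] != expected_issuer:
        raise ValueError(f"key belongs to {key['issuer']!r}, not {expected_issuer!r}")
    if claims.get("iss") != expected_issuer:
        raise ValueError("iss claim does not match expected issuer")
    if claims["exp"] < time.time():
        raise ValueError("expired")
    return claims


def forge_with_consumer_key(victim: str) -> str:
    """Attacker holds only the consumer key but asserts an enterprise identity."""
    claims = {"iss": "enterprise", "aud": "exchange-online", "sub": victim,
              "exp": int(time.time()) + 3600}
    return sign_token("msa-kid-2021", claims)


def mint_enterprise_token(sub: str) -> str:
    """A legitimately issued enterprise token, signed with the enterprise key."""
    claims = {"iss": "enterprise", "aud": "exchange-online", "sub": sub,
              "exp": int(time.time()) + 3600}
    return sign_token("aad-kid-2023", claims)


def _accepts(verifier, *args) -> bool:
    try:
        verifier(*args)
        return True
    except ValueError:
        return False


def demo() -> tuple:
    """(vulnerable verifier accepts forged token?, hardened verifier accepts it?)"""
    forged = forge_with_consumer_key("victim@example.org")  # constructed account name
    return _accepts(verify_vulnerable, forged), _accepts(verify_hardened, forged, "enterprise")


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The hardened verifier checks the key's ownership before trusting the `iss` claim; checking only the claim would not help, since the attacker writes the claims. Keeping consumer and enterprise keys in separate stores, as Microsoft said it later did, removes the shared lookup that makes the vulnerable path possible.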

The company also detailed that the MSA key used to breach the officials' accounts dates to April 2021, when it leaked into a crash dump after Microsoft's consumer signing system crashed.

According to Microsoft:

Due to log retention policies, we don't have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key. 

The company added that while the crash dump should not have contained the signing key, a race condition caused it to be included. Notably, the crash dump was then moved from the company's production network to its internet-connected corporate debugging environment, where its credential scanning methods failed to detect the key. Microsoft says that scanning gap has since been corrected.
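The failure described above is a detection problem: key material that was never expected in a crash dump, so the scanner run over the debugging environment did not look for it. As an added example (not Microsoft's scanner, and with a dump that is entirely constructed for the demo), the scanner below looks for the two textual forms a leaked key most often takes, PEM blocks and JWK objects carrying a private component, and additionally flags high-entropy regions that could be raw key or cipher material without any recognisable header. Pattern names, window sizes and the entropy threshold are illustrative choices.

```python
import hashlib
import math
import re

# Textual signatures of private key material. Names are descriptive labels only.
PATTERNS = {
    "pem_private_key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"),
    # JSON Web Key with a private exponent/scalar ("d") present alongside its key type.
    "jwk_private_key": re.compile(rb'"kty"\s*:\s*"(?:RSA|EC|OKP)"[^}]{0,2048}?"d"\s*:'),
}


def shannon_entropy(chunk: bytes) -> float:
    """Bits of entropy per byte over the chunk (0.0 for empty, up to 8.0)."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_dump(data: bytes, window: int = 1024, step: int = 512, threshold: float = 7.5):
    """Return (finding_name, offset) pairs for key-like content in a memory dump."""
    findings = []
    for name, pattern in PATTERNS.items():
        for match in pattern.finditer(data):
            findings.append((name, match.start()))
    # Sliding-window entropy: raw key or ciphertext blobs have no header to grep for,
    # but stand out against the zeros and ASCII that dominate a process image.
    for offset in range(0, max(1, len(data) - window + 1), step):
        if shannon_entropy(data[offset:offset + window]) >= threshold:
            findings.append(("high_entropy_blob", offset))
    return findings


def build_constructed_dump() -> bytes:
    """A fake crash dump: low-entropy filler with three planted key-like regions."""
    filler = (b"\x00" * 512 + b"signing service worker crashed\x00") * 8
    pem = (b"-----BEGIN PRIVATE KEY-----\n" + b"MIIEvQIBADANBgkq" + b"A" * 60
           + b"\n-----END PRIVATE KEY-----\n")  # constructed, not a real key
    jwk = b'{"kty":"RSA","kid":"demo-kid","n":"AQAB","e":"AQAB","d":"DEMO-PRIVATE"}'
    # 2048 bytes of deterministic pseudo-random data standing in for raw key material.
    raw = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
    return filler + pem + filler + jwk + filler + raw + filler


def summarize(findings) -> dict:
    """Count findings per category, the shape a CI gate would assert on."""
    summary = {}
    for name, _offset in findings:
        summary[name] = summary.get(name, 0) + 1
    return summary


if __name__ == "__main__":
    print(summarize(scan_dump(build_constructed_dump())))
```

The entropy heuristic is what catches material the regexes miss, at the cost of false positives on compressed or encrypted buffers; in practice the threshold is tuned per dump type, and any hit is reason to keep the dump on the isolated network rather than moving it to a corporate debugging host.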

Analysis: What was the breach's severity?


According to Shir Tamari, a security researcher at Wiz, the breach extended beyond Exchange Online and Outlook. The researcher indicated that the stolen key gave the attackers access to Microsoft cloud services more broadly.

With that level of access, attackers could use the key to impersonate users on almost all cloud-based Microsoft platforms, including Outlook, SharePoint, OneDrive, and Teams, as well as third-party apps that support Microsoft Account authentication.

Microsoft, however, disputed these claims, maintaining that the key could only be leveraged against apps accepting personal accounts. The company nonetheless revoked all valid MSA signing keys, cutting off the attackers' ability to use the compromised key or any others, and blocking the generation of new access tokens with them. Microsoft also moved the signing of recently generated access tokens to the key store used by its enterprise systems.

Wiz's CTO and Cofounder, Ami Luttwak, speaking to BleepingComputer, said:

Everything in the world of Microsoft leverages Azure Active Directory auth tokens for access. An attacker with an AAD signing key is the most powerful attacker you can imagine, because they can access almost any app – as any user. This is the ultimate cyber intelligence 'shape shifter' superpower.

Tenable CEO Amit Yoran has called out Microsoft numerous times, citing its lack of transparency regarding security breaches and security practices.