A stolen Microsoft security key may have allowed Beijing-backed spies to break into a lot more than just Outlook and Exchange Online email accounts.

Incredibly as it sounds, and it really does deserve wider coverage, someone somehow obtained one of Microsoft's internal private cryptographic keys used to digitally sign access tokens for its online services. With that key, the snoops were able to craft tokens to grant them access to Microsoft customers' email systems and, crucially, sign those access tokens as the Windows giant to make it look as though they were legitimately issued.

With those golden tokens in hand, the snoops - believed to be based in China - were able to log into Microsoft cloud email accounts used by US government officials, including US Commerce Secretary Gina Raimondo. The cyber-trespassing was picked up by a federal government agency, which raised the alarm.

Microsoft still, to the best of our knowledge, does not know (or isn't publicly saying yet) how this incredibly powerful private signing key was obtained, and has revoked that key.

Now, it turns out that private key "was more powerful than it may have seemed," according to Shir Tamari, research boss at Wiz, an infosec outfit founded by former Microsoft cloud security engineers. We're told the private key could have been used to access way more than people's Outlook and Exchange Online accounts.

"Our researchers concluded that the compromised MSA key could have allowed the threat actor to forge access tokens for multiple types of Azure Active Directory applications," Tamari explained on Friday. 

This includes Microsoft applications using OpenID v2.0 access tokens for account authentication, such as Outlook, SharePoint, OneDrive, and Teams, we're told. 

Also, according to Wiz, it spans customers' own applications that support the "login with Microsoft" functionality, plus multi-tenant applications configured to use the "common" v2.0 keys endpoint instead of the "organizations" one. Applications using OpenID v1.0 remain safe.

Still, while Microsoft revoked the compromised encryption key and published a list of indicators-of-compromise for those wondering if they've also been hit by Storm-0558, the Wiz kids said it may be difficult for Redmond's customers to know if miscreants used forged tokens to steal data from their applications. Tamari blamed this on the lack of logs related to token verification.

And, it just so happens that Redmond on Wednesday caved to pressure from the US government agreed to provide all customers with free access to cloud security logs - a service usually reserved for premium clients - but not until September.

When asked about Wiz's latest findings - and if more than just email accounts could have been accessed in the attack - a Microsoft spokesperson told The Register:

Microsoft disclosed the attack on July 11. At the time, and in a July 14 update, the Azure titan said the spies used forged authentication tokens to access email accounts for government agencies for espionage purposes.

According to a Thursday report in the Wall Street Journal, Chinese snoops also accessed inboxes belonging to the US ambassador to China, Nicholas Burns, and Daniel Kritenbrink, the assistant secretary of state for East Asia.

It's still unclear how the spies obtained the private encryption key in the first place.

According to the Wiz security team, the China-based crew looks to have obtained one of several keys used for verifying Azure Active Directory (AAD) access tokens, allowing them to sign as Microsoft any OpenID v2.0 access token for personal accounts along with multi-tenant and personal-account AAD applications.

While Microsoft pulled the compromised key, meaning it can no longer be used to forge tokens and access AAD applications, there's a chance that during previously established sessions attackers could have used this access to deploy backdoors or otherwise establish persistence.

"A notable example of this is how, prior to Microsoft's mitigation, Storm-0558 issued valid Exchange Online access tokens by forging access tokens for Outlook Web Access (OWA)," Tamari wrote.

Additionally, applications that use local certificate stores or cached keys may still trust the compromised key and thus be vulnerable to attack. Because of this, both Wiz and Microsoft urge refreshing those silos at least once a day. ®

https://www.theregister.com//2023/07/21/microsoft_key_skeleton/