Chinese threat actor Storm-0558 exploited an acquired Microsoft account (MSA) consumer key to forge tokens and gain unauthorised access to Outlook Web App, Outlook.com and a host of other applications.
Microsoft has conducted a thorough technical investigation into this incident, as the breach exposed a significant lapse in Microsoft’s security infrastructure. The investigation uncovered that a consumer signing system crash in April 2021 produced a crash dump that unexpectedly contained sensitive key material. A race condition allowed the key to be present in the crash dump, and this issue went undetected by Microsoft’s systems.
Subsequently, this crash dump was moved from the isolated production network into the corporate debugging environment, which exposed it to the internet-connected corporate network. Credential scanning methods failed to detect the presence of the key in the crash dump.
Following this inadvertent exposure, Storm-0558 was able to compromise a Microsoft engineer’s corporate account that had access to the debugging environment containing the crash dump with the key. Unfortunately, due to log retention policies, there is no specific evidence of the key’s exfiltration by the threat actor. Still, it is deemed the most probable mechanism by which they acquired the key.
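The paragraphs above turn on one detection gap: a credential scanner tuned for text-form secrets did not flag a signing key sitting inside a binary crash dump. The following is an added example, not Microsoft's scanner or any code from the incident, showing what a dump scan needs beyond PEM-header matching: raw DER prefixes (the PKCS#8 rsaEncryption header and the PKCS#1 RSAPrivateKey header are real ASN.1 byte sequences) and a per-window entropy check that surfaces key-sized random blobs. The sample dump, the log line and the key bytes are all constructed; the "key" is random data behind a real header, not a usable key.

```python
"""Added example: a minimal key-material scan over a binary crash-dump-like
blob. Not Microsoft's credential scanner. Illustrates why a scanner that only
knows text secrets can miss a raw DER-encoded key inside a dump.
All inputs are constructed; no real key material is used."""
import math
import random
import re

# Text-form markers a typical secret scanner already knows.
PEM_MARKERS = [
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
]

# Raw DER prefixes that never appear as printable text:
#   PKCS#8 PrivateKeyInfo: SEQUENCE, version 0, AlgorithmIdentifier with
#     rsaEncryption OID 1.2.840.113549.1.1.1 (2a 86 48 86 f7 0d 01 01 01)
#   PKCS#1 RSAPrivateKey: SEQUENCE, version 0, 2048-bit modulus INTEGER
DER_PATTERNS = {
    "pkcs8-rsa": re.compile(
        rb"\x30\x82..\x02\x01\x00\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01",
        re.DOTALL),
    "pkcs1-rsa-2048": re.compile(
        rb"\x30\x82..\x02\x01\x00\x02\x82\x01\x01\x00", re.DOTALL),
}


def shannon_entropy(window: bytes) -> float:
    """Bits per byte: ~0 for zero padding, near 8 for key/random/compressed data."""
    if not window:
        return 0.0
    counts = [0] * 256
    for b in window:
        counts[b] += 1
    n = len(window)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _find_all(blob: bytes, needle: bytes):
    i = blob.find(needle)
    while i != -1:
        yield i
        i = blob.find(needle, i + 1)


def scan_dump(blob: bytes, window: int = 512, threshold: float = 7.0) -> dict:
    """Return PEM hits, DER hits and offsets of high-entropy windows.

    Window/threshold are tuned so 512 random bytes (~7.6 bits/byte) trip the
    check while zero padding and log text do not."""
    hits = {"pem": [], "der": [], "high_entropy": []}
    for marker in PEM_MARKERS:
        hits["pem"] += [(i, marker.decode()) for i in _find_all(blob, marker)]
    for name, pat in DER_PATTERNS.items():
        hits["der"] += [(m.start(), name) for m in pat.finditer(blob)]
    for off in range(0, max(1, len(blob) - window + 1), window):
        e = shannon_entropy(blob[off:off + window])
        if e >= threshold:
            hits["high_entropy"].append((off, round(e, 2)))
    return hits


def build_sample_dump(seed: int = 1) -> bytes:
    """Constructed stand-in for a crash dump: zero padding, one log line,
    then a DER-shaped blob (real PKCS#8 header followed by seeded random
    bytes, so it is not a valid key), then more padding."""
    rng = random.Random(seed)
    fake_key = (b"\x30\x82\x04\xbd\x02\x01\x00\x30\x0d\x06\x09"
                b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"
                + bytes(rng.getrandbits(8) for _ in range(1200)))
    return (b"\x00" * 4096
            + b"signing service worker 7 faulted; writing dump\n"   # constructed log text
            + b"\x00" * 2048
            + fake_key
            + b"\x00" * 4096)


if __name__ == "__main__":
    print(scan_dump(build_sample_dump()))
```

The DER hit is the deterministic signal; the entropy windows are the fallback for key formats the marker list does not cover, and they produce follow-up work (compressed sections and random buffers also score high), which is why a dump leaving an isolated production network should be scanned with both and quarantined on either.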
Microsoft introduced a common key metadata publishing endpoint in September 2018 to support applications that work with consumer and enterprise accounts. However, documentation and APIs did not perform scope validation automatically, leading to the mail system’s erroneous acceptance of requests for enterprise email using a security token signed with the consumer key. This flaw remained uncorrected until 2022, when mail systems were updated to use the common metadata endpoint, and developers implemented the necessary issuer/scope validation.
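The paragraph above describes the validation gap, not the code, so here is an added example (not Microsoft's libraries or endpoint) of what "issuer/scope validation" adds on top of signature validation when consumer and enterprise keys are served from one common metadata endpoint. Issuer URLs, key IDs and secrets are constructed placeholders, and HMAC-SHA256 stands in for the real RSA signatures because the point is the metadata check, not the algorithm.

```python
"""Added example: signature-only validation versus signature plus
issuer/key-scope validation against a shared key-metadata set.
Not Microsoft's code; all keys, issuers and claims are constructed."""
import base64
import hashlib
import hmac
import json

# Stand-in for a common metadata endpoint that publishes both the consumer
# and the enterprise signing keys. The "issuer" field records which issuer
# each key is scoped to; the flawed validator ignores it.
COMMON_KEYS = {
    "consumer-key-1": {"secret": b"consumer-secret-placeholder",
                       "issuer": "https://consumer.issuer.example"},
    "enterprise-key-1": {"secret": b"enterprise-secret-placeholder",
                         "issuer": "https://enterprise.issuer.example"},
}

# The only issuer the enterprise mail resource should accept tokens from.
ENTERPRISE_MAIL_ISSUER = "https://enterprise.issuer.example"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Toy HS256 signing with the key identified by kid (the issuing side)."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(COMMON_KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _verify_signature(token: str):
    """Return (kid, claims) if the signature verifies under the key named in
    the header and that key exists in the common key set, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
    except ValueError:
        return None
    key = COMMON_KEYS.get(header.get("kid"))
    if key is None:
        return None
    expected = hmac.new(key["secret"], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    return header["kid"], json.loads(_b64url_decode(p))


def validate_flawed(token: str) -> bool:
    """Pattern the article attributes to the pre-2022 mail system: any key
    published at the common endpoint is good enough. A token signed with the
    consumer key is accepted for an enterprise mailbox."""
    return _verify_signature(token) is not None


def validate_hardened(token: str) -> bool:
    """Signature check plus the two scope checks the fix introduced:
    1. the token's iss must be the issuer this resource trusts;
    2. the key that signed it must be the one published for that issuer."""
    result = _verify_signature(token)
    if result is None:
        return False
    kid, claims = result
    if claims.get("iss") != ENTERPRISE_MAIL_ISSUER:
        return False
    if COMMON_KEYS[kid]["issuer"] != claims["iss"]:
        return False
    return True


if __name__ == "__main__":
    good = sign_token("enterprise-key-1", {"iss": ENTERPRISE_MAIL_ISSUER, "sub": "user@corp.example"})
    wrong_key = sign_token("consumer-key-1", {"iss": ENTERPRISE_MAIL_ISSUER, "sub": "user@corp.example"})
    print("enterprise key:", validate_flawed(good), validate_hardened(good))
    print("consumer key:  ", validate_flawed(wrong_key), validate_hardened(wrong_key))
```

The second check in `validate_hardened` is the one that matters for this incident: checking `iss` alone is not enough, because the claim is attacker-controlled; the binding that has to hold is between the signing key and the issuer the resource trusts, which is exactly what a shared metadata endpoint stops doing for you.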
Extent of the breach
Although Microsoft claims that only Outlook.com and Outlook Web Access were breached, security researchers from Wiz Research have found that the compromised key could have allowed the “threat actor to forge access tokens for multiple types of Azure Active Directory applications, including every application that supports personal account authentication, such as SharePoint, Teams, OneDrive, customers’ applications that support ‘login with Microsoft’ functionality, and multi-tenant applications in certain conditions.”
The breach impacted every Microsoft service, since signing in to most of them is done with a Microsoft account. Moreover, as the researchers pointed out, even after revoking the compromised signing key and publishing the attacker’s IOCs, it is difficult for customers to detect the breach or the use of forged tokens against their applications, because the relevant logs lack crucial fields.
In response to this security breach, Microsoft has outlined a series of corrective measures and improvements, including:
- Identification and resolution of the race condition that allowed the signing key to be present in crash dumps.
- Enhancements in prevention, detection, and response for key material erroneously included in crash dumps.
- Improved credential scanning to better detect the presence of the signing key in the debugging environment.
- Release of enhanced libraries to automate key scope validation in authentication libraries and clarification of related documentation.
Azure users should identify all affected applications, search for forged token usage and understand and leverage the Indicators of Compromise published by Microsoft.