Microsoft baffled how hackers stole Azure AD signing key

Microsoft is still investigating how Chinese hackers stole an inactive Microsoft account (MSA) consumer signing key used to breach the Exchange Online and Azure AD accounts of two dozen organizations, including government agencies.
The hackers used the stolen key to forge authentication tokens, which allowed them to access the email accounts of their targets. Because a token signed with a valid signing key is accepted as if Microsoft itself had issued it, no password or MFA prompt is involved in this kind of access. They were then able to steal emails, attachments, and other sensitive information.

Microsoft has taken steps to mitigate the impact of the attack, including blocking tokens signed with the stolen key and revoking and replacing its MSA signing keys. However, the company is still working to determine how the hackers were able to acquire the key in the first place.

This is a serious security incident, and it highlights the importance of strong security practices for Microsoft accounts. Users should still use strong passwords and enable two-factor authentication, and be aware of phishing attacks, which are a common way for hackers to steal login credentials. Note, however, that those controls do not defend against this particular attack: a forged token bypasses password and MFA checks entirely, so the decisive fix was Microsoft revoking the key on the server side.

If you think that your Microsoft account may have been compromised, you should change your password immediately and contact Microsoft support.

Microsoft has confirmed that a Chinese cyber-espionage group, Storm-0558, breached the email accounts of approximately 25 organizations, including the U.S. State and Commerce Departments. The group used the stolen MSA consumer signing key to forge auth tokens that Azure AD accepted, which gave them access to the targets' enterprise mail.
Microsoft says that the post-compromise activity was limited to email access and exfiltration for targeted users. The company blocked the use of the stolen private signing key for all impacted customers on July 3rd and says the attackers' token replay infrastructure was shut down one day later.
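The mechanism described above (mint a token with stolen key material, then have the service refuse it by removing that key from the verifier's trust store) is shown below as an added, simplified Python example. It is not code from the article or from Microsoft. HS256 from the standard library stands in for the asymmetric keys Microsoft actually uses so the example runs offline; the issuer URLs, key IDs, sample claims and the check that binds a key to a single issuer are assumptions for illustration, and the `enforce_key_scope` flag models the kind of validation gap that lets a consumer key mint tokens an enterprise service accepts.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed sample key store: kid -> (key material, issuer this key may sign for).
# Real MSA / Azure AD signing keys are RSA; HS256 is used here only so the example
# needs nothing outside the standard library. Issuer URLs are assumed, not Microsoft's.
CONSUMER_ISS = "https://login.example-consumer.test"
ENTERPRISE_ISS = "https://login.example-enterprise.test/contoso"

KEY_STORE = {
    "msa-key-2016": (b"stolen-consumer-key-material", CONSUMER_ISS),
    "aad-key-2023": (b"enterprise-key-material", ENTERPRISE_ISS),
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(kid: str, secret: bytes, claims: dict) -> str:
    """Sign arbitrary claims as a compact JWS. Anyone holding the key material
    can do this, which is why a stolen signing key equals token forgery."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    h64 = _b64url(json.dumps(header, separators=(",", ":")).encode())
    p64 = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    return f"{h64}.{p64}.{_b64url(sig)}"


def verify_token(token: str, key_store: dict, expected_iss: str,
                 now: Optional[float] = None,
                 enforce_key_scope: bool = True) -> Tuple[bool, str]:
    """Return (accepted, reason). Rejects malformed tokens, unexpected alg,
    unknown or revoked kid, bad signature, wrong issuer, expired tokens and,
    when enforce_key_scope is set, a key used for an issuer it is not bound to."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(p64))
    except (ValueError, json.JSONDecodeError):
        return False, "malformed"
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    entry = key_store.get(header.get("kid"))
    if entry is None:
        # A revoked key simply disappears from the store: every token it ever
        # signed, forged or legitimate, fails here from that moment on.
        return False, "unknown or revoked kid"
    secret, key_scope = entry
    expected_sig = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s64)):
        return False, "bad signature"
    if claims.get("iss") != expected_iss:
        return False, "wrong issuer"
    if enforce_key_scope and key_scope != claims.get("iss"):
        # The consumer key cryptographically verifies, but it was never meant
        # to sign tokens for the enterprise issuer.
        return False, "key not valid for this issuer"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    return True, "ok"


def revoke(key_store: dict, kid: str) -> None:
    """Server-side revocation: drop the key so its tokens stop validating."""
    key_store.pop(kid, None)


def demo() -> dict:
    """Walk through forgery, the scoping gap, the scoping fix and revocation."""
    store = dict(KEY_STORE)
    now = 1_700_000_000  # fixed clock so the outcome is deterministic
    stolen_secret = store["msa-key-2016"][0]
    forged = mint_token("msa-key-2016", stolen_secret, {
        "iss": ENTERPRISE_ISS, "sub": "victim@contoso.test",
        "scp": "Mail.Read", "exp": now + 3600})
    results = {
        # Verifier that only checks the signature: forged token is accepted.
        "flawed_verifier": verify_token(forged, store, ENTERPRISE_ISS, now, False),
        # Verifier that also binds each key to its issuer: forged token rejected.
        "scoped_verifier": verify_token(forged, store, ENTERPRISE_ISS, now, True),
    }
    revoke(store, "msa-key-2016")
    results["after_revocation"] = verify_token(forged, store, ENTERPRISE_ISS, now, False)
    legit = mint_token("aad-key-2023", store["aad-key-2023"][0], {
        "iss": ENTERPRISE_ISS, "sub": "user@contoso.test", "exp": now + 3600})
    results["legitimate"] = verify_token(legit, store, ENTERPRISE_ISS, now, True)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the two verifier variants is that signature verification alone is not enough: a key can be cryptographically valid and still be the wrong key for the context. Revocation, on the other hand, works regardless of how careful the verifier is, which is why it was the decisive step here.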

Keys revoked to block Azure AD token forgery

This is a serious incident, and organizations should take steps to protect themselves from similar attacks. The general recommendations below address the common intrusion paths such as phishing and unpatched software; they would not have blocked a token forged with a stolen signing key, which only the key revocations described further down could stop.

Here are some of the key recommendations:
Keep your software up to date.
Use strong passwords and two-factor authentication.
Be careful about what links you click on and what attachments you open.
Train your employees on cyber security best practices.

Per Bleeping Computer
On June 27th, Microsoft also revoked all valid MSA signing keys to block all attempts to generate new access tokens and moved the newly generated ones to the key store that it uses for its enterprise systems.

However, while Redmond has not detected any key-related Storm-0558 malicious activity since revoking all active MSA signing keys and mitigating the associated API flaw, today's advisory says the attackers have now switched to other techniques.
"No key-related actor activity has been observed since Microsoft invalidated the actor-acquired MSA signing key. Further, we have seen Storm-0558 transition to other techniques, which indicates that the actor is not able to utilize or access any signing keys," Microsoft said.

On Tuesday, Microsoft also disclosed that the RomCom Russian cybercrime group exploited an Office zero-day that is yet to be patched in recent phishing attacks against organizations attending the NATO Summit in Vilnius, Lithuania. The RomCom operators used malicious documents impersonating the Ukrainian World Congress to push and deploy malware payloads such as the MagicSpell loader and the RomCom backdoor.