Microsoft’s stolen crypto key is the golden ticket for Chinese spies

A hacker group suspected of links to Beijing was recently able to break into mailboxes Outlook And Exchange Online, as well as other cloud services Microsoft. To do this, the attackers used the stolen cryptographic keywhich allowed them to forge access tokens and impersonate corporate employees.

Using fake tokens, hackers gained access to the email accounts of high-ranking US officials, including Secretary of Commerce Gina Raimondo, US Under Secretary of State for East Asian Affairs Daniel Kritenbrink, and Chinese Ambassador Nicholas Burns.

The US federal agency managed to detect the violation and warned Microsoft. Microsoft did not report how exactly the digital bandits managed to get this cryptographic key. Shortly after the discovery of the attack, this key was revoked by the corporation.

According to Shira Tamari, head of research at the company wiz, this key was much more powerful than it might seem at first glance. The words of the researcher can be trusted, because Wiz was founded by former Microsoft cloud security engineers and they know how the internal “kitchen” is arranged.

According to report Wiz, the stolen key could be used to access different types of apps Azure Active Directory (AAD), including Microsoft applications that use OpenID v2.0 tokens for authentication, such as Outlook, SharePoint, OneDrive And Teams.

In addition, the key could work with Microsoft customer applications that support the “Sign in with Microsoft” feature, as well as multi-user applications configured to use a shared v2.0 endpoint instead of an organizational one.

However, Microsoft denies Wiz’s findings and encourages customers to check out the company’s own blogs, specifically the blog Microsoft Threat Intelligenceto learn more about the incident and test your environments with published indicators of compromise (IoC).

Microsoft publicly disclosed the attack on July 11th. At the same time and in an update dated July 14, the corporation stated that hackers used fake access tokens to penetrate the email accounts of government agencies for the purpose of espionage.

According to the Wiz security team, the Chinese group appears to have received one of several keys used to validate AAD access tokens, allowing them to sign any OpenID v2.0 access token for personal accounts and multi-user and personal AAD applications on behalf of Microsoft.

While Microsoft has revoked the compromised key, meaning it can no longer be used to forge tokens and access AAD applications, there is a chance that during previously established sessions, attackers could have used this access to deploy “bookmarks” or otherwise provide persistence on compromised systems.

Also, applications that use local certificate stores or cached keys may still trust a compromised key and be vulnerable to attacks. Because of this, both Wiz and Microsoft itself strongly recommend updating these repositories at least once a day.