Researchers are concerned about the encryption key used by Chinese hackers to break into the email accounts of U.S. government agencies disclosed last week and also gave them access to a vast array of other Microsoft products.
Earlier this month, Microsoft disclosed that a threat actor linked to the Chinese government had through an acquired Microsoft private encryption key forged authentication tokens that gave them access to Exchange Online Outlook email accounts for more than 25 organizations, including government agencies.
Further investigationin to the incident has revealed the compromised key would have given the hacking group, which Microsoft calls Storm-0558, access to far more than Outlook, spanning many other Microsoft services that uses the same authentication process.
The compromised key could have allowed the threat actor to forge access tokens for multiple types of Azure Active Directory applications, including every application that supports personal account authentication, such as SharePoint, Teams, OneDrive, customers’ applications that support the ‘login with Microsoft’ functionality, and multi-tenant applications in certain conditions.
While Microsoft revoked the key and gave detection guidance to organizations, the lack of logging it provides around the token authentication process could make it “difficult” for customers to detect if forged tokens were used against their applications.
The type of key stolen is among the most powerful in modern IT, and the flaws it exploits are not unique to Microsoft. It has been used for numerous Microsoft products, including Azure personal accounts and Azure multi-tenant applications, since April 2016, and the public certificate for it expired on April 4, 2021.
It would have allowed the actor to stealthily gain immediate single hop access to everything, any email box, file service, or cloud account without the need to impersonate a victim’s server. Microsoft replaced the key sometime between June 27 and July 5, 2023.
Research analysis indicates that the key’s access for AAD affected applications that worked with version 2.0 of Microsoft’s OpenID and were set to support “Personal Microsoft accounts only” as well as “mixed audience” and other personal Microsoft accounts on services like Skype and Xbox. Multi-tenant Azure AD applications that used “common” version 2.0 key endpoints were also affected. Single tenant applications were not.
While Microsoft developed an extension to limit the ability of these types of keys to gain broad-based access, it placed responsibility for implementing that extension on the shoulders of its users.
Microsoft revoked the affected key, but researchers gave a stern warning that a sophisticated threat actor could have used the access and time to build in backdoors or other forms of persistence into victim systems and accounts.
Any applications that rely on local certificate stores or cached keys may still be using the corrupted key and would be vulnerable to continued exploitation.
The pool of Microsoft and customer applications affected number in the millions, and the lack of logging around authentication means many organizations will be in the dark about whether they were compromised through the breach.
The full impact of this incident is much larger than is being widely reported and understood that is going to have a long time implication.
Thud research was documented by researchers from Wiz but Microsoft was reluctant to comment further.