Stolen Microsoft Security Key – Potential Breaches Beyond Outlook
A stolen Microsoft security key allowed Beijing-backed hackers to penetrate more than just Outlook and Exchange Online email accounts.
The key, acquired by as-yet unidentified means, enabled the spies to sign access tokens for Microsoft's online services as though they were Microsoft itself.
Microsoft disclosed the attack on July 11 and reiterated on July 14 that spies leveraged forged authentication tokens to breach government agencies for espionage.
The digital ruse, suspected to be orchestrated by China-based actors, allowed them access to US government officials' cloud email accounts, with high-profile targets including US Commerce Secretary Gina Raimondo.
A report identified further victims as Nicholas Burns, the American diplomatic representative in China, and Daniel Kritenbrink, the top-ranking official for East Asian affairs in the State Department.
Compromised OpenID v2.0 Authentication
Cybersecurity specialists have underscored this intrusion as a severe security lapse of critical significance. According to Shir Tamari, head of research at cybersecurity firm Wiz, the stolen key may have had more potential uses than initially assumed.
Wiz has also warned about users' own applications that leverage the "Login with Microsoft" feature. Tamari suggests that the compromised Microsoft Software Assurance (MSA) key could have facilitated the forging of access tokens for various Azure Active Directory applications.
This would allow intrusion into applications using OpenID v2.0 access tokens for account authentication. Services potentially at risk include Outlook, SharePoint, OneDrive, and Teams.
He added that applications serving multiple clients that use the "common" v2.0 keys endpoint instead of the "organizations" endpoint might be vulnerable. Systems employing the OpenID v1.0 protocol, however, continue to be secure.
Experts' Take on Microsoft's Countermeasures
Microsoft, so far, has neither publicized nor confirmed how this critically significant private signing key was compromised. The company has, however, revoked the key, and it has published a list of indicators of compromise for its clients.
However, cybersecurity professionals do not seem satisfied with these measures. It has been said that the absence of token verification logs could make it challenging for users to identify whether their applications' data was breached.
How the intruders acquired the private key remains unknown. Federal agencies raised the alarm after detecting the breach. Responding to such conclusions, a Microsoft spokesperson dismissed them as "speculative".
The spokesperson further recommended that customers review the Microsoft Threat Intelligence blog and check their systems against the published Indicators of Compromise (IOCs).
Various analyses suggest that the operatives procured one of several keys used to authenticate Azure Active Directory (AAD) access tokens. This facilitated signing any OpenID v2.0 access token for personal accounts and AAD applications.
It's being said that backdoors might have been established during prior sessions; thus, revoking the security key may not help much.
Experts assume that applications using local certificate stores or cached keys might still trust the compromised key, making them vulnerable to future attacks.
Given this, Microsoft and cybersecurity experts recommend that users routinely refresh these caches to maintain optimal security.
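As an added example (not from the article, Wiz or Microsoft), the checks a token-consuming application can apply in light of the "common" endpoint caveat above and the cached-key concern just described: refresh the cached key set instead of trusting it indefinitely, reject any token whose key id is unknown or withdrawn, and pin the issuer to a single tenant. The tenant id, key ids and secrets are constructed, and HS256 stands in for the RS256 signatures real Azure AD tokens carry so that the code runs offline with the standard library.

```python
import base64, hashlib, hmac, json

# Constructed sample data (not from the article). ALL_KEYS stands in for the key set
# Azure AD publishes as JWKS; real tokens are RS256-signed, HS256 is used only so the
# example runs with the standard library. Tenant id and secrets are hypothetical.
TENANT_ID = "00000000-0000-0000-0000-00000000beef"
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
ALL_KEYS = {"kid-ok": b"legit-secret", "kid-stolen": b"stolen-secret"}
REVOKED = {"kid-stolen"}   # no longer served once the provider revokes the key
MAX_AGE = 3600             # seconds a cached key set may be reused before a refresh

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(claims: dict, kid: str) -> str:
    """Build a compact JWT signed with ALL_KEYS[kid]; only used to create test input."""
    head = b64u(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = b64u(json.dumps(claims).encode())
    mac = hmac.new(ALL_KEYS[kid], f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64u(mac)}"

def fetch_jwks(now: float) -> dict:
    """Simulated download of the tenant's current key set (constructed, offline)."""
    return {"fetched_at": now, "keys": {k: v for k, v in ALL_KEYS.items() if k not in REVOKED}}

def validate(token: str, cache: dict, now: float) -> dict:
    """Return the token's claims or raise ValueError. A cache older than MAX_AGE is
    refreshed first, so a revoked kid stops being trusted; the issuer is pinned to
    one tenant rather than accepting any tenant the 'common' endpoint would cover."""
    if now - cache["fetched_at"] > MAX_AGE:
        cache.update(fetch_jwks(now))
    head64, body64, sig64 = token.split(".")
    header = json.loads(b64u_dec(head64))
    if header.get("alg") != "HS256":          # allow-list the algorithm, never 'none'
        raise ValueError("unexpected alg")
    key = cache["keys"].get(header.get("kid"))
    if key is None:
        raise ValueError(f"unknown or revoked kid {header.get('kid')!r}")
    mac = hmac.new(key, f"{head64}.{body64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64u_dec(sig64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64u_dec(body64))
    if claims.get("iss") != ISSUER or claims.get("tid") != TENANT_ID:
        raise ValueError("issuer/tenant mismatch: token not issued for this tenant")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims
```

A cache that still looks fresh but was filled before the revocation keeps accepting tokens signed with the withdrawn key, which is exactly why the refresh interval matters.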
The post Stolen Microsoft Security Key - Potential Breaches Beyond Outlook appeared first on The Tech Report.