phoneolz.blogg.se

Outlook online sign in

Microsoft is getting criticized for the way in which it handled a serious security incident that allowed a suspected Chinese espionage group to access user email from approximately 25 organizations, including government agencies and related consumer accounts in the public cloud. The attacks were targeted and lasted for about a month before they were first discovered.

The investigation started on Jun 16, 2023, when Microsoft was notified by a customer about anomalous Exchange Online data access. The investigation found that the customer's Exchange Online data was accessed using Outlook Web Access (OWA). Microsoft analysis attributed the activity to a group called Storm-0558 based on established prior tactics, techniques, and procedures (TTPs). Attribution is based on Microsoft Threat Intelligence assessment that Storm-0558 is a China-based threat actor with activities and methods consistent with espionage objectives.

At first Microsoft assumed that the spies were using legitimate Azure Active Directory (Azure AD) tokens stolen by malware. But further analysis showed that Storm-0558 was forging Azure AD tokens using an acquired Microsoft account (MSA) consumer signing key to access OWA and. This was only possible because of a validation error in Microsoft code. MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems. Microsoft says it still doesn't know how Storm-0558 stole the inactive MSA signing key.

An authentication token allows internet users to access applications, services, websites, and application programming interfaces (APIs) without having to enter their login credentials each time they visit. Instead, the user logs in once, and a unique token is generated and shared with connected applications or websites to verify their identity. These tokens are validated with a signing key, so with access to such a key an attacker is able to create valid tokens to access the associated services.

Storm-0558 was able to obtain new access tokens by presenting one previously issued from the GetAccessTokenForResource Application Programming Interface (API) due to a design flaw. This flaw in the API has since been fixed.
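The rule that consumer and enterprise signing keys should only be valid for their respective systems can be shown as a verifier check. This is an added example, not Microsoft's code and not part of the original article: it contrasts a signature-only check with one that also binds each key to its issuer. The key ids, issuer URLs, secrets and function names are constructed assumptions, and HMAC-SHA256 stands in for the asymmetric signatures a real identity provider uses.

```python
import base64, hashlib, hmac, json

# Constructed key registry: each key id is bound to the system it was issued for.
# HMAC-SHA256 is a stand-in for the asymmetric signatures real providers use.
KEYS = {
    "consumer-key-1": {"secret": b"constructed-consumer-secret", "scope": "consumer"},
    "enterprise-key-1": {"secret": b"constructed-enterprise-secret", "scope": "enterprise"},
}
# Constructed issuer names mapped to the only key scope allowed to sign for them.
ISSUER_SCOPE = {
    "https://consumer.idp.example": "consumer",
    "https://enterprise.idp.example": "enterprise",
}

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(kid, claims):
    """Issue a compact header.payload.signature token with the named key."""
    head = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    mac = hmac.new(KEYS[kid]["secret"], f"{head}.{body}".encode(), hashlib.sha256)
    return f"{head}.{body}.{_b64(mac.digest())}"

def _checked_parts(token):
    """Return (key entry, claims) if the signature verifies under a known key."""
    head, body, sig = token.split(".")
    entry = KEYS.get(json.loads(_unb64(head)).get("kid"))
    if entry is None:
        raise ValueError("unknown signing key")
    want = hmac.new(entry["secret"], f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, _unb64(sig)):
        raise ValueError("bad signature")
    return entry, json.loads(_unb64(body))

def verify_signature_only(token):
    """Weak check: any trusted key may vouch for any issuer."""
    return _checked_parts(token)[1]

def verify_scoped(token):
    """Hardened check: the key must belong to the system named in 'iss'."""
    entry, claims = _checked_parts(token)
    if ISSUER_SCOPE.get(claims.get("iss")) != entry["scope"]:
        raise ValueError("signing key not valid for this issuer")
    return claims
```

A token whose signature is mathematically valid still fails `verify_scoped` when the key that signed it belongs to a different system than the issuer it names, which is the check a signature-only verifier skips.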