Cyber Security Threat Summary:
China-linked hackers breached Microsoft's email platform in May and stole tens of thousands of emails from U.S. State Department accounts, according to a Senate staffer. During a briefing by State Department IT officials, it was revealed that threat actors targeted around 60,000 emails from a total of 10 State Department accounts belonging to officials working in East Asia, the Pacific, and Europe.
The compromised accounts primarily focused on Indo-Pacific diplomacy. Although the stolen emails were unclassified, the breach raised concerns about cybersecurity. Microsoft had previously mitigated an attack by a China-linked threat actor known as Storm-0558, which targeted customer emails, including government agencies in Western Europe. The attackers exploited a token validation issue and forged authentication tokens to gain access to email accounts. Microsoft's investigation revealed that the threat actors had stolen a signing key from a Windows crash dump in April 2021, which contributed to the breach.
Security Officer Comments:
Microsoft researchers discovered that the threat actors gained access to customer email accounts through Outlook Web Access in Exchange Online (OWA) and Outlook[.]com by forging authentication tokens. The attackers used an acquired MSA key to forge the tokens used to access OWA and Outlook[.]com, and exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail. In early September, Microsoft shared a comprehensive technical investigation into the way attackers gained access to the Microsoft account consumer signing key.
The IT giant announced it had revoked all valid MSA signing keys to prevent attackers from accessing other compromised keys. Below are the improvements implemented after the investigation:
- Identified and resolved the race condition that allowed the signing key to be present in crash dumps.
- Enhanced prevention, detection, and response for key material erroneously included in crash dumps.
- Enhanced credential scanning to better detect the presence of the signing key in the debugging environment.
- Released enhanced libraries to automate key scope validation in authentication libraries, and clarified related documentation.
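The key scope validation named in the last improvement, shown as an added Python illustration (not Microsoft's code): a toy token validator with a constructed key registry, where the signature-only check accepts a token minted with a consumer-scoped key but carrying an enterprise issuer, and the scoped check rejects it. HMAC stands in for the real signature scheme and all key material, issuer URLs and key IDs are placeholders.

```python
import base64, hashlib, hmac, json

# Constructed key registry: each signing key is bound to the scope (issuer family)
# it is allowed to sign for. Secrets and key IDs are placeholders, not real values.
KEY_REGISTRY = {
    "consumer-kid-1": {"secret": b"consumer-placeholder-secret", "scope": "consumer"},
    "enterprise-kid-1": {"secret": b"enterprise-placeholder-secret", "scope": "enterprise"},
}
# Constructed mapping from token issuer to the key scope that may sign for it.
ISSUER_SCOPE = {
    "https://login.consumer.example": "consumer",
    "https://login.enterprise.example": "enterprise",
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(kid: str, claims: dict) -> str:
    """Mint a compact header.payload.signature token with the named key (test input only)."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(KEY_REGISTRY[kid]["secret"], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def _verify_signature(token: str):
    """Return (header, claims) when the signature matches the key named by kid, else None."""
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(_unb64(h)), json.loads(_unb64(p)), _unb64(s)
        key = KEY_REGISTRY[header["kid"]]
    except (ValueError, KeyError):
        return None
    expected = hmac.new(key["secret"], f"{h}.{p}".encode(), hashlib.sha256).digest()
    return (header, claims) if hmac.compare_digest(expected, sig) else None

def validate_weak(token: str) -> bool:
    """Signature-only check: any registered key is trusted for any issuer (the flawed pattern)."""
    return _verify_signature(token) is not None

def validate_scoped(token: str) -> bool:
    """Hardened check: the key that signed the token must be scoped to the token's issuer."""
    result = _verify_signature(token)
    if result is None:
        return False
    header, claims = result
    issuer_scope = ISSUER_SCOPE.get(claims.get("iss"))
    return issuer_scope is not None and KEY_REGISTRY[header["kid"]]["scope"] == issuer_scope
```

A validator that stops at the signature check treats every key it knows as equally trusted; binding each key to the issuers it may sign for is what turns a leaked consumer key into a contained problem rather than an enterprise one.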