Microsoft Struggling to Find How Hackers Steal the Azure AD Signing Key

China’s Storm-0558 hacked 25 organizations, including government agencies, using fake tokens for email access, aiming at espionage since May 15, 2023.

However, Storm-0558’s campaign was blocked by Microsoft without affecting other environments. Not only that even, Microsoft also acted promptly by notifying all the targeted customers to secure their systems.

Surprisingly, Microsoft remains unaware of how Chinese hackers acquired an inactive Microsoft account signing key to breach Exchange Online and Azure AD accounts.

The Incident’s Cause is Unknown!

Since discovering the malicious campaign on June 16, 2023, Microsoft has accomplished the following things:-

• Swiftly addressed the root cause
• Stopped the malicious activities
• Strengthened the environment
• Notified all the affected customers
• Collaborated with government entities

While Microsoft affirmed that the way in which the threat actors obtained or gained access to the key is currently under investigation.

US government officials detected unauthorized access to multiple Exchange Online email services of government agencies, triggering the incident report.

Storm-0558, observed by Microsoft, primarily targets the following entities:- 

• US and European governing bodies
• Individuals related to Taiwan
• Individuals related to Uyghur interests
• Media companies
• Think tanks
• Telecom providers

Besides this, their primary objective is to get unauthorized email account access of targeted organizations’ employees.

It’s been discovered by Microsoft that through Outlook Web Access (OWA) Storm-0558 accessed customer Exchange Online data. Initially, it was believed that the actor stole Azure AD tokens using malware on infected devices.

Security researchers at Microsoft discovered that the threat actor forged Azure AD tokens using an acquired MSA consumer signing key, which is a validation error in Microsoft code that allowed this abuse.

Techniques Used by Hackers

The techniques that were used by threat actors during this incident are mentioned below:-

• Token forgery: The identity of entities seeking resource access, like email was verified by the authentication tokens, and the identity providers, such as Azure AD, issue these tokens to the requesting entity and sign them with a private key for authenticity. While the relying parties validate tokens using a public key, but, acquiring a private signing key enables an actor to forge tokens with valid signatures, tricking relying parties and in total, it’s known as “token forgery.”

• Identity techniques for access: Using the forged token, the threat actor authenticated and accessed the OWA API to obtain Exchange Online access tokens from the GetAccessTokenForResource API. A design flaw allowed the actor to present a previously issued token, but it has been rectified to only accept Azure AD or MSA tokens. With these tokens, from the OWA API, the threat actor retrieved mail messages.

Ways Storm-0558 Executes Attacks

Moreover, to access the OWA Exchange Store service, Storm-0558 leverages:-

• PowerShell
• Python scripts
• REST API calls

Through Tor or hardcoded SOCKS5 proxy servers, the web requests are sent, and for issuing requests the threat actor employs various User-Agents like:-

• Client=REST;Client=RESTSystem;;
• Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
• Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36 Edg/106.0.1370.52
• “Microsoft Edge”;v=”113″, “Chromium”;v=”113″, “Not-A.Brand”;v=”24″

Sensitive data, including bearer access tokens and email information, is hardcoded in the scripts used by the threat actor to make OWA API calls. Additionally, for future OWA commands, the threat actor can refresh the access token.

Storm-0558 extensively utilized dedicated infrastructure with SoftEther proxy software, posing challenges for detection and attribution. 

Microsoft Threat Intelligence successfully profiled this proxy infrastructure and correlated it with the actor’s intrusion techniques during their response.