The threat actor tracked by Microsoft as Storm-0558 has been able to utilise a stolen consumer signing key to access accounts and emails in Exchange Online through Outlook Web Access (OWA), and on Outlook.com. This threat actor is thought to be based in China and has a history of targeting Western European and U.S.-based companies and government agencies in espionage, data theft, and credential access attacks. In a Threat Intelligence blog post Microsoft confirm that in previous attacks Storm-0558 has targeted “diplomatic, economic, and legislative governing bodies”, as well as “media companies, think tanks, and telecommunications equipment and service providers”. This current forged signing key attack has been focused on government agencies and their associated consumer accounts, with approximately 25 organisations confirmed as victims.
This attack was first detected by a customer in June, who notified Microsoft of some unexpected data access taking place on their Exchange Online accounts. Researchers concluded that the attacks had begun in May, and through identifying known tactics, techniques, and procedures (TTPs) attributed the attacks to threat actor Storm-0558. As with other previously observed attacks conducted by Storm-0558, the objective of this incident was to obtain access to the email accounts of employees at their target organisation, for email access and data exfiltration purposes. At first it was assumed that the threat actors were using malware to steal valid Azure Active Directory (Azure AD) tokens that were correctly issued to users. However, this was found not to be the case, with the threat actors instead exploiting a validation flaw in the system that allowed them to create forged Exchange Online authentication artifacts without valid Azure AD tokens.
Microsoft uses authentication tokens to validate the identity of users when they attempt to access their emails. These tokens are signed using a private key unique to the user, and a public key that belongs to the identity provider, in this case Azure AD. Consumer accounts are validated by Microsoft account (MSA) consumer signing keys, and Azure AD accounts are validated through Azure AD enterprise signing keys. As these keys come from separate providers and are managed in separate systems, neither should be able to validate tokens for the other system. A now-patched code error was exploited by the attackers that enabled them to use an MSA consumer signing key, designed for consumer accounts only, to sign requests to Azure AD enterprise accounts.
The threat actors obtained an inactive MSA signing key and used it to forge authentication tokens, giving them valid signatures to access OWA and Outlook.com accounts. Once a forged token was validated by the identity provider, the threat actor could then call the OWA API to obtain an authentication token for Exchange Online using the GetAccessTokenForResource API. A flaw in the system allowed the attackers to continually receive new access tokens by presenting ones previously issued by this API. Using these tokens, Storm-0558 were able to retrieve email messages from the OWA API, giving them both read and data exfiltration capabilities. Just the one MSA key is thought to have been used in these attacks to create multiple forged tokens; however, it is still unknown how the threat actors acquired the MSA signing key in the first place.
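The validation weakness described in the two paragraphs above comes down to how a relying party resolves a token's key ID: if the lookup spans every trusted key set rather than the key set of the issuer the token claims, a consumer key can validate an enterprise token. The following is an added example written for this page, not Microsoft's code or the actual patched logic; it models the signing keys with HMAC secrets and constructed issuer URLs so it runs on the standard library, and shows the unscoped lookup beside the issuer-scoped one.

```python
import base64, hashlib, hmac, json, time

# Constructed key sets. Real MSA/Azure AD signing keys are asymmetric; HMAC secrets
# stand in so this runs offline. What is modelled is the key lookup, not the algorithm.
MSA_ISS, AAD_ISS = "https://login.live.com", "https://login.microsoftonline.com"
KEYS_BY_ISSUER = {
    MSA_ISS: {"msa-key-1": b"constructed-consumer-secret"},    # consumer (MSA) keys
    AAD_ISS: {"aad-key-1": b"constructed-enterprise-secret"},  # enterprise (Azure AD) keys
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign(claims: dict, kid: str, key: bytes) -> str:
    """Mint a compact header.payload.signature token (JWS-like layout)."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(mac)}"

def _parse(token: str):
    h, p, s = token.split(".")
    return json.loads(_unb64(h)), json.loads(_unb64(p)), _unb64(s), f"{h}.{p}".encode()

def _mac_ok(key: bytes, signed: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), sig)

def verify_weak(token: str) -> bool:
    """Flawed pattern: kid is resolved against the union of all key sets, so a consumer key validates an enterprise token."""
    header, _claims, sig, signed = _parse(token)
    merged = {k: v for ks in KEYS_BY_ISSUER.values() for k, v in ks.items()}
    key = merged.get(header.get("kid"))
    return key is not None and _mac_ok(key, signed, sig)

def verify_strict(token: str, expected_iss: str) -> bool:
    """Hardened pattern: the relying party names the issuer it expects; kid is resolved only in that issuer's key set."""
    header, claims, sig, signed = _parse(token)
    key = KEYS_BY_ISSUER.get(expected_iss, {}).get(header.get("kid"))
    if claims.get("iss") != expected_iss or key is None or claims.get("exp", 0) < time.time():
        return False  # wrong issuer, key outside the issuer's set, or expired
    return _mac_ok(key, signed, sig)

def enterprise_claims() -> dict:
    """Claims an enterprise token for a mail resource might carry (constructed values)."""
    return {"iss": AAD_ISS, "sub": "user@example.test", "aud": "exchange-online", "exp": int(time.time()) + 600}
```

Signing `enterprise_claims()` with the consumer key passes `verify_weak` but fails `verify_strict(token, AAD_ISS)`, which is the separation the paragraphs above say the two key sets were meant to have.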
To mitigate this form of attack, Microsoft blocked the usage in OWA of tokens signed with the MSA key known to be controlled by the threat actors. Tokens issued with this key were also blocked for use in the customer environments of the confirmed victims of these attacks. The validation flaws that allowed incorrect key usage to result in valid tokens being issued have been patched, and further isolation of environments has been added to prevent a similar issue arising again. The storage location of MSA keys has also been moved to the key store used for enterprise systems for added security. Microsoft continue to take steps to provide Defense-In-Depth, including increased monitoring of key activity and automated alerting in these system environments.
They also revoked and issued replacement keys for all signing keys in use at the time of the attack, including the threat actor-controlled MSA key. Research into this attack conducted by Wiz shows that 8 public keys for Azure AD enterprise accounts and 7 public keys for MSA consumer accounts, which had been active since at least 2016, were the ones in use at the time of the attacks. These keys could sign OpenID tokens, leading Wiz researchers to believe that the scope of applications potentially affected by the flaws exploited in this attack is greater than just Exchange Online and Outlook.com. Potentially affected applications include any Azure AD apps that work with the OpenID v2.0 protocol, which includes Microsoft managed apps such as Outlook, SharePoint, Teams, and OneDrive, as well as third party applications that use ‘Login with Microsoft’. Microsoft have confirmed that no customer action is required as the mitigation steps they have performed have resolved the issue for all customers. However, if a greater range of applications and services may have been affected than those investigated by Microsoft, administrators may wish to use the Indicators of Compromise listed on the Threat Intelligence blog to determine whether they have fallen victim to this form of attack.
Since these remediation steps were taken by Microsoft, no further activity has been detected using MSA signing keys in attacks. Microsoft have also stated that they have observed the threat actor utilising “other techniques” to perform their attacks, further confirming that the hardening steps taken have resolved the flaws in the key validation processes. Previously, Storm-0558 are known to have performed credential harvesting phishing campaigns in order to steal credentials for initial access to email accounts. OAuth token attacks have also been observed as early as 2021, with the threat actors performing token theft and token replay attacks. Other initial access techniques, including exploiting web-facing applications through the installation of web shells, have also been utilised by this group. Microsoft have not yet confirmed which techniques they have observed this threat actor moving on to since its ability to forge tokens with the stolen signing key was removed.