Researchers from cloud security company Wiz studied the technique described by Microsoft and concluded that anyone with the signing key could have extended their access and signed into other widely used Microsoft cloud offerings including SharePoint, Teams and OneDrive.
“The compromised MSA key could have allowed the threat actor to forge access tokens for multiple types of Azure Active Directory applications, including every application that supports personal account authentication,” including customer applications that offer the ability to “login with Microsoft,” Wiz said in a blog post detailing its findings.
Microsoft has revoked the key, so it cannot be used in new attacks. But Wiz said the attackers might have left back doors in applications that would let them return, and it said some software would still recognize a session begun by an expired key.
Microsoft played down the likelihood that the attackers had gone beyond the email accounts of targets, who included Commerce Secretary Gina Raimondo and U.S. ambassador to China Nicholas Burns.
“Many of the claims made in this blog are speculative and not evidence-based,” said Jeff Jones, a Microsoft spokesperson.
The Cybersecurity and Infrastructure Security Agency, the Department of Homeland Security unit responsible defending civilian arms of government, said it had not seen reason to believe that the attackers had chosen to go beyond email.
“Available information indicates that this activity was limited to a specific number of targeted Microsoft Exchange Online email accounts. We continue to work closely with Microsoft as their investigation continues,” said Eric Goldstein, executive assistant director for cybersecurity at CISA.
No classified information is believed to have been taken. Microsoft said it could see every time the pirated key had been used and that only about two dozen organizations worldwide were hit.
The company was first alerted to the attacks by the State Department, which discovered the intrusion when it reviewed activity logs that Microsoft began providing to government customers after its cloud services were compromised in the SolarWinds hack in 2020. After the latest breach, Microsoft said it would begin providing many types of logs free to private customers as well.
Microsoft has attributed the attack to a Chinese group, detailed many of their techniques, and told customers how to look for signs they had been hacked. But it is still investigating how the signing key got out.
If Microsoft is wrong about the attack’s limits, “This is a nightmare scenario for those assessing impact,” former National Security Agency analyst Jake Williams wrote on Twitter. He said it would be hard to tell which apps that allow Microsoft logins were vulnerable, and not all of them make logs available.
Worse, he said that there would now be no reason for the attackers to try to break in everywhere with the revoked key, because not all apps will have begun blocking it.
“If I were a threat actor, I’d be riding that now-revoked key like a rented mule, seeing where I can get ANY mileage from it,” Williams wrote.
The findings underscored the fragility of the cloud systems that lie behind an increasing proportion of software operations.
