Microsoft Still Unaware How Hackers Stole Azure AD Signing Keys

It was recently revealed that Chinese hackers used real Azure AD signing keys to gain access to email servers from various US government agencies. However, Microsoft is still puzzling over how this was possible.

Vulnerability “untraceable”

Days after discovering the access, Microsoft still hasn’t found any indication of the vulnerability that gave the hackers access to the servers, according to a new report by the online magazine Bleeping Computer.

What is clear is that Chinese hackers stole a signing key for inactive Microsoft accounts (MSA). These were then used to break into the Exchange Online and Azure AD accounts of around two dozen organizations, including government agencies.

“The method by which the actor obtained the key is the subject of an ongoing investigation,” Microsoft admitted in a new advisory. The incident probably went undetected for more than a month – so the extent of possible manipulation and data theft is not yet known.

Microsoft began investigating the attacks in mid-June and found that the Chinese cyberespionage group Storm-0558 was behind them. The attackers used the stolen Azure AD signing keys to forge new authentication tokens that gave them easy access. Once equipped with “legitimate” access, the hackers could then steal emails and attachments.

Hacker blocked

After the intrusion became known, Microsoft blocked the signing keys for all affected Azure customers in early July and stated that the attackers’ token replay infrastructure had been shut down. This locked the hackers out.

“No key-related activities have been observed since Microsoft invalidated the MSA key purchased by an actor,” the Microsoft security team said. However, further information on the incident is still not available, so it remains unclear to what extent there are vulnerabilities in Azure and Exchange Online that still have to be closed.
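The two points the article makes, that a stolen signing key lets an attacker mint tokens a service will accept, and that invalidating the key is what finally locks the attacker out, can be shown with a small token validator. This is an added illustration, not Microsoft's code: the key names, secrets and claims are constructed, and the HMAC-signed header.payload.signature format stands in for the real token format.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo keys; "kid" is the key identifier carried in the token header.
# "msa-2016" plays the role of a signing key an attacker has obtained.
KEYS = {
    "msa-2016": b"constructed-secret-known-to-attacker",
    "aad-2023": b"constructed-secret-current-key",
}
REVOKED = set()  # kids that have been invalidated and must no longer be trusted

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(kid: str, claims: dict) -> str:
    """Mint an HS256-style token; anyone holding KEYS[kid] can do this."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def validate_token(token: str, expected_aud: str, now: int) -> tuple[bool, str]:
    """Return (accepted, reason). A valid signature is not enough: the key that
    produced it must still be trusted, and audience and expiry must match."""
    try:
        h, p, s = token.split(".")
        header, claims = json.loads(_unb64(h)), json.loads(_unb64(p))
    except (ValueError, json.JSONDecodeError):
        return False, "malformed"
    kid = header.get("kid")
    if kid not in KEYS:
        return False, "unknown kid"
    if kid in REVOKED:  # the mitigation Microsoft applied: invalidate the key
        return False, "signing key revoked"
    expected = hmac.new(KEYS[kid], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s)):
        return False, "bad signature"
    if claims.get("aud") != expected_aud:
        return False, "wrong audience"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    return True, "ok"

def revoke_key(kid: str) -> None:
    """Take a compromised key out of service; tokens it signed stop validating."""
    REVOKED.add(kid)
```

Until the key is revoked, a token forged with it is indistinguishable from a legitimate one to the validator, which is why the article's "legitimate access" wording is apt.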