Microsoft still unsure how hackers stole MSA key in 2023 Exchange attack – BleepingComputer

The U.S. Department of Homeland Security's Cyber Safety Review Board (CSRB) has released a scathing report on how Microsoft handled its 2023 Exchange Online attack, warning that the company needs to do better at securing data and be more truthful about how threat actors stole an Azure signing key.

Microsoft believes that last May's Exchange Online hack is linked to a threat actor known as 'Storm-0558' stealing an Azure signing key from an engineer's laptop that had previously been compromised by the hackers at an acquired company.

Storm-0558 is a cyberespionage actor affiliated with China that has been active for more than two decades, targeting a wide range of organizations.

Almost 10 months after Microsoft started the investigation, the CSRB states there isn't any definitive evidence of how the threat actor obtained the signing key, regardless of what Microsoft previously claimed.

"Big Yellow Taxi" alert

The CSRB conducted its analysis of the 2023 Microsoft Exchange Online hack based on details obtained from impacted organizations, cybersecurity companies and experts, law enforcement agencies, and meetings with Microsoft representatives.

The report notes that Microsoft learned of the intrusion after being alerted by the U.S. State Department on June 16, 2023.

Signs of the intrusion on the State Department's mail systems had appeared a day earlier, when the organization's security operations center (SOC) observed anomalous access.

Multiple security alerts appeared the next day thanks to a custom rule, internally called "Big Yellow Taxi," that analyzes the MailItemsAccessed log available through the Audit (Premium) service with its extended record retention.

One capability of the MailItemsAccessed mailbox-auditing action is to track and record access to individual messages (the bind operation).

Creating the "Big Yellow Taxi" rule was possible because the U.S. State Department had purchased a Microsoft 365 Government G5 license, which comes with enhanced logging through the premium tier of Microsoft's Purview Audit service.

However, other breached organizations were unable to detect that their accounts had been breached, as they had not purchased the premium logging features.

This led to Microsoft working with CISA to offer critical logging features for free, so all customers could detect similar attacks.

In February, Microsoft decided to expand the default log retention period from 90 to 180 days for all Purview Audit standard customers and to provide additional telemetry data to federal agencies.

The forgotten key and update

Starting mid-May 2023, the email accounts of more than 500 individuals at 22 organizations were compromised in a cyberespionage campaign by the Chinese hacking group Storm-0558.

The hackers accessed the email accounts using forged authentication tokens signed with a Microsoft Services Account (MSA) consumer key that the company created in 2016 and which should have been revoked in March 2021.

The reason the key was still valid in 2021 is that key rotation for the consumer system was performed manually at the time, unlike the automated process used for the enterprise system.

After a major cloud outage caused by the manual rotation, Microsoft stopped the process completely in 2021, leaving no system in place to alert employees to old, still-active signing keys in the consumer MSA service that should have been retired.

Although the 2016 MSA key was designed to sign access tokens only for consumer accounts, a previously unknown vulnerability allowed Storm-0558 to use it for enterprise email, too.

In a board meeting with the CSRB, Microsoft explained that the issue was introduced with the creation of an OpenID Connect (OIDC) endpoint service that listed active signing keys for both the enterprise and consumer identity systems.

[Image: Storm-0558 forging a token using the stolen 2016 MSA key. Source: CSRB]

However, the software development kits (SDKs) were not properly updated to distinguish, on that endpoint, between MSA signing keys for consumers and those for enterprises.

This allowed authentication to the email application through the Microsoft Entra identity and access management (IAM) system using either key type.

It is unclear how the threat actor discovered they could take advantage of the issue to forge tokens that worked for both consumer and enterprise accounts, but Microsoft speculates they learned of the capability through trial and error.

Crash dumps from 2021

While Microsoft said in September that the threat actor likely obtained the 2016 MSA key from crash dumps, the company updated its initial blog post three months later, on March 12, 2024, to clarify that this was a theory and that it had not found any evidence to support it.

During the investigation of the incident, Microsoft chased this scenario, which was one of a total of 46, a set that included an adversary with quantum computing capabilities able to break public-key cryptography.

The theory that Microsoft shared with the CSRB is that the 2023 Exchange Online hack is connected to another
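The article does not describe the logic of the State Department's "Big Yellow Taxi" rule, only that it analyzes MailItemsAccessed audit records and that the bind operation records access to individual messages. The following is an added example, not Microsoft's or the State Department's code: a hypothetical rule in that spirit, run over constructed records modelled on the Unified Audit Log MailItemsAccessed shape, which flags per-message binds from an app ID outside a tenant baseline (the baseline and threshold are assumptions).

```python
from collections import Counter

# Constructed sample records modelled on Microsoft 365 Unified Audit Log
# "MailItemsAccessed" entries (Purview Audit Premium). Every value here
# (users, IPs, app IDs, message IDs) is made up for this example.
SAMPLE_RECORDS = [
    {"UserId": "alice@example.gov", "ClientIPAddress": "203.0.113.10",
     "AppId": "outlook-desktop", "Operation": "MailItemsAccessed",
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}],
     "Folders": [{"Path": "\\Inbox", "FolderItems": [{"InternetMessageId": "<m1@x>"}]}]},
    {"UserId": "alice@example.gov", "ClientIPAddress": "198.51.100.7",
     "AppId": "unknown-app", "Operation": "MailItemsAccessed",
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}],
     "Folders": [{"Path": "\\Inbox", "FolderItems": [{"InternetMessageId": "<m2@x>"},
                                                     {"InternetMessageId": "<m3@x>"}]}]},
    {"UserId": "alice@example.gov", "ClientIPAddress": "198.51.100.7",
     "AppId": "unknown-app", "Operation": "MailItemsAccessed",
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"}],
     "Folders": [{"Path": "\\Inbox", "FolderItems": []}]},
]

# Hypothetical baseline: app IDs this tenant expects to bind mail items.
KNOWN_MAIL_APPS = {"outlook-desktop", "outlook-web"}

def is_bind(record):
    """True when the record is a MailItemsAccessed bind (a per-message read)."""
    if record.get("Operation") != "MailItemsAccessed":
        return False
    props = {p["Name"]: p["Value"] for p in record.get("OperationProperties", [])}
    return props.get("MailAccessType") == "Bind"

def bound_items(record):
    """Number of individual messages bound in this record."""
    return sum(len(f.get("FolderItems", [])) for f in record.get("Folders", []))

def find_anomalous_binds(records, known_apps=KNOWN_MAIL_APPS, threshold=1):
    """Hypothetical rule in the spirit of 'Big Yellow Taxi': aggregate bind
    operations from app IDs outside the baseline per (user, app, source IP)
    and alert once the bound-message count reaches the threshold."""
    counts = Counter()
    for rec in records:
        if is_bind(rec) and rec.get("AppId") not in known_apps:
            key = (rec["UserId"], rec["AppId"], rec["ClientIPAddress"])
            counts[key] += bound_items(rec)
    return [{"user": u, "app": a, "ip": ip, "messages_bound": n}
            for (u, a, ip), n in counts.items() if n >= threshold]
```

Sync records are ignored on purpose: only binds identify which messages were actually read, which is the signal the article says the premium log exposes.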
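To make the OIDC endpoint flaw described above concrete, here is an added, simplified illustration that is not Microsoft's code: a toy key list mixing a consumer and an enterprise key, a validator that accepts any listed key that verifies the signature (the flaw the SDKs had), and a hardened validator that also requires the key's scope to match the identity system the resource expects. HMAC secrets stand in for real signing keys, and the "scope" field is an assumption for this example.

```python
import base64, hashlib, hmac, json

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Constructed key list standing in for a discovery endpoint that publishes
# keys of both identity systems. "scope" is the assumed distinguishing field.
KEYS = {
    "msa-2016": {"secret": b"consumer-key-material", "scope": "consumer"},
    "ent-2023": {"secret": b"enterprise-key-material", "scope": "enterprise"},
}

def sign_token(claims: dict, kid: str) -> str:
    """Toy issuer side: compact HS256-style token signed with the named key."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def _verify_signature(token: str):
    """Look up the key by kid and check the signature; returns (key, claims) or None."""
    header_b64, body_b64, sig_b64 = token.split(".")
    key = KEYS.get(json.loads(_unb64(header_b64)).get("kid"))
    if key is None:
        return None
    expected = hmac.new(key["secret"], f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        return None
    return key, json.loads(_unb64(body_b64))

def validate_weak(token: str, expected_scope: str) -> bool:
    """Flawed check: any published key that verifies is accepted, so the
    expected scope is never consulted and a consumer key can vouch for an
    enterprise resource."""
    return _verify_signature(token) is not None

def validate_hardened(token: str, expected_scope: str) -> bool:
    """Fixed check: the verifying key must belong to the identity system the
    resource expects; a valid signature under the wrong key type is rejected."""
    result = _verify_signature(token)
    if result is None:
        return False
    key, _claims = result
    return key["scope"] == expected_scope
```

The second validator is the only difference that matters: signature verification alone says nothing about which identity system a key was issued for.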