Security News > 2023 > July > Microsoft still unsure how hackers stole Azure AD signing key
Microsoft says it still doesn't know how Chinese hackers stole an inactive Microsoft account consumer signing key used to breach the Exchange Online and Azure AD accounts of two dozen organizations, including government agencies.
The threat actors used the stolen Azure AD enterprise signing key to forge new auth tokens by exploiting a GetAccessTokenForResource API flaw, providing them access to the targets' enterprise mail.
On June 27th, Microsoft also revoked all valid MSA signing keys to block all attempts to generate new access tokens and moved the newly generated ones to the key store that it uses for its enterprise systems.
"No key-related actor activity has been observed since Microsoft invalidated the actor-acquired MSA signing key," Microsoft said.
"No key-related actor activity has been observed since Microsoft invalidated the actor-acquired MSA signing key. Further, we have seen Storm-0558 transition to other techniques, which indicates that the actor is not able to utilize or access any signing keys," Microsoft said.
Microsoft rebrands Azure Active Directory to Microsoft Entra ID. Microsoft fixes Azure AD auth flaw enabling account takeover.
News URL
Related news
- CISA Warns: Hackers Actively Attacking Microsoft SharePoint Vulnerability (source)
- U.S. Cyber Safety Board Slams Microsoft Over Breach by China-Based Hackers (source)
- Microsoft still unsure how hackers stole MSA key in 2023 Exchange attack (source)
- Microsoft Warns: North Korean Hackers Turn to AI-Fueled Cyber Espionage (source)
- Microsoft: APT28 hackers exploit Windows flaw reported by NSA (source)
- Microsoft: APT28 hackers exploit Windows flaw reported by NSA (source)
- Hackers Increasingly Abusing Microsoft Graph API for Stealthy Malware Communications (source)