How Chinese hackers got their hands on Microsoft’s token signing key
The mystery of how Chinese hackers managed to steal a crucial signing key that allowed them to breach Microsoft 365's email service and access accounts of employees of 25 government agencies has been explained: they found it somewhere it shouldn't have been, in Microsoft's corporate environment.
The signing key was included in the snapshot of the crashed process of a consumer signing system because of an unexpected race condition, and its presence in the crash dump wasn't detected by Microsoft's credential scanning methods.
How come a consumer key was able to grant access to enterprise mail?
The company has previously said that MSA keys and Azure AD keys are issued and managed from separate systems and should only be valid for their respective systems, but that attackers exploited a token validation issue.
"To meet growing customer demand to support applications which work with both consumer and enterprise applications, Microsoft introduced a common key metadata publishing endpoint in September 2018.
As part of this converged offering, Microsoft updated documentation to clarify the requirements for key scope validation - which key to use for enterprise accounts, and which to use for consumer accounts," the company now explained.
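The key scope validation described above, sketched as an added example (not Microsoft's code and not from the original article): once consumer and enterprise keys are published together, a relying service has to check which scope the signing key belongs to, not only that the signature verifies. The key IDs, the `scope` field and the secrets are constructed for illustration, and HMAC-SHA256 stands in for the real asymmetric signature so the example runs with the standard library alone.

```python
import base64, hashlib, hmac, json

# Constructed stand-in for a converged key metadata document: each key carries
# the account scope it may sign for. Field names and values are hypothetical.
KEYS = {
    "consumer-key-1": {"scope": "consumer", "secret": b"constructed-consumer-secret"},
    "enterprise-key-1": {"scope": "enterprise", "secret": b"constructed-enterprise-secret"},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(kid: str, claims: dict) -> str:
    """Issue a JWT-shaped token (HMAC-SHA256 stands in for the real signature)."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    mac = hmac.new(KEYS[kid]["secret"], f"{header}.{body}".encode(), hashlib.sha256)
    return f"{header}.{body}.{_b64(mac.digest())}"

def validate(token: str, expected_scope: str, check_key_scope: bool = True) -> dict:
    """Verify the signature, then require that the signing key's scope matches
    the account type this service accepts. Raises ValueError on any failure."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64(header_b64))
        key = KEYS[header["kid"]]
        sig = _unb64(sig_b64)
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError("malformed token or unknown key") from exc
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    mac = hmac.new(key["secret"], f"{header_b64}.{body_b64}".encode(), hashlib.sha256)
    if not hmac.compare_digest(mac.digest(), sig):
        raise ValueError("bad signature")
    # A valid signature from *some* published key is not enough once keys for
    # both account types share one endpoint: the key must also be in scope.
    if check_key_scope and key["scope"] != expected_scope:
        raise ValueError(f"key scope {key['scope']!r} not valid for {expected_scope!r}")
    return json.loads(_unb64(body_b64))
```

Calling `validate(token, "enterprise", check_key_scope=False)` shows the signature-only behaviour, which accepts a token signed by the consumer key; the default call rejects it.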
News URL
https://www.helpnetsecurity.com/2023/09/07/stolen-microsoft-signing-key/