Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Chinese cyberspies obtained Microsoft signing key from Windows crash dump due to a mistake

Microsoft revealed that the Chinese group Storm-0558 stole a signing key used to breach government email accounts from a Windows crash dump. In July, Microsoft announced it had mitigated an attack conducted by a China-linked threat actor, tracked as Storm-0558, which targeted customer emails. Storm-0558 threat actors focus on government agencies in Western Europe and […]

China-linked APT Salt Typhoon

Microsoft revealed that the Chinese group Storm-0558 stole a signing key used to breach government email accounts from a Windows crash dump.

In July, Microsoft announced it had mitigated an attack conducted by a China-linked threat actor, tracked as Storm-0558, which targeted customer emails.

Storm-0558 threat actors focus on government agencies in Western Europe and were observed conducting cyberespionage, data theft, and credential access attacks. The attack was reported by a customer on June 16, 2023. The investigation revealed that the attack began on May 15, 2023, when Storm-0558 gained access to email accounts affecting approximately 25 organizations, including government agencies as well as related consumer accounts of individuals likely associated with these organizations.

The attackers forged authentication tokens to access user email using an acquired Microsoft account (MSA) consumer signing key.

Microsoft researchers discovered that the threat actors gained access to customer email accounts using Outlook Web Access in Exchange Online (OWA) and Outlook.com by forging authentication tokens to access user email.  

The attackers used an acquired MSA key to forge the tokens to access OWA and Outlook.com. The attackers exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail.

Microsoft has now shared a comprehensive technical investigation into the way attackers gained access to the Microsoft account consumer signing key.

The company discovered that threat actors stole a signing key used to breach government email accounts from a Windows crash dump after compromising a Microsoft engineer’s corporate account.

Microsoft discovered that the MSA key was accidentally leaked into a crash dump after a consumer signing system crashed in April 2021.

The investigation revealed that the system crash in April of 2021 resulted in a snapshot of the crashed process (“crash dump”). The company pointed out that crash dumps should not include the signing key, but a race condition allowed the key to be present in the crash dump (this issue has been fixed by the company). The presence of the key in the dump was not detected by Microsoft and the dump was subsequently moved from the isolated production network into the company debugging environment on the internet-connected corporate network.

“After April 2021, when the key was leaked to the corporate environment in the crash dump, the Storm-0558 actor was able to successfully compromise a Microsoft engineer’s corporate account. This account had access to the debugging environment containing the crash dump which incorrectly contained the key.” reads the analysis published by Microsoft. “Due to log retention policies, we don’t have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key.”

The IT giant announced it had revoked all valid MSA signing keys to prevent attackers from accessing other compromised keys. Below are the improvements implemented after the investigation:

  1. Identified and resolved race Condition that allowed the signing key to be present in crash dumps
  2. Enhanced prevention, detection, and response for key material erroneously included in crash dumps
  3. Enhanced credential scanning to better detect presence of signing key in the debugging environment
  4. Released enhanced libraries to automate key scope validation in authentication libraries, and clarified related documentation

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Google)