h1: Chinese Nation-State Actor Expands Scope of Attack on Microsoft’s Email Infrastructure
h2: Key Details
– Microsoft’s email infrastructure was recently targeted by a Chinese nation-state actor known as Storm-0558.
– The attack has a broader scope than initially believed.
– Cloud security company Wiz reveals important information about the attack.
h2: Extended Scope of the Attack
– The attack involved using an inactive Microsoft account (MSA) consumer signing key.
– The key was used to forge Azure Active Directory (Azure AD or AAD) tokens.
– Illicit access to Outlook Web Access (OWA) and other Microsoft services was gained through the forged tokens.
– The attackers could perform various malicious actions, such as reading users’ emails and accessing sensitive information.
h2: Wiz’s Findings
– Wiz explains how the attackers leveraged a chain of vulnerabilities to achieve their goals.
– The initial vulnerability exploited was a weak implementation of a cryptographic function called “HSM signing function” in MSA.
– The exploited vulnerability allowed the attackers to obtain the private keys for MSA.
– With the private keys, the attackers could forge Azure AD tokens and gain access to OWA and other Microsoft services.
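The token-forging step described above turns on one validation question: does the verifier accept any signing key it knows about, or only the keys that belong to the issuer the token claims? The following is an added illustration, not code from Wiz or Microsoft; it uses constructed key sets and HS256 secrets as a stand-in for the RSA signing keys the real services use, and shows that an issuer check alone does not help because the signer chooses the `iss` claim.

```python
import base64, hashlib, hmac, json, time

# Constructed key sets, one per token issuer. HS256 secrets stand in for the
# RSA signing keys the real services use; the scoping logic is what matters.
KEY_SETS = {
    "https://login.live.com": {"consumer-key-1": b"consumer-secret"},
    "https://login.microsoftonline.com/contoso": {"enterprise-key-1": b"enterprise-secret"},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(issuer: str, kid: str, key: bytes, claims: dict) -> str:
    """Build a JWT whose header names the signing key (kid) and whose body carries iss."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    body = _b64(json.dumps(dict(claims, iss=issuer)).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify(token: str, expected_issuer: str, scoped: bool = True) -> tuple:
    """scoped=True accepts only the issuer's own keys; scoped=False accepts any known key."""
    h, p, s = token.split(".")
    header, claims = json.loads(_unb64(h)), json.loads(_unb64(p))
    if scoped:
        candidates = KEY_SETS.get(expected_issuer, {})
    else:  # weak: a key from any issuer's set is good enough
        candidates = {k: v for ks in KEY_SETS.values() for k, v in ks.items()}
    key = candidates.get(header.get("kid"))
    if key is None:
        return False, "kid not valid for this issuer"
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s)):
        return False, "bad signature"
    if claims.get("iss") != expected_issuer:  # the signer sets iss, so this alone is not enough
        return False, "issuer mismatch"
    if claims.get("exp", 0) < time.time():
        return False, "expired"
    return True, "ok"

def demo() -> dict:
    enterprise = "https://login.microsoftonline.com/contoso"
    claims = {"sub": "user@contoso.example", "aud": "owa", "exp": time.time() + 600}
    # Token signed with the consumer-scope key but claiming the enterprise issuer.
    cross_scope = mint(enterprise, "consumer-key-1", b"consumer-secret", claims)
    legit = mint(enterprise, "enterprise-key-1", b"enterprise-secret", claims)
    return {"cross_scope_unscoped": verify(cross_scope, enterprise, scoped=False)[0],
            "cross_scope_scoped": verify(cross_scope, enterprise)[0],
            "legit_scoped": verify(legit, enterprise)[0]}
```

The unscoped verifier accepts the cross-scope token because its signature is cryptographically valid; only binding the key set to the expected issuer rejects it.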
h2: Implications and Recommendations
– The broad scope of this attack highlights the importance of robust security measures for email infrastructure.
– Users and organizations should ensure they have strong passwords, enable multi-factor authentication, and regularly update their software.
– Microsoft has since taken steps to mitigate the attack and has invalidated the affected MSA keys.
h2: Summary
In a recent attack on Microsoft’s email infrastructure, a Chinese nation-state actor known as Storm-0558 demonstrated a broader scope than initially believed. Cloud security company Wiz provides important insights into the attack, revealing that the perpetrators used an inactive Microsoft account (MSA) consumer signing key to forge Azure Active Directory (Azure AD or AAD) tokens. With these tokens, they gained illicit access to Outlook Web Access (OWA) and other Microsoft services. Wiz explains that the attackers exploited vulnerabilities in the MSA implementation, allowing them to obtain private keys and forge the tokens. This attack serves as a reminder of the importance of robust security measures for email infrastructure, such as strong passwords and multi-factor authentication. Microsoft has taken steps to mitigate the attack, invalidating the affected MSA keys. Stay vigilant and keep your email security strong!
Original Article: https://thehackernews.com/2023/07/azure-ad-token-forging-technique-in.html