Microsoft explained how Chinese Storm-0558 APT stole one of its secret keys

The breach of a Microsoft engineer's corporate account led to the July hack of senior officials at the US State and Commerce departments, Redmond revealed.

In this cyber espionage campaign a China-based threat actor tracked as Storm-0558 breached an unidentified number of email accounts linked to around 25 organizations, including related individual consumer accounts and government agencies in Western Europe and the US. The threat actor gained access to customer email accounts in Outlook Web Access in Exchange Online (OWA) and Outlook.com by forging authentication tokens.

Microsoft said at the time that it didn’t know how the threat actors obtained an inactive Microsoft account (MSA) consumer signing key used to breach the Exchange Online and Azure AD accounts.

Further investigation revealed that the attackers stole the signing key from a Windows crash dump after compromising a Microsoft engineer’s corporate account. The tech giant discovered that the MSA key was accidentally leaked into a crash dump after a consumer signing system crashed in April 2021. The company said the engineer's account had been compromised using “token-stealing malware” but did not elaborate on the matter.

Crash dumps should not contain the signing key; however, a race condition allowed the key to be present in this crash dump. The key material's presence in the crash dump was not detected by Microsoft's systems, the company explained, adding that the issue has since been addressed.
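The failure described above has two layers: the scrubbing step that should have removed the key from the dump, and the detection step that should have caught the key when scrubbing failed. The following is an added example of that second layer, written here as a pre-export check; it is not Microsoft's code and does not reflect how its systems work. It assumes a crash dump is a plain byte blob, that signing keys would appear either as PEM blocks, as a JSON Web Key carrying the private `d` parameter, or as a long high-entropy base64 run, and the sample dump is constructed inline with seeded random bytes standing in for key material.

```python
"""Pre-export scan of a crash dump for leaked key material.

Added example, not Microsoft's code. The patterns, the entropy threshold
and the sample dump are assumptions made for illustration.
"""
import base64
import math
import random
import re
from collections import Counter
from dataclasses import dataclass

# Hypothetical detectors for serialized signing keys (assumption: keys would
# surface in one of these forms if they leaked into process memory).
PEM_PRIVATE = re.compile(
    rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----.*?"
    rb"-----END (?:RSA |EC |OPENSSH )?PRIVATE KEY-----",
    re.DOTALL,
)
JWK_PRIVATE = re.compile(
    rb'"kty"\s*:\s*"RSA"[^}]*"d"\s*:\s*"[A-Za-z0-9_-]{200,}"', re.DOTALL
)
# Long runs of base64/base64url characters: candidate raw key material,
# confirmed only if the run is also high-entropy.
B64_RUN = re.compile(rb"[A-Za-z0-9+/_-]{256,}={0,2}")


@dataclass
class Finding:
    kind: str
    offset: int
    length: int


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; random base64 text scores close to 6, padding near 0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _overlaps(start: int, end: int, ranges: list[tuple[int, int]]) -> bool:
    return any(start < e and s < end for s, e in ranges)


def scan_dump(dump: bytes, entropy_threshold: float = 5.0) -> list[Finding]:
    """Return every region of the dump that looks like key material."""
    findings: list[Finding] = []
    covered: list[tuple[int, int]] = []
    for kind, pattern in (("pem_private_key", PEM_PRIVATE),
                          ("jwk_private_key", JWK_PRIVATE)):
        for m in pattern.finditer(dump):
            findings.append(Finding(kind, m.start(), m.end() - m.start()))
            covered.append((m.start(), m.end()))
    # Generic high-entropy blobs, skipping runs already attributed to a
    # structured key above so the same bytes are not reported twice.
    for m in B64_RUN.finditer(dump):
        if _overlaps(m.start(), m.end(), covered):
            continue
        if shannon_entropy(m.group()) >= entropy_threshold:
            findings.append(Finding("high_entropy_blob", m.start(),
                                    m.end() - m.start()))
    return sorted(findings, key=lambda f: f.offset)


def is_safe_to_export(dump: bytes) -> bool:
    """Gate for moving a dump out of the production boundary: no findings."""
    return not scan_dump(dump)


def _constructed_dump() -> bytes:
    """Constructed sample dump: stack-trace filler plus three planted secrets."""
    rng = random.Random(20230906)  # fixed seed so the sample is reproducible
    rand = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    pem = (b"-----BEGIN PRIVATE KEY-----\n" + base64.b64encode(rand(128))
           + b"\n-----END PRIVATE KEY-----")
    b64url = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=")
    jwk = (b'{"kty":"RSA","n":"' + b64url(rand(256)) + b'","e":"AQAB","d":"'
           + b64url(rand(256)) + b'"}')
    blob = base64.b64encode(rand(256))          # raw key bytes, no framing
    padding = b"A" * 300                         # long but low-entropy: benign
    return (b"Exception 0xC0000005 in signing service thread 7\n"
            b"frame 0: token_sign+0x1a4\n" + pem + b"\nheap region:\n" + jwk
            + b"\n" + blob + b"\nzero page: " + padding + b"\nend of dump\n")


SAMPLE_DUMP = _constructed_dump()

if __name__ == "__main__":
    for f in scan_dump(SAMPLE_DUMP):
        print(f"{f.kind:18} at offset {f.offset:6} ({f.length} bytes)")
    print("safe to export:", is_safe_to_export(SAMPLE_DUMP))
```

The entropy fallback is what catches key material that has no recognizable framing, which is the case a signature-only scrubber misses; the overlap check keeps a PEM body from being reported a second time as a generic blob. In practice this gate would sit at the point where a dump leaves the production environment, before it reaches any debugging system that engineers' corporate accounts can reach.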

“After April 2021, when the key was leaked to the corporate environment in the crash dump, the Storm-0558 actor was able to successfully compromise a Microsoft engineer’s corporate account. This account had access to the debugging environment containing the crash dump which incorrectly contained the key. Due to log retention policies, we don’t have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key,” Microsoft said.

The tech giant said that multiple issues that led to the leak of the key have been resolved.
