Wiz Analysts Claim that MSA Cryptographic Key Allowed Hackers to Break into Many Microsoft Products

MSA cryptographic key
Wiz analysts are confident that the recent theft of Microsoft’s MSA (Microsoft account consumer signing key) cryptographic key from Microsoft could have much more serious consequences than the hacking of Exchange Online and Outlook accounts, which were compromised by the Chinese group Storm-0558. According to experts, the leak affects all Azure AD applications running with Microsoft OpenID v2.0.

Let me remind you that more than two dozen organizations around the world, including government agencies in the United States and Western Europe, became aware of the theft of the MSA key and the attack on Exchange Online and Azure Active Directory (AD) in mid-July 2023.

Then it was reported that in mid-May, attackers managed to gain access to Outlook accounts belonging to about 25 organizations, as well as to some user accounts that were likely associated with these organizations. The names of the affected organizations and government agencies were not disclosed. It is known that among the victims are the US State Department and the country’s Department of Commerce.

As explained by Microsoft, for this attack, the attackers used authentication tokens forged with an MSA (Microsoft account consumer signing key) cryptographic key, which is used to sign the tokens.

Thanks to a 0-day validation issue in GetAccessTokenForResourceAPI, hackers were able to forge someone else’s signed Azure Active Directory (Azure AD or AAD) tokens and impersonate their victims.

MSA cryptographic key

At the same time, Microsoft still has not explained how exactly such an important MSA key ended up in the hands of hackers.

Cloud security firm Wiz now says the issue has affected all Azure AD applications running Microsoft OpenID v2.0. The fact is that the stolen key could sign any OpenID v2.0 access token for personal accounts (for example, Xbox, Skype) and AAD multi-tenant applications under certain conditions.

By the way, we also talked about two sensational 0-day vulnerabilities in Exchange and about not always successful attempts by Microsoft to fix them. In addition, information security specialists reported that these and other problems in Exchange were exploited by attackers from the Lockbit group.

While Microsoft said only Exchange Online and Outlook were affected, Wiz believes the hackers could have used the compromised key to impersonate any account in any affected Microsoft client or cloud application. These include managed Microsoft applications such as Outlook, SharePoint, OneDrive, and Teams, as well as client applications that support Microsoft Account authentication, including those that enable the Login with Microsoft functionality.

Everything in the Microsoft ecosystem uses Azure Active Directory authentication tokens for access. An attacker with an AAD signing key is the most powerful attacker imaginable because he can access almost any application under the guise of any user. This is a real superpower – a cyber werewolf.the researchers explain.

In response to these allegations by researchers, Microsoft representatives reiterated that the company has revoked all MSA keys to ensure attackers do not have access to other compromised keys. And it completely prevents any attempts to create new tokens. The company also says that many Wiz experts’ statements “are speculative and not based on facts.”

After the stolen key was revoked, Microsoft reportedly found no additional evidence pointing to unauthorized access to customer accounts using the same token forgery method. In addition, Microsoft notes that Storm-0558’s tactics have changed, and hackers no longer have access to any signing keys.

At this stage, it is difficult to determine the full extent of the incident, as millions of applications (both Microsoft and customer applications) were potentially vulnerable, and most of them lack the necessary logs to determine if they were compromised.Wiz experts explain.

The fact is that before this incident, logging capabilities were available only to Microsoft customers who paid for the appropriate Purview Audit (Premium) license. Because of this, Microsoft faced serious criticism from the information security community, and experts said that Microsoft itself prevented organizations from quickly detecting Storm-0558 attacks.

As a result, under pressure from the community and the US Cybersecurity and Infrastructure Protection Agency (CISA), the company agreed to expand access to cloud log data for free so that defenders can detect similar hacking attempts in the future.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Volodymyr Krasnogolovy

I'm a journalist, cybersecurity specialist, content manager, copywriter, and photojournalist. With a deep passion for cybersecurity and a diverse skill set, I'm excited to share my expertise through this blog. From researching the latest threats to crafting engaging narratives and capturing powerful visuals, I strive to provide valuable insights and raise awareness about the importance of cybersecurity.

Leave a Reply