# Full Report
Our investigation of the security incident disclosed by Microsoft and CISA and attributed to the Chinese threat actor Storm-0558 found that this incident appears to have a broader scope than originally assumed. Organizations using Microsoft and Azure services should take steps to assess the potential impact.
# Analysis Summary
# Threat Actor: STORM-0558
## Attribution & Identity
Threat actor attributed to China. Associated with an incident disclosed in July 2023 involving the compromise of Microsoft services.
## Activity Summary
Storm-0558 acquired a private encryption key (the MSA key) belonging to Microsoft's MSA tenant in Azure and used it to forge access tokens, initially impacting Outlook Web Access (OWA) and Outlook.com. Wiz Research determined that the compromised key could also have been used to forge tokens for multiple types of Azure Active Directory applications that support personal-account authentication, including SharePoint, Teams, and OneDrive, where an application was not properly protected or had not updated its verification cache.
## Tactics, Techniques & Procedures
- **Token Forging:** Used a compromised private signing key associated with Microsoft Accounts (MSA) to forge valid access tokens.
- **Exploitation of Token Verification:** Exploited two security issues within Microsoft's token verification process to facilitate unauthorized access.
- **Key Compromise/Acquisition:** Gained access to a cryptographic signing key (MSA Key).
## Targeting
- Sectors: General cloud users leveraging Microsoft services (Exchange Online, Outlook.com, Azure AD applications).
- Geography: Not explicitly specified, but attributed to China.
- Victims: Customers of Exchange Online and Outlook.com were initially impacted. The potential scope included any application supporting "login with Microsoft" functionality.
## Tools & Infrastructure
- Malware families used: Not specified in the summary; the focus was on key compromise.
- Infrastructure (C2, domains, IPs): Not specified; the activity relied on the compromised key rather than on any external C2 infrastructure mentioned in this summary.
## Implications
The compromise of an identity provider's signing key is considered extremely high impact: it can grant an attacker single-hop access to email mailboxes, file services, and cloud accounts across many applications. The inability of many deployed applications to log or detect forged tokens creates a significant blind spot for detection and for determining the scope of the incident.
## Mitigations
- Revoke the impacted encryption key (action already taken by Microsoft).
- Update Azure SDK to the latest version.
- Ensure application caches are updated to prevent the continued acceptance of tokens signed with the previously valid, but now compromised, key.
- Improve logging of the crucial fields involved in token verification to aid future anomaly detection.
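As an added illustration (not code from the Wiz report or from Microsoft), the following Python sketches the two mitigations above, the cache update and the verification logging: a token signed with a withdrawn key is still accepted by a verifier whose key cache is stale, while an explicit revocation list or a cache that re-fetches on an unknown key ID rejects it, and every decision is logged with the key ID and issuer. The key material, key IDs, issuer and HMAC-SHA256 signer are constructed stand-ins for the RS256 JWKS keys a real identity provider publishes.

```python
import base64, hashlib, hmac, json, time
# Constructed keys standing in for an IdP's published RS256 JWKS; HMAC-SHA256 keeps the demo offline.
PUBLISHED_V1 = {"kid-old": b"secret-old", "kid-new": b"secret-new"}
PUBLISHED_V2 = {"kid-new": b"secret-new"}  # publisher has since dropped kid-old
REVOKED_KIDS = {"kid-old"}                 # key ID announced as compromised

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(kid: str, claims: dict, key: bytes) -> str:
    """Constructed signer used only to mint sample tokens for the demo."""
    head = _b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

class SigningKeyCache:
    """Verification-key cache; re-fetches on an unknown kid or when its entries age out."""
    def __init__(self, fetch, initial=None, max_age=3600):
        self.fetch, self.max_age, self.fetched_at = fetch, max_age, time.time()
        self.keys = dict(initial) if initial is not None else fetch()
    def get(self, kid):
        if kid not in self.keys or time.time() - self.fetched_at > self.max_age:
            self.keys, self.fetched_at = self.fetch(), time.time()  # drop stale entries
        return self.keys.get(kid)

def verify_token(token: str, cache: SigningKeyCache, revoked: set, audit_log: list) -> str:
    """Return 'ok' or a rejection reason; log kid, iss, alg and the verdict either way."""
    head_b64, body_b64, sig_b64 = token.split(".")
    header, claims = json.loads(_unb64url(head_b64)), json.loads(_unb64url(body_b64))
    kid = header.get("kid")
    if kid in revoked:
        verdict = "rejected:revoked-kid"       # an explicit blocklist beats a stale cache
    elif (key := cache.get(kid)) is None:
        verdict = "rejected:unknown-kid"
    else:
        want = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        verdict = "ok" if hmac.compare_digest(want, _unb64url(sig_b64)) else "rejected:bad-signature"
    audit_log.append({"kid": kid, "iss": claims.get("iss"), "alg": header.get("alg"), "verdict": verdict})
    return verdict

def demo():
    """A token signed with the withdrawn key against a cache still seeded from PUBLISHED_V1."""
    forged = make_token("kid-old", {"iss": "https://idp.example/", "sub": "victim"}, b"secret-old")
    cache, log = SigningKeyCache(lambda: PUBLISHED_V2, initial=PUBLISHED_V1), []
    return verify_token(forged, cache, set(), log), verify_token(forged, cache, REVOKED_KIDS, log), log
```

The first verdict returned by demo() is the blind spot the report describes: a cache that still holds the withdrawn key accepts the forged token and nothing but the audit log records which key ID was used.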