San Francisco, Sep 9 (IANS) China-backed hackers stole a Microsoft digital consumer key to gain unfettered access to US government mail, and the tech giant has now revealed how the cybercriminals pulled off one of the biggest heists in corporate and government circles.
Storm-0558, a threat actor based in China, forged tokens to access OWA (Outlook Web App) and Outlook.com using a Microsoft account (MSA) consumer key that it had obtained.
Before this week, when Microsoft finally revealed the five distinct problems that eventually led to the exposure of the consumer email signing key, it was unclear how the hackers were able to obtain the key for consumer email.
Following these events, in April 2021 a Chinese espionage group that Microsoft tracks as Storm-0558 compromised a Microsoft engineer’s corporate account. Though it hasn’t disclosed how the malware infection happened, Microsoft says that the engineer’s account was compromised using an access token stolen from a compromised machine.
The snapshot image was “subsequently moved from the isolated production network into our debugging environment on the internet-connected corporate network” to ascertain the cause of the system crash. Microsoft said that while this was in line with its standard debugging process, its credential-scanning methods also failed to detect the key in the snapshot image.
Microsoft went on to say that the Storm-0558 hackers were able to “successfully compromise” a Microsoft engineer’s corporate account sometime after the snapshot image was moved to Microsoft’s corporate network in April 2021. That account had access to the debugging environment where the consumer signing key was kept in the snapshot image. Microsoft said it cannot be certain that this was the method used to steal the key because “we don’t have logs with specific evidence of this exfiltration,” but called it the “most probable mechanism by which the actor acquired the key.”
Mystery solved? Not quite
Microsoft’s admission that the consumer signing key was probably stolen from its systems puts an end to the notion that the key may have been obtained somewhere else.
However, it’s still unclear exactly how the intruders gained access to Microsoft. When reached for a response, Microsoft’s Jeff Jones, a senior director, told TechCrunch that the engineer’s account had been compromised by “token-stealing malware,” but he declined to explain further.
Token-stealing malware, which can spread through malicious links or phishing emails, searches a victim’s PC for session tokens. Session tokens are small files that keep a user logged in without having to constantly re-enter a password or complete two-factor authentication. As a result, a stolen session token can give an attacker the same level of access as the user, without needing the user’s password or two-factor code.
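The paragraph above describes why a copied session token is as good as a password plus second factor: the server accepts the bearer of the token as the user. The following is an added example, not code from Microsoft or from any product named in this article, showing one server-side mitigation a defender can apply. A session store binds each token to a keyed hash of the client that received it and to a short lifetime; a token presented from a different client is rejected, the session is killed, and an alert is recorded. The `SessionStore` class, the fingerprint scheme (IP plus User-Agent is a stand-in for a stronger device binding) and all sample values are assumptions constructed for the demo.

```python
"""Session-token hardening demo (added example, not production code from any
vendor in the article). Tokens are bound to the client that received them and
expire quickly, so a token lifted off a victim's machine is far less useful
when replayed from elsewhere. Fingerprint scheme and values are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

TOKEN_TTL_SECONDS = 900  # constructed value: 15-minute lifetime


@dataclass
class Session:
    user: str
    fp_hash: str       # keyed hash of the client fingerprint the token was issued to
    issued_at: float
    last_seen: float


def fingerprint(client_ip: str, user_agent: str) -> str:
    """Reduce what the server knows about the client to a stable string.
    A real deployment would bind to something harder to copy (a device
    certificate, token binding); IP plus User-Agent is only a stand-in."""
    return f"{client_ip}|{user_agent}"


class SessionStore:
    def __init__(self, server_secret: bytes, ttl: int = TOKEN_TTL_SECONDS):
        self._secret = server_secret
        self._ttl = ttl
        self._sessions: Dict[str, Session] = {}
        self.alerts: List[str] = []   # what a SOC would pick up from this store

    def _fp_hash(self, fp: str) -> str:
        # keyed hash so a leaked store does not reveal client fingerprints
        return hmac.new(self._secret, fp.encode(), hashlib.sha256).hexdigest()

    def issue(self, user: str, fp: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, self._fp_hash(fp), now, now)
        return token

    def validate(self, token: str, fp: str, now: float) -> Optional[str]:
        """Return the user for a valid token, or None. A token presented from a
        client other than the one it was issued to is treated as suspected theft."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if now - sess.issued_at > self._ttl:
            del self._sessions[token]          # expired: short TTL limits replay window
            return None
        if not hmac.compare_digest(sess.fp_hash, self._fp_hash(fp)):
            del self._sessions[token]          # kill the session, do not just deny
            self.alerts.append(f"session for {sess.user} presented from unexpected client")
            return None
        sess.last_seen = now
        return sess.user

    def revoke_user(self, user: str) -> int:
        """Invalidate every session for a user (e.g. after a confirmed infection)."""
        doomed = [t for t, s in self._sessions.items() if s.user == user]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)


def demo() -> dict:
    """Walk through owner use, replay from another client, and expiry."""
    store = SessionStore(server_secret=b"constructed-demo-secret")
    t0 = 1_700_000_000.0                      # constructed timestamp
    victim_fp = fingerprint("203.0.113.10", "Mozilla/5.0 (Windows NT 10.0)")
    other_fp = fingerprint("198.51.100.7", "curl/8.0")
    token = store.issue("engineer@example.test", victim_fp, t0)
    results = {
        "owner": store.validate(token, victim_fp, t0 + 60),
        "replay_elsewhere": store.validate(token, other_fp, t0 + 120),
        "owner_after_replay": store.validate(token, victim_fp, t0 + 180),
        "alerts": list(store.alerts),
    }
    token2 = store.issue("engineer@example.test", victim_fp, t0)
    results["expired"] = store.validate(token2, victim_fp, t0 + TOKEN_TTL_SECONDS + 1)
    results["revoked"] = store.revoke_user("engineer@example.test")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the design is that the token alone stops being a complete credential: it must arrive with the client context it was bound to, and it dies on its own after a short window. Killing the session on a mismatch (rather than only refusing the request) also logs out the legitimate user, which is deliberate: a token seen from two clients is a signal worth an alert and a forced re-authentication.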
This is a similar attack method to the one used by Lapsus$, a group of teenage hackers who broke into Uber last year after using malware to obtain session tokens and employee passwords. A similar attack against software company CircleCI occurred in January after antivirus software failed to detect token-stealing malware on an engineer’s laptop. LastPass also suffered a significant data breach involving its customers’ password vaults after hackers gained access to the company’s cloud storage through a LastPass developer’s infected computer.