- The China-linked threat actors behind the theft of U.S. State Department and other Microsoft customer emails may have gained access to applications beyond Exchange Online and Outlook.com, according to a report released Friday by Wiz.
- Researchers said the compromised private encryption key may have allowed the hackers to forge access tokens for multiple types of Azure Active Directory applications, including SharePoint, Teams and OneDrive.
- “Many of the claims made in this blog are speculative and not evidence based,” a spokesperson for Microsoft said via email. “We recommend that customers review our blogs, specifically our Microsoft Threat Intelligence blog, to learn more about this incident and investigate their own environments using the indicators of compromise we’ve made public.”
Microsoft earlier this month warned that about 25 customers worldwide, including multiple government clients, were hacked by an advanced persistent threat group that Microsoft calls Storm-0558.
The hackers gained access to sensitive State Department emails as well as, reportedly, emails from the U.S. Commerce Secretary Gina Raimondo, among others. After government officials notified Microsoft about the compromise, the Cybersecurity and Infrastructure Security Agency worked with Microsoft on measures to contain the damage and further investigate how the hackers originally gained access.
The threat actor gained access to an MSA consumer signing key, which allowed it to forge access tokens for Exchange Online and Outlook.com, Microsoft said earlier this month. However, the Wiz research shows that the key provides access to a much wider array of applications.
“Our biggest surprise with this investigation came when we discovered that the threat actor’s impact could be much broader than most of the security community realized – many incorrectly assumed that it was limited to Outlook – and also, that we don’t know the full possible impact,” Nir Ohfeld, senior security researcher at Wiz, said via email.
Wiz researchers worked with Microsoft on the new research report, and organizations should search for forged token usage on any applications that might have been affected. Users should make sure none of the applications use a cached version of Microsoft OpenID public certificates, according to the report. If they do, refresh the cache.
Microsoft recently made security logging data available by default after a backlash from federal officials and rival security firms.