On Friday, Microsoft attempted to explain the cause of a breach that gave hackers working for the Chinese government access to the email accounts of 25 organizations, reportedly including the US Departments of State and Commerce and other sensitive organizations.

In a post on Friday, the company indicated that the compromise resulted from three exploited vulnerabilities in either its Exchange Online email service or Azure Active Directory, an identity service that manages single sign-on and multifactor authentication for large organizations.

Microsoft’s Threat Intelligence team said that Storm-0558, a China-based hacking outfit that conducts espionage on behalf of that country’s government, exploited them starting on May 15. Microsoft drove out the attackers on June 16 after a customer tipped off company researchers to the intrusion.

In standard parlance among security professionals, this means that Storm-0558 exploited zero-days in the Microsoft cloud services. A “zero-day” is a vulnerability that is known to or exploited by outsiders before the vendor has a patch for it. “Exploit” means using code or other means to trigger a vulnerability in a way that causes harm to the vendor or others.

While both conditions are clearly met in the Storm-0558 intrusion, Friday’s post and two others Microsoft published Tuesday bend over backward to avoid the words “vulnerability” or “zero-day.” Instead, the company uses considerably more amorphous terms such as “issue,” “error,” and “flaw” when attempting to explain how nation-state hackers tracked the email accounts of some of the company's biggest customers.

“In-depth analysis of the Exchange Online activity discovered that in fact the actor was forging Azure AD tokens using an acquired Microsoft account (MSA) consumer signing key,” Microsoft researchers wrote Friday. “This was made possible by a validation error in Microsoft code.”

Later in the post, the researchers said that Storm-0558 acquired an inactive signing key used for consumer cloud accounts and somehow managed to use it to forge tokens for Azure AD, a supposedly fortified cloud service that, in effect, stores the keys that thousands of organizations use to manage logins for accounts on both their internal networks and cloud-based ones.

“The method by which the actor acquired the key is a matter of ongoing investigation,” the post stated. “Though the key was intended only for MSA accounts, a validation issue allowed this key to be trusted for signing Azure AD tokens.”
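
The failure class named in Microsoft's statement, a signing key trusted outside the account type it was intended for, can be modelled with a validator that checks only the signature beside one that also binds each key to the issuer it may sign for. This is an added illustration, not Microsoft's code or anything from the article: the key names, issuer URLs and secrets are constructed, and HMAC stands in for the asymmetric signatures real token services use.

```python
import base64, hashlib, hmac, json

# Constructed key store: each key records the issuer family it may sign for.
KEYS = {
    "consumer-key-1": {"secret": b"constructed-consumer-secret", "scope": "consumer"},
    "enterprise-key-1": {"secret": b"constructed-enterprise-secret", "scope": "enterprise"},
}
# Constructed issuer names mapped to the key scope each one requires.
ISSUER_SCOPE = {"https://login.example/consumer": "consumer",
                "https://login.example/enterprise": "enterprise"}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(kid: str, claims: dict) -> str:
    """Issue a token as header.payload.signature using the named key."""
    body = _b64(json.dumps({"kid": kid}).encode()) + "." + _b64(json.dumps(claims).encode())
    mac = hmac.new(KEYS[kid]["secret"], body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(mac)

def _verified_claims(token: str):
    """Return (key record, claims) if the signature matches a known key, else None."""
    try:
        header, payload, sig = token.split(".")
        key = KEYS[json.loads(_unb64(header))["kid"]]
        expected = hmac.new(key["secret"], f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        return key, json.loads(_unb64(payload))
    except (ValueError, KeyError, TypeError):
        return None

def validate_signature_only(token: str) -> bool:
    """Weak check: any key in the store is trusted for any issuer."""
    return _verified_claims(token) is not None

def validate_with_key_scope(token: str) -> bool:
    """Hardened check: the signing key's scope must match the issuer claim."""
    result = _verified_claims(token)
    if result is None:
        return False
    key, claims = result
    required = ISSUER_SCOPE.get(claims.get("iss"))
    return required is not None and key["scope"] == required
```

A token signed by the consumer key but carrying the enterprise issuer passes the first validator and is rejected by the second, which is the check a relying service needs when one key store serves more than one account type.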