Microsoft Signing Key Stolen by Hackers

Storm-0558 steals Microsoft signing keys.

Microsoft recently learned that a private signing key was stolen and exploited as early as May 15, 2023.

This was first announced on July 11 in this article.

According to Microsoft's investigations, the private key was stolen by Chinese hacker(s), Storm-0558, who then used it to forge tokens to access Exchange Online mailboxes of prominent government and NGO figures and agencies. This technique completely circumvents MFA protection of accounts and is very hard to mitigate.

According to sources, the targets included American and European diplomats and NGOs related to Taiwan and Uyghur interests.

The hack was discovered when anomalous traffic was detected, and the compromised key has since been invalidated.

What Are the Consequences of the Storm-0558 Exploit?

Questions remain, on both a technical and a security level, as to whether any other Azure services were compromised apart from email services.

Also, it’s relevant to consider what other private keys could have been compromised during this hack.

This incident is a huge blow to the trustworthiness of Microsoft (and other) cloud services.

Additionally, even though Chinese authorities deny any involvement, this incident is likely to have a negative impact on the already souring relations between China and Western democracies.

Exploit Details and Mitigation

You’ll find an update from Microsoft regarding the exploit here.

According to this statement, the last exploit was seen on July 4.

Microsoft has taken the following actions to mitigate this and similar future attacks:

  • On June 26, OWA stopped accepting tokens issued from GetAccessTokensForResource for renewal, which mitigated the token renewal being abused.
  • On June 27, Microsoft blocked the usage of tokens signed with the acquired MSA key in OWA preventing further threat actor enterprise mail activity.
  • On June 29, Microsoft completed replacement of the key to prevent the threat actor from using it to forge tokens. Microsoft revoked all MSA signing keys which were valid at the time of the incident, including the actor-acquired MSA key. The new MSA signing keys are issued in substantially updated systems which benefit from hardening not present at issuance of the actor-acquired MSA key:
    • Microsoft has increased the isolation of these systems from corporate environments, applications, and users.
    • Microsoft has refined monitoring of all systems related to key activity, and increased automated alerting related to this monitoring.
    • Microsoft has moved the MSA signing keys to the key store used for our enterprise systems.
  • On July 3, Microsoft blocked usage of the key for all impacted consumer customers to prevent use of previously-issued tokens.
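
Blocking a key, as in the June 27 and July 3 steps above, means the service refuses tokens that name that key even though their signatures still verify. The validator below is an added example, not Microsoft's code; the key IDs, secrets and function names are constructed, and HMAC-SHA256 stands in for the asymmetric signature a real token service uses.

```python
import base64, hashlib, hmac, json

# Constructed keys. HMAC-SHA256 stands in for the asymmetric signature a real
# token service uses, so the example runs on the standard library alone.
SIGNING_KEYS = {"kid-old": b"constructed-old-secret",   # plays the acquired key
                "kid-new": b"constructed-new-secret"}   # plays its replacement
REVOKED_KIDS = {"kid-old"}                              # blocked after the incident

def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac(kid, signed_part):
    return hmac.new(SIGNING_KEYS[kid], signed_part.encode(), hashlib.sha256).digest()

def sign_token(kid, claims):
    """Issue a JWT-shaped token: header.body.signature."""
    header = b64e(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = b64e(json.dumps(claims).encode())
    return f"{header}.{body}.{b64e(mac(kid, header + '.' + body))}"

def validate_token(token):
    """Return (accepted, reason). A valid signature alone is not sufficient."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64d(header_b64))
        signature = b64d(sig_b64)
    except ValueError:                      # wrong part count, bad base64 or JSON
        return False, "malformed"
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "unsupported header"
    kid = header.get("kid")
    if not isinstance(kid, str) or kid not in SIGNING_KEYS:
        return False, "unknown key"
    if not hmac.compare_digest(signature, mac(kid, header_b64 + "." + body_b64)):
        return False, "bad signature"
    if kid in REVOKED_KIDS:                 # checked last: worth alerting on
        return False, "valid signature from revoked key"
    return True, "ok"

if __name__ == "__main__":
    claims = {"sub": "user@example.org", "aud": "mail.example"}  # constructed
    for kid in ("kid-old", "kid-new"):
        print(kid, validate_token(sign_token(kid, claims)))
```

Because the revocation check runs after signature verification, the "valid signature from revoked key" result singles out tokens made with the blocked key, which is a useful event to log and alert on.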

According to Microsoft, no further customer action is required related to this matter.