Chinese Cyberspies Obtained Microsoft Signing Key From Windows Crash Dump Due to a Mistake

Cyber Security Threat Summary:
In July, Microsoft announced it had mitigated an attack conducted by a China-linked threat actor, tracked as Storm-0558, which targeted customer emails. Storm-0558 threat actors focus on government agencies in Western Europe and were observed conducting cyberespionage, data theft, and credential access attacks. The attack was reported by a customer on June 16, 2023. The investigation revealed that the attack began on May 15, 2023, when Storm-0558 gained access to email accounts affecting approximately 25 organizations, including government agencies as well as related consumer accounts of individuals likely associated with these organizations” (Security Affairs, 2023).

The attackers were able to forge authentication tokens, which they used to access user email using an acquired Microsoft account (MSA) consumer signing key. This week Microsoft released details surrounding how the threat actors gained access to the MSA key.

The company discovered that threat actors stole a signing key used to breach government email accounts from a Windows crash dump after compromising a Microsoft engineer’s corporate account. They then used that MSA key to forge tokens to access OWA and outlook[.]com. Then, by exploiting a token validation issue, they impersonated Azure AD users to gain access to enterprise mail.

Security Officer Comments:
The MSA key was accidently leaked in a crash dump after a consumer signing system crashed in April 2021. Microsoft says these crash dumps should not include signing keys, but a race condition allowed the key to be present. This issue has since been fixed by the company. The presence of the MSA key in the dump was not detected by Microsoft, and the dump was moved from the isolated production network into the companies debugging environment which was exposed to the internet-connected corporate network,

“After April 2021, when the key was leaked to the corporate environment in the crash dump, the Storm-0558 actor was able to successfully compromise a Microsoft engineer’s corporate account. This account had access to the debugging environment containing the crash dump which incorrectly contained the key.” reads the analysis published by Microsoft.

Microsoft says they don’t have specific evidence of this exfiltration by the actor due to log retention policies, but say this was likely the most probably mechanism by which the threat actors acquired the key.

Suggested Correction(s):
Microsoft has revoked all valid MSA signing keys to prevent attackers from accessing other compromised keys. They have also identified and fixed the race condition that allowed the signing keys to be present in crash dumps. Additionally, the company has enhanced prevention, detection, and response functions for key management. Improved scanning will also help the company better detect the presence of signing keys in the debugging environment.