Microsoft's consumer signing key was stolen by a Chinese hacker group, affecting all of Microsoft's cloud services



According to research by the security firm Wiz, Microsoft's consumer signing key was stolen by a Chinese hacker group tracked as 'Storm-0558', enabling access to Exchange Online and Outlook.com accounts. It has been pointed out that

Compromised Microsoft Key: More Impactful Than We Thought | Wiz Blog

https://www.wiz.io/blog/storm-0558-compromised-microsoft-key-enables-authentication-of-countless-micr



Stolen Microsoft key offered widespread access to Microsoft cloud services
https://www.bleepingcomputer.com/news/security/stolen-microsoft-key-offered-widespread-access-to-microsoft-cloud-services/



The Storm-0558 group has been known to exist since at least 2016. Between June 27 and July 5, 2023, Microsoft's consumer signing key was compromised and confirmed to have been used maliciously, and it was detected that code had been replaced.

Microsoft says that only Exchange Online and Outlook.com are affected, but the affected organizations include the US Department of State, the Department of Commerce, and government agencies in the US and Western Europe. Wiz researchers say that an attacker holding the compromised Microsoft consumer signing key could impersonate any account in affected customer or cloud-based Microsoft applications.

'This includes Microsoft managed applications such as Outlook.com, SharePoint, OneDrive, and Teams, as well as customer applications that support Microsoft account authentication, such as applications that allow "Log in with Microsoft" functionality,' said Wiz security researcher Shir Tamari.

'Everything in the Microsoft world leverages Azure Active Directory authentication tokens for access,' Ami Luttwak, CTO and co-founder of Wiz, told BleepingComputer.



'An attacker with an Azure Active Directory signing key is the most powerful attacker imaginable because they have access to almost any app as any user. This is the ultimate cyber intelligence shapeshifter superpower,' Luttwak said.
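The point Luttwak makes above, that token-based access across a platform is only as strong as the signing keys each service agrees to trust, can be shown with a small verifier. The script below is an added illustration and is not code from the article, Wiz, or Microsoft: a service that pins its own trusted key set, issuer, audience and expiry rejects a token signed with a key from another key set, while a service that merges key sets accepts the same forged token. HMAC-SHA256, the key names, the issuer and the audience values are constructed stand-ins for Azure AD's asymmetric keys and real tenant values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample key sets (hypothetical, not Microsoft's). A real Azure AD
# deployment publishes asymmetric keys via JWKS; HMAC stands in here so the
# example runs offline with the standard library only.
ENTERPRISE_KEYS = {"ent-key-2023-07": b"enterprise-secret-constructed"}
CONSUMER_KEYS = {"msa-key-2023-07": b"consumer-secret-constructed"}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, kid: str, key: bytes) -> str:
    """Issue an HS256 JWT whose 'kid' header names the signing key."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    parts = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, trusted_keys: dict, issuer: str, audience: str, now=None):
    """Validate a token for one service. Returns (accepted, reason, claims)."""
    now = time.time() if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(c_b64))
        signature = _b64url_decode(s_b64)
    except (ValueError, json.JSONDecodeError):
        return False, "malformed", {}
    if header.get("alg") != "HS256":
        return False, "unexpected alg", claims
    kid = header.get("kid")
    # Key binding: the kid must be in the key set THIS service trusts. A key
    # that is valid elsewhere in the platform is still untrusted here.
    if kid not in trusted_keys:
        return False, f"untrusted kid {kid!r}", claims
    expected = hmac.new(trusted_keys[kid], f"{h_b64}.{c_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature", claims
    if claims.get("iss") != issuer:
        return False, "wrong issuer", claims
    if claims.get("aud") != audience:
        return False, "wrong audience", claims
    if claims.get("exp", 0) <= now:
        return False, "expired", claims
    return True, "ok", claims


def demo(now: float = 1_688_600_000.0) -> dict:
    """Tokens a constructed enterprise mail API might receive, and the verdict on each."""
    iss = "https://login.example.test/tenant-constructed"   # constructed issuer
    aud = "api://mail-constructed"                           # constructed audience
    claims = {"iss": iss, "aud": aud, "sub": "alice@example.test", "exp": now + 3600}
    legit = sign_token(claims, "ent-key-2023-07", ENTERPRISE_KEYS["ent-key-2023-07"])
    # Identical claims signed with the consumer key: a forgery from this
    # service's point of view, because that key should never vouch for it.
    forged = sign_token(claims, "msa-key-2023-07", CONSUMER_KEYS["msa-key-2023-07"])
    other_aud = sign_token({**claims, "aud": "api://files-constructed"},
                           "ent-key-2023-07", ENTERPRISE_KEYS["ent-key-2023-07"])
    # The weak configuration: one merged trusted set for every kind of token.
    merged = {**ENTERPRISE_KEYS, **CONSUMER_KEYS}
    checks = {
        "signed_with_enterprise_key": verify_token(legit, ENTERPRISE_KEYS, iss, aud, now),
        "signed_with_consumer_key": verify_token(forged, ENTERPRISE_KEYS, iss, aud, now),
        "wrong_audience": verify_token(other_aud, ENTERPRISE_KEYS, iss, aud, now),
        "merged_key_set_accepts_forgery": verify_token(forged, merged, iss, aud, now),
    }
    return {name: (ok, reason) for name, (ok, reason, _) in checks.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:32} -> {outcome}")
```

The rejection reason string is what a defender would log and alert on: a burst of "untrusted kid" rejections, or a kid that suddenly appears across services that never saw it before, is the kind of signal that separates a scoped key set from a merged one.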

Microsoft has responded to Storm-0558's tactics and reports that the group no longer has access to Microsoft's consumer signing key. However, at the time of writing, Microsoft does not know how Storm-0558 was able to obtain the key.

・Follow-up
It turns out that Chinese hackers stole the signing key from a Windows crash dump - GIGAZINE



in Security, Posted by log1i_yk