Microsoft explains how Chinese hackers managed to hack the accounts of US officials

Carding

The July attack on Azure and Exchange accounts is gaining new details.

Microsoft yesterday revealed details of the hacking of its corporate network, which became known in July. Then it was reported that hackers from the Storm-0558 group were inside the company's networks for more than a month and gained access to many Azure and Exchange accounts, several of which belonged to the US State Department and the US Department of Commerce.

Storm-0558 was able to do this by stealing the expired signature key of Microsoft consumer accounts and using it to forge tokens for the Active Directory cloud service.

Now it has become known that the corporate account of one of the Microsoft engineers was previously hacked. This is how the attackers got access to his signature key.

According to Microsoft, such keys are trusted only to employees who have passed verification and use special workstations with multi-factor authentication. But in April 2021, one of these stations failed, as a result of which the key got into the corporate environment in a memory dump file.

As for using the key to access corporate services, the problem was that when combining consumer and corporate cloud services in 2018, the company did not implement correct cryptographic key validation.

Because of this, the system accepted requests for access to corporate mail with tokens signed with a consumer key. This problem has now been fixed.

Microsoft also said that in about 25 organizations, one or more accounts were hacked during a malicious campaign that began on May 15 and lasted until June 16. Microsoft didn't know about the massive hack until customers informed it.

The corporation described the Storm-0558 group as advanced attackers based in China, whose actions and methods correspond to the purposes of espionage.

According to Microsoft, the group targets a wide range of organizations. These include: U.S. and European diplomatic, economic, and legislative governments, individuals associated with Taiwanese and Uighur geopolitical interests, media companies, think tanks, and telecommunications equipment and service providers.

Shortly after the July hack, many criticized Microsoft for its lack of transparency regarding the investigation. The data released by the company yesterday is a big step in terms of responsibility to customers, although the Redmond corporation still has a lot of work to do in this direction.
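The validation flaw described above (a token signed with a consumer key being accepted by enterprise services) comes down to a key-scoping check that was missing. The following is an added illustration and is not Microsoft's code or a reproduction of its token format: it uses a simplified HMAC-signed JWT-like token, a constructed two-key keyring in which each key carries a scope ("consumer" or "enterprise"), and hypothetical function names. It contrasts a validator that only checks signature and audience against a merged keyring with one that also requires the signing key's scope to match the service being accessed.

```python
import base64
import binascii
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class SigningKey:
    kid: str
    secret: bytes
    scope: str  # "consumer" or "enterprise": which identity system this key may vouch for


# Constructed demo keyring (not real keys). Both keys are "trusted" by the
# verifier, mirroring a merged consumer + enterprise key set.
KEYRING: Dict[str, SigningKey] = {
    "consumer-key-1": SigningKey("consumer-key-1", b"demo-consumer-secret", "consumer"),
    "enterprise-key-1": SigningKey("enterprise-key-1", b"demo-enterprise-secret", "enterprise"),
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(key: SigningKey, claims: dict) -> str:
    """Issue a minimal HS256 token: header.claims.signature, all base64url."""
    header = {"alg": "HS256", "kid": key.kid}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key.secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _verify_signature(token: str) -> Optional[Tuple[dict, SigningKey]]:
    """Look up the key named in the header and check the HMAC. Returns (claims, key) or None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(head_b64))
        provided_sig = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(claims_b64))
    except (binascii.Error, ValueError):
        return None
    key = KEYRING.get(header.get("kid"))
    if key is None:
        return None
    expected = hmac.new(key.secret, f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided_sig):
        return None
    return claims, key


def validate_weak(token: str, expected_aud: str) -> bool:
    """Weak: any key in the merged keyring may vouch for any audience.

    A valid signature from the consumer key on a token whose audience is the
    enterprise mail service is accepted, which is the class of flaw described.
    """
    result = _verify_signature(token)
    if result is None:
        return False
    claims, _key = result
    return claims.get("aud") == expected_aud


def validate_strict(token: str, expected_aud: str, required_scope: str) -> bool:
    """Strict: the signing key's scope must match the service's identity system."""
    result = _verify_signature(token)
    if result is None:
        return False
    claims, key = result
    if claims.get("aud") != expected_aud:
        return False
    # The missing check: a consumer-scoped key must never authenticate to an
    # enterprise-scoped service, however valid its signature is.
    return key.scope == required_scope


if __name__ == "__main__":
    claims = {"aud": "enterprise-mail", "sub": "demo-user"}  # constructed claims
    cross_scope = mint_token(KEYRING["consumer-key-1"], claims)
    proper = mint_token(KEYRING["enterprise-key-1"], claims)
    print("consumer-signed, weak  :", validate_weak(cross_scope, "enterprise-mail"))
    print("consumer-signed, strict:", validate_strict(cross_scope, "enterprise-mail", "enterprise"))
    print("enterprise-signed, strict:", validate_strict(proper, "enterprise-mail", "enterprise"))
```

The point of the strict validator is that signature validity alone is not authorization: once key sets from two identity systems share one verifier, each key must also be bound to the audiences it is allowed to vouch for, and that binding has to be checked on every request.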