Stolen Cryptographic Key: Microsoft's Golden Ticket for Chinese Spies

A hacker group suspected of ties to Beijing recently broke into Outlook and Exchange Online mailboxes, as well as other Microsoft cloud services. The attackers did this with a stolen cryptographic signing key, which let them forge access tokens and impersonate the corporation's customers.

Using these forged tokens, the hackers gained access to the email accounts of high-ranking US officials, including Secretary of Commerce Gina Raimondo, Assistant Secretary of State for East Asia Daniel Kritenbrink, and Ambassador to China Nicholas Burns.

The breach was detected by a US federal agency, which then alerted Microsoft. Microsoft has not disclosed exactly how the hackers obtained the cryptographic key; soon after the attack was detected, the corporation revoked it.

Shir Tamari, head of research at Wiz, stated that this key was far more powerful than it might initially seem. The claim is credible: Wiz was founded by former security engineers from Microsoft's cloud division, who have extensive knowledge of the company's internal workings.

According to Wiz's report, the stolen key could be used to access a wide range of Azure Active Directory (AAD) applications, including Microsoft's own applications that authenticate with OpenID v2.0 tokens, such as Outlook, SharePoint, OneDrive, and Teams.

Furthermore, the key could be used against customer applications that support the "Sign in with Microsoft" feature, as well as multi-tenant applications configured to use the common v2.0 endpoint instead of the organization-specific one.

Microsoft, however, disputes Wiz's conclusions and advises its customers to consult the company's own blogs, specifically Microsoft Threat Intelligence, to learn more about the incident and to check their environments against the published indicators of compromise.

Microsoft publicly acknowledged the attack on July 11. In an update released on July 14, the corporation stated that the hackers had used the forged tokens to infiltrate government agencies for espionage purposes.

According to the Wiz security team, the Chinese group appears to have obtained one of the several keys used to verify AAD access tokens. This allowed them to sign, on Microsoft's behalf, OpenID v2.0 access tokens for personal accounts as well as for multi-tenant and personal AAD applications.
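The failure mode Wiz describes is that an application trusting the shared (common) key set accepts any token carrying a valid signature from any key in that set, so a key meant for personal accounts can vouch for an organizational identity. The example below is added here and is not code from the article, Microsoft or Wiz; it models a token validator with a weak check beside a hardened one that pins the expected issuer and requires the signing key to be bound to that issuer. HS256 secrets stand in for the RSA public keys of a real OpenID key set, and the tenant IDs are placeholders (both assumptions for self-containment).

```python
import base64, hashlib, hmac, json, time

# Constructed key set: each trusted key is bound to the issuer it may vouch for.
# Assumption: HMAC secrets stand in for the RSA public keys of a real OpenID key set.
ORG_ISSUER = "https://login.microsoftonline.com/<org-tenant-id>/v2.0"
CONSUMER_ISSUER = "https://login.microsoftonline.com/<consumer-tenant-id>/v2.0"
TRUSTED_KEYS = {
    "org-key-1": {"secret": b"org-secret-constructed", "issuer": ORG_ISSUER},
    "consumer-key-1": {"secret": b"consumer-secret-constructed", "issuer": CONSUMER_ISSUER},
}

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict, kid: str) -> str:
    """Issue a JWT signed with one of the keys (the issuer, or whoever holds that key)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(TRUSTED_KEYS[kid]["secret"], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def _verify_signature(token: str):
    """Return (claims, key) if the signature checks out against a trusted key, else (None, None)."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    key = TRUSTED_KEYS.get(header.get("kid"))
    if key is None or header.get("alg") != "HS256":  # unknown key or algorithm confusion
        return None, None
    expected = hmac.new(key["secret"], f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None, None
    return json.loads(b64url_decode(body_b64)), key

def validate_common(token: str, audience: str) -> bool:
    """Weak check: any key from the shared key set is acceptable and the issuer is never pinned."""
    claims, _ = _verify_signature(token)
    return claims is not None and claims.get("aud") == audience and claims.get("exp", 0) > time.time()

def validate_pinned(token: str, audience: str, expected_issuer: str) -> bool:
    """Hardened check: issuer must be the app's own tenant and the key must be bound to that issuer."""
    claims, key = _verify_signature(token)
    return (claims is not None and claims.get("aud") == audience and claims.get("exp", 0) > time.time()
            and claims.get("iss") == expected_issuer and key["issuer"] == expected_issuer)

_CLAIMS = {"iss": ORG_ISSUER, "aud": "org-app", "sub": "constructed-user", "exp": int(time.time()) + 600}
FORGED = mint_token(_CLAIMS, "consumer-key-1")  # org identity signed with the personal-account key
LEGIT = mint_token(_CLAIMS, "org-key-1")        # same claims signed with the tenant's own key
```

The weak validator accepts FORGED because the consumer key is in its trusted set; the pinned validator rejects it because the key is not bound to the issuer the token claims.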

Although Microsoft has revoked the compromised key, preventing it from being used to forge tokens and access AAD applications,
