Microsoft’s recent announcement revealed a validation error in their source code that enabled a malicious actor known as Storm-0558 to forge Azure Active Directory (Azure AD) tokens using a Microsoft account (MSA) consumer signing key. This breach affected approximately two dozen organizations.
Storm-0558 managed to acquire an inactive MSA consumer signing key and utilized it to create authentication tokens for both Azure AD enterprise and MSA consumer accounts, granting unauthorized access to OWA and Outlook.com. The specific method employed by the actor to obtain the key is currently under investigation.
While the key was originally intended solely for MSA accounts, a validation issue mistakenly allowed it to be trusted for signing Azure AD tokens. Microsoft has since rectified this issue.
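The validation flaw described above is a key-scope confusion: a signing key meant for one issuer was accepted when checking tokens for another. The following is an added illustrative model of that bug class and its fix, not Microsoft's code; key names, issuer URLs and the HMAC secrets are constructed assumptions (real signing keys are asymmetric, HMAC is used only so the block runs offline).

```python
# Added illustrative model; HMAC keys used only so it runs offline (real keys were asymmetric).
import base64, hashlib, hmac, json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Constructed key store (assumption, not Microsoft's layout): each key records the issuer scope it signs for.
KEYS = {
    "msa-key-1": {"secret": b"consumer-secret", "scope": "msa"},
    "aad-key-1": {"secret": b"enterprise-secret", "scope": "aad"},
}
ISSUERS = {"msa": "https://login.example-consumer.test", "aad": "https://sts.example-enterprise.test/tenant"}

def sign_token(kid: str, claims: dict) -> str:
    """Produce a compact JWS-style token (header.payload.signature) with the named key."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def _verify_signature(token: str):
    """Return (kid, claims) if the signature matches the key named in the header, else None."""
    head_b64, body_b64, sig_b64 = token.split(".")
    kid = json.loads(_b64url_decode(head_b64))["kid"]
    key = KEYS.get(kid)
    if key is None:
        return None
    expected = hmac.new(key["secret"], f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return kid, json.loads(_b64url_decode(body_b64))

def validate_weak(token: str, expected_scope: str) -> bool:
    """Flawed: any key in the merged store is trusted for any issuer; only the iss claim is checked."""
    result = _verify_signature(token)
    return result is not None and result[1].get("iss") == ISSUERS[expected_scope]

def validate_hardened(token: str, expected_scope: str) -> bool:
    """Fixed: the key that signed the token must be scoped to the issuer this endpoint expects."""
    result = _verify_signature(token)
    if result is None:
        return False
    kid, claims = result
    return KEYS[kid]["scope"] == expected_scope and claims.get("iss") == ISSUERS[expected_scope]

# Constructed demonstration: enterprise-issuer claims signed with the consumer-scoped key.
FORGED = sign_token("msa-key-1", {"iss": ISSUERS["aad"], "sub": "user@tenant.example"})
LEGIT = sign_token("aad-key-1", {"iss": ISSUERS["aad"], "sub": "user@tenant.example"})
```

The weak validator accepts `FORGED` because the signature is valid under a key it trusts; the hardened one rejects it because that key is not scoped to the enterprise issuer.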
It remains uncertain whether this token validation flaw was exploited as a “zero-day vulnerability” or if Microsoft was aware of the problem prior to its exploitation. The attacks targeted around 25 organizations, including government entities and associated consumer accounts, with the objective of unauthorized email access and extraction of mailbox data. No other environments were impacted by this breach.
The U.S. State Department alerted Microsoft to the incident after detecting abnormal email activity related to Exchange Online data access. Storm-0558 is suspected to be a China-based threat actor engaged in malicious cyber activities consistent with espionage, although China has denied these allegations.
The primary targets of this hacking group encompass U.S. and European diplomatic, economic, and legislative governing bodies, as well as individuals linked to Taiwan and Uyghur geopolitical interests. Media companies, think tanks, and telecommunications equipment and service providers were also targeted.
This threat actor has been active since at least August 2021 and employs various techniques such as credential harvesting, phishing campaigns, and OAuth token attacks, specifically targeting Microsoft accounts.
Microsoft described Storm-0558 as a highly skilled and well-resourced actor with extensive technical tradecraft and operational security knowledge. They possess a deep understanding of different authentication techniques and applications and are well-versed in the target’s environment, including logging policies, authentication requirements, and procedures.
Initial access to the targeted networks is gained through phishing and exploiting security vulnerabilities in publicly accessible applications. This is followed by deploying the China Chopper web shell for backdoor access and using a tool called Cigril to facilitate credential theft.
Storm-0558 also employs PowerShell and Python scripts to extract email data, including attachments, folder information, and entire conversations, by leveraging Outlook Web Access (OWA) API calls.
Since the discovery of the campaign on June 16, 2023, Microsoft has taken significant actions. They have identified the root cause, established comprehensive tracking of the campaign, disrupted malicious activities, enhanced the security environment, notified all affected customers, and collaborated with multiple government entities. Effective June 26, 2023, Microsoft has mitigated the issue on behalf of their customers.
The full extent of the breach is still uncertain, but this incident serves as the latest example of a China-based threat actor conducting stealthy cyberattacks to obtain sensitive information without detection for at least a month.
Microsoft’s handling of the hack and their decision to limit access to detailed audit logs through additional licensing barriers have drawn criticism. U.S. Senator Ron Wyden was quoted as saying, “Charging people for premium features necessary to not get hacked is like selling a car and then charging extra for seatbelts and airbags.”
This disclosure coincides with the release of a comprehensive report by the U.K.’s Intelligence and Security Committee of Parliament (ISC), which highlights China’s highly effective cyber espionage capabilities and its successful penetration of foreign government and private sector IT systems.