Microsoft disputes report that Chinese hackers could have accessed suite of programs

Microsoft is disputing a new report that claims hackers may have had access to more parts of victims’ systems than previously known in a campaign that targeted dozens of organizations, including government agencies.

In the attacks, apparent Chinese hackers gained access to the emails of U.S. Commerce Secretary Gina Raimondo, U.S. Ambassador to China Nicholas Burns and Daniel Kritenbrink, the assistant secretary of state for East Asia, ahead of their trip to China last month.

To access the Outlook accounts, they used an inactive consumer signing key to forge authentication tokens for the multifactor authentication service Azure Active Directory.

Researchers from security company Wiz published a report on Friday saying that in addition to accessing Outlook email accounts, the hackers could have used the key to forge access tokens for a variety of Azure programs, like SharePoint, Teams and OneDrive, as well as “customers’ applications that support the ‘login with Microsoft’ functionality, and multi-tenant applications in certain conditions.”

“Microsoft have said that Outlook.com and Exchange Online were the only applications known to have been affected via the token forging technique, but Wiz Research has found that the compromised signing key was more powerful than it may have seemed, and was not limited to just those two services,” they said.

“The full impact of this incident is much larger than we initially understood it to be.”

The researchers added that the incident will have “long lasting implications on our trust of the cloud and the core components that support it, above all, the identity layer which is the basic fabric of everything we do in cloud.”

The report goes on to examine how important consumer signing keys are to the Microsoft ecosystem and the range of actions that could be taken if they got into the wrong hands.

The hackers could “have theoretically used the private key it acquired to forge tokens to authenticate as any user to any affected application that trusts” Microsoft’s certificates.

While Microsoft has since revoked the compromised key, Wiz said the hackers may have leveraged the access they gained to establish persistence in a victim network.

As researchers noted, Microsoft and several federal agencies are still investigating the incident, making it difficult to know how exactly other organizations can protect themselves from this kind of attack.

There are several outstanding questions from the fiasco, including how and when the hackers got the key, and whether other keys were compromised.

“At this stage, it is hard to determine the full extent of the incident as there were millions of applications that were potentially vulnerable, both Microsoft apps and customer apps, and the majority of them lack the sufficient logs to determine if they were compromised or not,” Wiz said.

When asked about the report, a Microsoft spokesperson told Recorded Future News that customers should instead read the blogs it has published about the incident and focus on the indicators of compromise that they have provided.

“Many of the claims made in this blog are speculative and not evidence-based,” the spokesperson said.

“We’ve also recently expanded security logging availability, making it free for more customers by default, to help enterprises manage an increasingly complex threat landscape.”

Wiz researchers expressed surprised at Microsoft’s response, telling Recorded Future News that their blog “was reviewed and validated” by the Microsoft Security Response Center team.

“We collaborated with them on the blog and they helped ensure technical accuracy,” the Wiz spokesperson said.

The Wiz post ends with a thank you to the Microsoft team for “working closely with us on this blog and helping us ensure it is technically accurate.”

After this article was published, Microsoft sent a follow-up statement that said, “This blog highlights some hypothetical attack scenarios, but we've not observed those outcomes in the wild."

Keeper Security’s Zane Bond noted that while the technical concerns are warranted, the bigger concern is how knowledgeable and well-resourced the attackers were.

“This threat actor knew they had valuable access, and therefore, used it as best they could in the time they had. Lateral movement to other services is one of the most common attacker tactics,” Bond said.

“The cloud is a double edged sword and this event highlights some of both the advantages and disadvantages. Most of the time, it’s a great benefit, because the cloud provider can investigate and resolve these types of intrusions for their customers. However the downside is that a single breach can lead to multiple organizations being compromised, and the threat actor can pick and choose the most valuable targets and data once they are in.”

While CISA has declined to attribute the hack to China, the State Department said last week that it has “no reason to doubt” Microsoft’s assessment that the attack was launched by hackers connected to China’s government.

The Chinese Embassy forcefully denied any involvement in the incident in a statement to Reuters.