Storm-0558: Microsoft breaks its silence on the Chinese threat actor

Microsoft has released the findings of its investigation into the acquisition of a Microsoft account (MSA) consumer signing key by the China-based threat actor Storm-0558 — infamously exploiting the system through zero-day validation issue in the GetAccessTokenForResourceAPI which has now been patched.

Microsoft has a system that generates keys that are used to sign and verify authentication tokens for Microsoft accounts. These keys are very important and should be kept secret, as first reported by BleepingComputer.

In April 2021 though, there was a problem with the system that generated these keys. This problem caused a key to be included in a crash dump file. This crash dump file should not have included the key, but the problem caused it to be there anyway.

“Our investigation found that a consumer signing system crash in April of 2021 resulted in a snapshot of the crashed process (“crash dump”). The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump (this issue has been corrected). The key material’s presence in the crash dump was not detected by our systems (this issue has been corrected),” the report reads.

The crash dump was subsequently moved from the isolated production network to the debugging environment on the internet-connected corporate network. The Storm-0558 actor was able to compromise a Microsoft engineer’s corporate account, which had access to the debugging environment. This is believed to be how the actor acquired the key.

The investigation also found that a misconfiguration in Microsoft’s authentication libraries allowed the consumer key to be used to access enterprise email. This issue has also been corrected.