BleepingComputer reports that the Microsoft consumer signing key stolen by Chinese hackers gave them access far beyond the Exchange Online and Outlook.com accounts that Microsoft initially reported as compromised, according to Wiz security researchers. The attackers breached the Exchange Online and Azure Active Directory (AD) accounts of around two dozen organizations by exploiting a now-patched zero-day validation issue in the GetAccessTokenForResource API. This allowed them to forge signed access tokens and impersonate accounts within the targeted organizations.
Wiz security researcher Shir Tamari said that the impact extended to all Azure AD applications that use Microsoft's OpenID v2.0, because the stolen key could sign any OpenID v2.0 access token for personal accounts (e.g., Xbox, Skype) and for multi-tenant Azure AD apps.
In response to the security breach, Microsoft revoked all valid MSA signing keys to ensure that the threat actors didn’t have access to other compromised keys. This measure also thwarted any attempts to generate new access tokens.
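The failure mode described above, a signing key that is trusted outside the issuer it belongs to, and the effect of revoking that key, are easier to see in code. The following is an added illustration written for this page, not Microsoft's token service or any Wiz tooling, and it does not reproduce the actual GetAccessTokenForResource bug, whose details the report does not give. It generates a constructed consumer (MSA) key and enterprise (AAD) key, mints an enterprise token forged with the consumer key, and compares a validator that keeps one merged key set with one that only accepts keys published by the token's own issuer; the issuer URLs, key IDs and claim values are all assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Constructed issuer URLs standing in for the consumer (MSA) and enterprise (AAD) token services.
const (
	IssuerMSA = "https://login.live.com"
	IssuerAAD = "https://login.microsoftonline.com/contoso-tenant/v2.0"
)

type Header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
}

type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
}

// KeySet is a kid -> public key cache, as a resource server builds it from an issuer's JWKS.
type KeySet map[string]*rsa.PublicKey

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignToken mints an RS256 JWT. Whoever holds the private key, legitimately or not,
// produces tokens that are indistinguishable from the issuer's own.
func SignToken(key *rsa.PrivateKey, kid string, c Claims) string {
	h, _ := json.Marshal(Header{Alg: "RS256", Kid: kid})
	p, _ := json.Marshal(c)
	input := b64(h) + "." + b64(p)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return input + "." + b64(sig)
}

// verify parses the token, asks lookup for the key that (iss, kid) maps to, then checks the signature.
func verify(tok string, lookup func(iss, kid string) *rsa.PublicKey) (Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	var raw [3][]byte
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return Claims{}, err
		}
		raw[i] = b
	}
	var h Header
	var c Claims
	if err := json.Unmarshal(raw[0], &h); err != nil {
		return Claims{}, err
	}
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return Claims{}, err
	}
	if h.Alg != "RS256" {
		return Claims{}, fmt.Errorf("unsupported alg %q", h.Alg)
	}
	pub := lookup(c.Iss, h.Kid) // iss is still unauthenticated here; the signature check below binds it
	if pub == nil {
		return Claims{}, fmt.Errorf("no trusted key %q for issuer %q", h.Kid, c.Iss)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return Claims{}, errors.New("bad signature")
	}
	return c, nil
}

// FlawedVerify trusts one merged key set for every issuer: any key in it may sign for any issuer.
func FlawedVerify(tok string, merged KeySet) (Claims, error) {
	return verify(tok, func(_, kid string) *rsa.PublicKey { return merged[kid] })
}

// StrictVerify only accepts a key that the token's own issuer publishes.
func StrictVerify(tok string, perIssuer map[string]KeySet) (Claims, error) {
	return verify(tok, func(iss, kid string) *rsa.PublicKey { return perIssuer[iss][kid] })
}

type Scenario struct {
	Forged, Legit string
	Merged        KeySet
	PerIssuer     map[string]KeySet
}

// BuildScenario generates a consumer and an enterprise key (constructed, not real Microsoft keys)
// and mints one legitimate enterprise token plus one forged with the "leaked" consumer key.
func BuildScenario() Scenario {
	msaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	aadKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	victim := Claims{Iss: IssuerAAD, Sub: "victim@contoso.example", Aud: "https://outlook.office.com"}
	return Scenario{
		Forged: SignToken(msaKey, "msa-key-1", victim), // attacker signs an AAD token with the MSA key
		Legit:  SignToken(aadKey, "aad-key-1", victim),
		Merged: KeySet{"msa-key-1": &msaKey.PublicKey, "aad-key-1": &aadKey.PublicKey},
		PerIssuer: map[string]KeySet{
			IssuerMSA: {"msa-key-1": &msaKey.PublicKey},
			IssuerAAD: {"aad-key-1": &aadKey.PublicKey},
		},
	}
}

// Revoke models the issuer rotating out a compromised key: once the kid is gone from the
// published key set, every token it signed fails lookup, even in the flawed validator.
func Revoke(kid string, sets ...KeySet) {
	for _, s := range sets {
		delete(s, kid)
	}
}

func main() {
	s := BuildScenario()
	_, err := FlawedVerify(s.Forged, s.Merged)
	fmt.Println("flawed validator, forged token:", err)
	_, err = StrictVerify(s.Forged, s.PerIssuer)
	fmt.Println("strict validator, forged token:", err)
	Revoke("msa-key-1", s.Merged, s.PerIssuer[IssuerMSA])
	_, err = FlawedVerify(s.Forged, s.Merged)
	fmt.Println("flawed validator after revocation:", err)
}
```

The merged-key validator accepts the forged enterprise token because the key ID resolves, while the per-issuer validator rejects it with a lookup failure before any signature math runs. Revocation closes the hole in both, which is why pulling the MSA keys stopped new token minting, but it does nothing about tokens accepted before the key set was refreshed; a production validator should also check `aud`, `exp` and `nbf`, and re-fetch the JWKS rather than serving a stale cache.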