Windows Cloud Services Exposed Due To Stolen Microsoft Key

Chinese hackers tracked as Storm-0558 gained access to the Microsoft consumer signing key, and the theft had broader implications than initially acknowledged. Redmond confirmed the breach of Exchange Online and Azure Active Directory accounts at about two dozen organizations, which resulted from the exploitation of a now-patched zero-day validation issue in the GetAccessTokenForResourceAPI. Government agencies in the U.S. and Western Europe, including the State and Commerce Departments, were among the affected entities. Wiz security researchers revealed that the stolen key allowed the hackers to impersonate accounts across various Azure AD applications, not only Exchange Online and Outlook.com, potentially affecting managed Microsoft applications and customer-based Microsoft applications that use "Login with Microsoft" functionality. The researchers emphasized the key's immense power: it enabled attackers to access almost any app as any user.
