In May of 2023 a few sensitive accounts reported to Microsoft that their environments appeared to be compromised. Due to the nature of these accounts, Microsoft dove in and discovered that an expired Consumer Microsoft Account Signing Key had been used to gain access to these tenants. It was more than a bit embarrassing, as the list included environments that appear to have been related to their Government Cloud Computing tenants, fortunately on the low side (non-classified). Microsoft quickly responded and says they expelled the threat actor while removing the possibility of using that key again (they identified the thumbprint of the key used).

Published in Security Talk

Last week Microsoft, the FBI, and CISA disclosed several attacks on Federal Civilian Executive Branch agencies and other targets of a campaign that appeared to be driven by a new threat group out of China. The attack was detected and tracked down using internal logging available to the GCC low-side tenants and with the help of Microsoft. Fortunately, GCC (Government Cloud Computing) Low Side is not supposed to contain or pass any classified information. It is intended to be used by government agencies and contractors that do not need or have authorization to access anything more than routine sensitive information. This does not reduce the seriousness of the attack, and it does raise the question of how well the tenants were secured by the cybersecurity teams involved, but at least nothing National Security related was compromised.

Published in News