Microsoft's signing key was stolen by Chinese hackers who used forged authentication tokens to access user email using a stolen Microsoft Azure consumer signing key. The incident highlights negligent security practices and vulnerabilities in key validity checks. Furthermore, the key was stored in software instead of the system's Hardware Security Module (HSM), indicating a serious breach of security practice. The attack may be connected to the SolarWinds breach, and the long-term consequences of such attacks are being underestimated. Source code theft from infrastructure providers is becoming a preferred method for sophisticated threat actors. #authentication #backdoors #China #cybersecurity #hacking #keys #Microsoft

https://www.schneier.com/blog/archives/2023/08/microsoft-signing-key-stolen-by-chinese.html