Stolen Microsoft key may have opened up a lot more than US govt email inboxes
How does the Azure giant come back from this?
A stolen Microsoft security key may have allowed Beijing-backed spies to break into a lot more than just Outlook and Exchange Online email accounts.
Incredibly as it sounds, and it really does deserve wider coverage, someone somehow obtained one of Microsoft's internal private cryptographic keys used to digitally sign access tokens for its online services. With that key, the snoops were able to craft tokens to grant them access to Microsoft customers' email systems and, crucially, sign those access tokens as the Windows giant to make it look as though they were legitimately issued.
With those golden tokens in hand, the snoops – believed to be based in China – were able to log into Microsoft cloud email accounts used by US government officials, including US Commerce Secretary Gina Raimondo. The cyber-trespassing was picked up by a federal government agency, which raised the alarm.
Microsoft still, to the best of our knowledge, does not know (or isn't publicly saying yet) how this incredibly powerful private signing key was obtained, and has revoked that key.
Here are some quick links
Now it turns out that private key "was more powerful than it may have seemed," according to Shir Tamari, research boss at Wiz, an infosec outfit founded by former Microsoft cloud security engineers.
We're told the private key could potentially have been used to access way more than people's Outlook and Exchange Online accounts. Microsoft has pushed back on that claim.
"Our researchers concluded that the compromised MSA key could have allowed the threat actor to forge access tokens for multiple types of Azure Active Directory applications," Tamari explained on Friday.
This includes Microsoft applications using OpenID v2.0 access tokens for account authentication, such as Outlook, SharePoint, OneDrive, and Teams, we're told.
Also, according to Wiz, it spans customers' own applications that support the "login with Microsoft" functionality, plus multi-tenant applications configured to use the "common" v2.0 keys endpoint instead of the "organizations" one. Applications using OpenID v1.0 remain safe.
Still, while Microsoft revoked the compromised encryption key and published a list of indicators-of-compromise for those wondering if they've also been hit by Storm-0558, the Wiz kids said it may be difficult for Redmond's customers to know if miscreants used forged tokens to steal data from their applications. Tamari blamed this on the lack of logs related to token verification.
And, it just so happens that Redmond on Wednesday caved to pressure from the US government agreed to provide all customers with free access to cloud security logs – a service usually reserved for premium clients – but not until September.
When asked about Wiz's conclusions — and if more than just email accounts could have been accessed in the attack — a Microsoft spokesperson told The Register:
Many of the claims made in this blog are speculative and not evidence-based. We recommend that customers review our blogs, specifically our Microsoft Threat Intelligence blog, to learn more about this incident and investigate their own environments using the Indicators of Compromise (IOCs) that we've made public.
We've also recently expanded security logging availability, making it free for more customers by default, to help enterprises manage an increasingly complex threat landscape.
Microsoft disclosed the attack on July 11. At the time, and in a July 14 update, the Azure titan said the spies used forged authentication tokens to access email accounts for government agencies for espionage purposes.
Here's Redmond's explanation for what happened, from that July 14 missive:
Storm-0558 acquired an inactive MSA consumer signing key and used it to forge authentication tokens for Azure AD enterprise and MSA consumer to access OWA and Outlook.com. All MSA keys active prior to the incident – including the actor-acquired MSA signing key – have been invalidated. Azure AD keys were not impacted.
Though the key was intended only for MSA accounts, a validation issue allowed this key to be trusted for signing Azure AD tokens. This issue has been corrected.
According to a Thursday report in the Wall Street Journal, Chinese snoops also accessed inboxes belonging to the US ambassador to China, Nicholas Burns, and Daniel Kritenbrink, the assistant secretary of state for East Asia.
It's still unclear how the spies obtained the private encryption key in the first place.
- Google veep calls out Microsoft's cloud software licensing 'tax'
- Microsoft's Azure mishap betrays an industry blind to a big problem
- Azure blunder left Bing results editable, MS 365 accounts potentially exposed
- Azure issues not adequately fixed for months, complain bug hunters
According to the Wiz security team, the China-based crew looks to have obtained one of several keys used for verifying Azure Active Directory (AAD) access tokens, allowing them to sign as Microsoft any OpenID v2.0 access token for personal accounts along with multi-tenant and personal-account AAD applications.
While Microsoft pulled the compromised key, meaning it can no longer be used to forge tokens and access AAD applications, there's a chance that during previously established sessions attackers could have used this access to deploy backdoors or otherwise establish persistence.
"A notable example of this is how, prior to Microsoft's mitigation, Storm-0558 issued valid Exchange Online access tokens by forging access tokens for Outlook Web Access (OWA)," Tamari wrote.
Additionally, applications that use local certificate stores or cached keys may still trust the compromised key and thus be vulnerable to attack. Because of this, both Wiz and Microsoft urge refreshing those silos at least once a day. ®