Attack more widespread

Originally, Microsoft thought only Outlook was affected but it’s now coming to light that it was more than just Outlook that was affected.


Untold number of victims

Although it’s thought that around two dozen organizations fell victim, it’s possible that many more were victims as well.  The problem is, no one can figure that out because not everyone pays for the advanced logging.


Advanced logging now free

Microsoft has released its Microsoft Purview Audit solution for free to all customers.  This will allow more advanced logging that, in the future, will help detect attacks like this.


by Kevin Wood

Microsoft keys stolen by Chinese organization had more access than originally thought


Chinese hacker group Storm-0558 responsible for attack

Have you heard about the recent Microsoft compromise?  Or how it went from a “simple” Exchange breach to a widespread breach across essentially all Microsoft 365 products?  If not, let’s get you up to speed.

Detection and Mitigation

In early July, Microsoft was tipped off about odd Microsoft 365 activity by the US Government, prompting an investigation.  The only way the US Government knew about this was thanks to the advanced logging it paid extra for.

Microsoft discovered that on May 15th, 2023, Storm-0558 was able to gain access to the email accounts of about two dozen organizations by forging authentication tokens to users’ email accounts.

“The actor used an acquired MSA key to forge tokens to access OWA and Outlook.com. MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems. The actor exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail,” said a Microsoft spokesperson.

Microsoft immediately took action to mitigate the attack vector and found no evidence indicating any further unauthorized access occurred.
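The spokesperson’s description boils down to a key-scoping failure: a token signed with a consumer (MSA) key was accepted as if it carried an enterprise (Azure AD) identity. The following is an added illustration, not Microsoft’s code or a description of its real validation service; it uses constructed HMAC keys and issuer names to contrast a validator that resolves a key ID across every key set with one that only trusts keys belonging to the issuer the relying party expects.

```python
import base64
import hashlib
import hmac
import json

# Constructed key material for the example (not real Microsoft keys).
# Each issuer has its own key set, mirroring "MSA (consumer) keys and
# Azure AD (enterprise) keys are issued and managed from separate systems".
MSA_ISSUER = "https://consumer.example"
AAD_ISSUER = "https://enterprise.example/contoso"
KEY_SETS = {
    MSA_ISSUER: {"msa-kid-1": b"constructed-consumer-secret"},
    AAD_ISSUER: {"aad-kid-1": b"constructed-enterprise-secret"},
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(key_set_owner: str, kid: str, claims: dict) -> str:
    """Build an HS256 JWT-style token with a key from the named key set (test fixture only)."""
    signing_input = b64url(json.dumps({"alg": "HS256", "kid": kid}).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(KEY_SETS[key_set_owner][kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def _parse(token: str):
    header, payload, sig = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload)), f"{header}.{payload}", b64url_decode(sig)


def _signature_ok(key: bytes, signing_input: str, sig: bytes) -> bool:
    return hmac.compare_digest(hmac.new(key, signing_input.encode(), hashlib.sha256).digest(), sig)


def validate_flawed(token: str, expected_issuer: str) -> bool:
    """Flawed: looks the kid up in every key set, so a valid signature from the wrong system is accepted."""
    header, claims, signing_input, sig = _parse(token)
    for keys in KEY_SETS.values():
        key = keys.get(header["kid"])
        if key and _signature_ok(key, signing_input, sig):
            return claims.get("iss") == expected_issuer
    return False


def validate_hardened(token: str, expected_issuer: str) -> bool:
    """Hardened: the kid is resolved only within the expected issuer's key set; other systems' keys are never trusted."""
    header, claims, signing_input, sig = _parse(token)
    if claims.get("iss") != expected_issuer:
        return False
    key = KEY_SETS.get(expected_issuer, {}).get(header["kid"])
    return key is not None and _signature_ok(key, signing_input, sig)
```

The flawed validator cannot tell a consumer-signed token claiming an enterprise issuer from a genuine one, because the signature does verify under the consumer key; binding key lookup to the expected issuer closes that gap.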

The US Government, which originally detected the intrusion, reported that it had used Microsoft’s advanced logging services to spot the attack.  Microsoft has been widely criticized for charging extra for advanced logging because many believe it should be free, or included with any package you purchase.

Advanced Logging

After the attack, Microsoft worked directly with the US Cybersecurity and Infrastructure Security Agency, better known as CISA, to identify important logging data points that should be provided to the customer for free.  This would allow all customers to be in a better position to detect these types of attacks.

Due to this partnership, Microsoft announced that it would expand premium cloud logging via Microsoft Purview Audit to all customers, and that further logging would become available in September 2023.

“As these changes take effect, customers can use Microsoft Purview Audit to centrally visualize more types of cloud log data generated across their enterprise.”

Microsoft is also expanding the default retention period for ‘Audit Standard’ customers from 90 to 180 days.  This will allow customers to have greater historical data to use in an investigation should it be needed.

But wait, there’s more…

While many organizations were still trying to figure out if they were a victim and, if so, to what extent, new reports emerged that further complicated the initial report findings.

A security researcher from Wiz.io, Shir Tamari, reported on Friday, July 21st, 2023, that the stolen key gave the attackers access to all Azure AD applications that were authenticating with Microsoft’s OpenID v2.0.

“This includes managed Microsoft applications, such as Outlook, SharePoint, OneDrive, and Teams, as well as customers’ applications that support Microsoft Account authentication, including those who allow the ‘Login with Microsoft’ functionality,” Tamari said.

“Everything in the world of Microsoft leverages Azure Active Directory auth tokens for access,” Wiz CTO and co-founder Ami Luttwak also told BleepingComputer.

“An attacker with an AAD signing key is the most powerful attacker you can imagine, because they can access almost any app – as any user. This is the ultimate cyber intelligence ‘shape shifter’ superpower.”

Thankfully, Microsoft revoked all MSA signing keys when the attack was originally discovered, which means the attackers would no longer be able to access any resources with the stolen key.

While it’s believed that only two dozen organizations fell victim to the attack, the full scope of the attack may never be known because most customers didn’t pay for Microsoft’s advanced logging service.

“At this stage, it is hard to determine the full extent of the incident as there were millions of applications that were potentially vulnerable, both Microsoft apps and customer apps, and the majority of them lack the sufficient logs to determine if they were compromised or not,” Tamari concluded today.

