
The recent attack on Microsoft’s email infrastructure by Chinese nation-state actors dubbed Storm-0558 is said to be more widespread than previously thought.
According to cloud security firm Wiz, an inactive Microsoft Account (MSA) consumer signing key was used to forge Azure Active Directory (Azure AD or AAD) tokens to gain unauthorized access to Outlook Web Access (OWA) and Outlook.com. The same consumer signing key would allow attackers to forge access tokens for other types of Azure AD applications as well.
This includes any application that supports personal account authentication, such as OneDrive, SharePoint, and Teams; customer applications that support the "Login with Microsoft" feature; and multi-tenant applications under certain conditions.
“Everything in the Microsoft world relies on Azure Active Directory authentication tokens for access,” Wiz co-founder and chief technology officer Ami Luttwak said in a statement. “An attacker with an AAD signing key can access almost any app as any user, making it the most powerful attacker imaginable. This is a ‘shape shifter’ superpower.”
Microsoft revealed last week that token forgery techniques were exploited by Storm-0558 to extract unclassified data from victim mailboxes, but the exact profile of the cyberespionage operation remains unclear.
The Windows maker said it is still investigating how the attackers obtained the MSA consumer signing key. It is also unknown whether the key acted as a master key to unlock data belonging to the approximately 24 affected organizations.
Wiz's analysis fills in some of the blanks, stating that "all Azure personal account v2.0 applications rely on a list of eight public keys, and all Azure multi-tenant v2.0 applications rely on a list of seven public keys."

Additionally, one of the listed public keys (thumbprint "d4b4cccda9228624656bff33d8110955779632aa"), which had been in existence since at least 2016, was replaced between June 27, 2023 and July 5, 2023, around the same time that Microsoft announced it had revoked the MSA key.
"From this, we deduce that the compromised key acquired by Storm-0558, despite being a private key designed for Microsoft's MSA tenant in Azure, could have signed OpenID v2.0 tokens for multiple types of Azure Active Directory applications," Wiz said.
"Storm-0558 appears to have managed to gain access to one of several keys intended for signing and validating AAD access tokens. The compromised key was trusted to sign OpenID v2.0 access tokens for personal accounts and mixed-audience (multi-tenant or personal account) AAD applications."
This effectively means that, in theory, a malicious attacker could forge access tokens for use with applications that rely on the Azure identity platform.
Worse yet, the obtained private key may have been weaponized to forge tokens that authenticate as any user to any affected application that trusts Microsoft's OpenID v2.0 mixed-audience and personal-account certificates.
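Why a shared key list is so dangerous, as an added illustration (not Wiz's or Microsoft's code, and not a claim about how Microsoft's validation library is written): the Wiz observation above is that personal-account and multi-tenant v2.0 applications each trust a flat list of public keys, and the forgery described in this and the preceding paragraphs works when the application checks only "is the signing key in my trusted list?" and never asks "is this key allowed to sign for the issuer this token claims?". The model below has a constructed consumer (MSA) key and a constructed enterprise key, an attacker holding the consumer private key, and two verifiers: a flat-list verifier that accepts the forged enterprise token, and a scoped verifier that binds each key to one issuer and rejects it. The RSA is textbook RSA over hard-coded Mersenne primes so the script runs with the standard library only; it is a stand-in for RS256 and not a secure signature scheme. All key names, issuer URLs and audiences are invented for the example.

```python
"""Added example: flat trusted-key list vs issuer-scoped key list for JWT-style tokens."""
import base64
import hashlib
import json
import time

E = 65537  # public exponent


def make_key(p: int, q: int) -> dict:
    """Textbook RSA key from two primes (toy only; real keys are 2048-bit+ with padding)."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}


# Constructed keys: a "consumer/MSA" signing key and an "enterprise/AAD" signing key.
CONSUMER_KEY = make_key(2**61 - 1, 2**89 - 1)
ENTERPRISE_KEY = make_key(2**107 - 1, 2**127 - 1)

# Hypothetical issuers and audience used throughout the example.
CONSUMER_ISS = "https://login.example/consumers/v2.0"
ENTERPRISE_ISS = "https://login.example/enterprise-tenant/v2.0"
APP_AUD = "api://mail-app"

# Vulnerable trust store: a flat list of kid -> public modulus, with no record of
# which issuer each key may sign for. This mirrors an application that simply
# trusts "the list of public keys" published for its application type.
SHARED_KEYS = {"kid-consumer": CONSUMER_KEY["n"], "kid-enterprise": ENTERPRISE_KEY["n"]}

# Hardened trust store: every key is bound to the single issuer it is allowed to sign for.
SCOPED_KEYS = {
    "kid-consumer": {"n": CONSUMER_KEY["n"], "iss": CONSUMER_ISS},
    "kid-enterprise": {"n": ENTERPRISE_KEY["n"], "iss": ENTERPRISE_ISS},
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _digest(signing_input: bytes, n: int) -> int:
    # Hash reduced mod n so the toy RSA exponentiation is well defined.
    return int.from_bytes(hashlib.sha256(signing_input).digest(), "big") % n


def sign_jwt(header: dict, claims: dict, key: dict) -> str:
    """Produce header.payload.signature with the toy RSA key (signature = H^d mod n)."""
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = pow(_digest(signing_input.encode(), key["n"]), key["d"], key["n"])
    sig_bytes = sig.to_bytes((key["n"].bit_length() + 7) // 8, "big")
    return signing_input + "." + b64url(sig_bytes)


def rsa_verify(signing_input: bytes, sig: bytes, n: int) -> bool:
    return pow(int.from_bytes(sig, "big"), E, n) == _digest(signing_input, n)


def _split(token: str):
    h, c, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(c)), (h + "." + c).encode(), b64url_decode(s)


def verify_flat(token: str, expected_aud: str) -> bool:
    """VULNERABLE: any key on the shared list is accepted for any issuer."""
    header, claims, signing_input, sig = _split(token)
    n = SHARED_KEYS.get(header.get("kid"))
    if n is None or not rsa_verify(signing_input, sig, n):
        return False
    return claims.get("aud") == expected_aud and claims.get("exp", 0) > time.time()


def verify_scoped(token: str, expected_aud: str, expected_iss: str) -> bool:
    """HARDENED: the key must be scoped to the token's issuer, and that issuer must be the one this app expects."""
    header, claims, signing_input, sig = _split(token)
    entry = SCOPED_KEYS.get(header.get("kid"))
    if entry is None or not rsa_verify(signing_input, sig, entry["n"]):
        return False
    if claims.get("iss") != entry["iss"] or claims.get("iss") != expected_iss:
        return False
    return claims.get("aud") == expected_aud and claims.get("exp", 0) > time.time()


def _token(kid: str, key: dict, iss: str, sub: str) -> str:
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    claims = {"iss": iss, "aud": APP_AUD, "sub": sub, "exp": int(time.time()) + 3600}
    return sign_jwt(header, claims, key)


def forge_enterprise_token(as_user: str) -> str:
    """What an attacker holding the CONSUMER private key can mint: an enterprise-issuer token for any user."""
    return _token("kid-consumer", CONSUMER_KEY, ENTERPRISE_ISS, as_user)


def legitimate_enterprise_token(user: str) -> str:
    return _token("kid-enterprise", ENTERPRISE_KEY, ENTERPRISE_ISS, user)


def demo() -> dict:
    forged = forge_enterprise_token("victim@example.com")
    legit = legitimate_enterprise_token("alice@example.com")
    return {
        "flat_accepts_forgery": verify_flat(forged, APP_AUD),        # True: the consumer key is "on the list"
        "scoped_accepts_forgery": verify_scoped(forged, APP_AUD, ENTERPRISE_ISS),  # False
        "flat_accepts_legit": verify_flat(legit, APP_AUD),
        "scoped_accepts_legit": verify_scoped(legit, APP_AUD, ENTERPRISE_ISS),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The scoped verifier also shows the cheap mitigation available to a relying party regardless of what the identity provider publishes: record, per `kid`, which issuer that key is allowed to sign for, and reject a token whose `iss` does not match both that binding and the issuer the application actually expects. Revoking the compromised key (as Microsoft did) removes it from the list; scoping the list means a key for one audience cannot be turned into a token for another even before revocation.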
"An identity provider's signing key is probably the strongest secret in the modern world," said Wiz security researcher Shir Tamari. "An identity provider's key gives instant, single-hop access to everything, from email boxes and file services to cloud accounts and more."