Search This Blog

Powered by Blogger.

Blog Archive

Labels

Storm-0558 Breach: Microsoft Breach Risks Millions of Azure AD Apps

The breach may put significant risk on Microsoft cloud services than one could have predicted.


Storm-0558 breach, that enabled the China-based advanced persistent threat (APT) group to access emails of at least 25 US agencies seems to be more notorious than anticipated, since the breach may put significant risk on Microsoft cloud services than one could have predicted.

However, it will take weeks, if not months, to identify the full extent of the real compromise caused by the situation since many firms lack sufficient authentication logging.

Reportedly, the email breach enabled access to Microsoft 365 enterprise email accounts and the potentially sensitive information they contained by forging authentication tokens under the guise of authorized Azure Active Directory (AD) users thanks to a stolen Microsoft account (MSA) key.

There are also speculations that the lost MSA key could have additionally allowed threat actors to forge access tokens for "multiple types of Azure Active Directory applications, including every application that supports personal account authentication, such as SharePoint, Teams, OneDrive, customers' applications that support the 'login with Microsoft' functionality, and multitenant applications in certain conditions," as per a research by Wiz published on July 21. 

Head of research at Wiz, Shir Tamari further notes that the APT potentially was fixed in a position to "immediate single hop access to everything, any email box, file service or cloud account."

Scope of the Storm-0558 Breach

After reviving the key earlier in July, Microsoft released indicators of compromise (IoCs) for the email attack. However, assessing if the breach has in fact used the broader access to any of the loads of additional susceptible applications will be a significantly challenging task.

Tamari further explains, "We discovered that it may be difficult for customers to detect the use of forged tokens against their applications due to lack of logs on crucial fields related to the token verification process."

This situation sits next to the so-called “logging tax” that first came across as the aftermath of Microsoft’s initial disclosure of the Storm-0558 breach. 

Due to the fact that advanced logging with a feature of detecting suspicious behavior in systems has only been made available to customers with paid premium service, many Microsoft customers have been unable to see how the attacks have affected their companies. Microsoft quickly caved to industry pressure and pledged to make access to advanced logging free, but it will take some time before users everywhere install and use this update.

"Unfortunately, there is a lack of standardized practices when it comes to application-specific logging. Therefore, in most cases, application owners do not have detailed logs containing the raw access token or its signing key[…]As a result, identifying and investigating such events can prove exceedingly challenging for app owners," wrote Tamari.

While the stakes are still quite high, Yossi Rachman, director of security research for AD security company Semperis noted that the “main concern here is understanding how exactly threat actors were able to get their hands on the compromised Azure AD key, as these types of breaches have the potential of quickly turning into a SolarWinds-scale event."

Impact on Azure AD Customers

Wiz further noted that despite the fact that the key has been recovered, several Azure AD customers could still be at high risk, given that Storm-0558 could potentially have used its access to establish a persistent position through application-specific keys, or setting up backdoors. 

Moreover, applications that might have kept copies of the Azure AD public keys before they were revived, and applications that depend on local certificate stores or cached keys that may not have been updated remain vulnerable to token forging.

"It is imperative for these applications to immediately refresh the list of trusted certificates," Tamari urged. "Microsoft advises refreshing the cache of local stores and certificates at least once a day."

In another post, Wiz mentioned details as to which Azure AD configurations would be vulnerable to attack, and advised organizations to update their application caches and Azure SDKs to the latest versions. 

Tamari further notes, "The full impact of this incident is much larger than we initially understood it to be[…]We believe this event will have long-lasting implications on our trust of the cloud and the core components that support it, above all, the identity layer which is the basic fabric of everything we do in cloud. We must learn from it and improve."

Share it:

Azure Active Directory

Azure AD

Cyber Attacks

Email Breach

Logging tax

Microsoft

Semeperis

Storm-0558 Breach