The Stack has a July 17 update on this story here.
Microsoft has refused to answer questions about how a threat actor gained access to a Microsoft key used to sign security tokens – and then breach some 25 organisations, including a federal agency’s cloud environment.
The actor used “forged authentication tokens to access user email using an acquired Microsoft account (MSA) consumer signing key” said Microsoft, without specifying what it meant by “acquired” – it is plausible that the hacker breached Microsoft’s environment to “acquire” the key.
"We have continuously improved the security of the MSA key management systems since the acquired MSA key was issued, as part of defense in depth, to ensure the safety and security of consumer keys" it added.
The incident was flagged by CISA in a July 12 advisory that noted bluntly that “all mitigation actions for this activity are the responsibility of Microsoft due to the cloud-based infrastructure affected” – adding that the breach was only spotted via the use of specific enhanced logging* and that its cloud environment-hardening guidance “will not prevent this or related activity where actors leverage compromised consumer keys.”
Microsoft key acquired, used to pivot to Azure AD users
“The actor used [the] acquired MSA key to forge tokens to access OWA and Outlook.com” Microsoft said, admitting that “MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems [but] the actor exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail” – hinting at Azure security troubles.
Redmond added that the Advanced Persistent Threat (APT) then “exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail” but flatly declined to answer any questions from The Stack about the nature of this “token validation issue”.
“Microsoft has completed mitigation of this attack for all customers” it said in a blog, adding in an emailed response to our questions about the incident that “we have nothing further to share beyond the blog post.”
More grey than Azure?
The incident, attributed by Microsoft to a Chinese APT it dubs Storm-0558, comes a month after Microsoft said that it had developed mitigations” for an Azure Active Directory vulnerability dubbed n0auth.
Under certain circumstances this let an attacker gain full target account takeover by simply replacing an email address in their own attacker-owned Azure AD admin account. This “insecure pattern” exposed Azure AD customers to data leakage and escalation of privileges risk, Microsoft admitted in a June 20, 2023 post, adding that “the risk is mainly with multi-tenant applications [and could] result [in] privilege escalation.”
It also comes 14 months after security researchers at Orca Security exposed a critical (now fixed) Azure cross-tenancy security bug.
This revealed “areas in the service where a huge amount of Microsoft and third-party code runs with SYSTEM permissions, processing customer controlled input. This runs on shared machines with access to Azure service keys and sensitive data of other customers. These areas of the service only have application-level separation and lack sandbox or hypervisor-level isolation. This is a major attack surface and not consistent with the level of security that public cloud customers expect” Orca said at the time – Microsoft has since made architectural changes, it said in 2022.
Microsoft MSA key issue: Threat detection needs E5
According to a joint advisory by the CISA and FBI, one affected federal agency observed unexpected events in Microsoft 365 audit logs in June 2023. pUpon investigation, Microsoft network defenders deemed the activity malicious and linked it to the China based threat-actor. Microsoft's investigation concluded that the APT actors had accessed and exfiltrated unclassified Exchange Online Outlook data.
(Troublingly for many, the specific logging that caught the incident, CISA notes, requires licensing at the expensive G5/E5 level and “CISA and FBI are not aware of other audit logs or events [other than of E5-available MailItemsAccessed events] that would have detected this activity.”)
Steven Adair, founder of Volexity, a security firm providing incident response, saidresponse said his firm had been called out to one affected organisation.
“Initially the incident was a real head scratcher for us. Investigating incidents and suspect activity in Microsoft 365 and AzureAD is something we do frequently. However, despite a notification from Microsoft regarding unauthorized access, we could not find any corroborating evidence. It turns out our investigation turned up nothing because there was nothing for us to find. The incident was invisible to us with the data at our disposal and this was due to the customer's M365 license level: E3.
“This is likely the most common license level for most orgs…[CISA’s] first recommendation is ‘Enable Purview Audit (Premium) logging. This logging requires licensing at the G5/E5 level.’ That is a tough pill to swallow for most organizations due to the cost. IMHO, this log data should be available at all M365 license levels” he added in a social media post.
CrowdStrike’s Head of Intelligence, Adam Meyers had some choice words in response to the incident, saying: "This latest compromise of U.S. and Western European government agencies once again amplifies the systemic risk of Microsoft’s technology, and the crisis of trust their customers face.
"Organizations need to invest in security, having one monolithic vendor that is responsible for all of your technology, products, services and security - can end in disaster. There's a reason federal leaders have been making a public push to pressure software makers to build products that are secure by design. Unfortunately, that message seems to continue to fall on deaf ears in Redmond."
