‘China’ Azure Breach: MUCH Worse Than Microsoft Said

Satya Nadella and President Xi JinpingSatya and Pooh, Sitting in a Tree, K.I.S.S.I.N.G.

The nasty hack ‘by China’ I covered 11 days ago is even nastier than we were told. Far from being limited to a couple of email apps, the hackers stole a key cracking open any Azure Active Directory (AAD) mixed-audience, multi-tenant application. People are using words like “shoddy” and “fiasco.”

BTW, AAD recently suffered a bizarre rebrand as Entra ID. In today’s SB Blogwatch, we wonder if these two events are connected.

AWS Builder Community Hub

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Beat it (reggae version).

Storm-0558 Breaks

What’s the craic? Sergiu Gatlan reports—“Stolen Microsoft key offered widespread access”:

Still doesn't know how
The Microsoft consumer signing key stolen by Storm-0558 Chinese hackers provided them with access far beyond the Exchange Online and Outlook.com accounts that Redmond said were compromised. … This was achieved by exploiting a now-patched zero-day validation issue in the GetAccessTokenForResourceAPI, allowing them to forge signed access tokens and impersonate accounts.

Wiz security researcher Shir Tamari said that the impact extended to all Azure AD applications operating with Microsoft’s OpenID v2.0. This was due to the stolen key’s ability to sign any OpenID v2.0 access token [including] multi-tenant AAD apps. … While Microsoft said that only Exchange Online and Outlook were impacted, Wiz says the threat actors could use the compromised Microsoft consumer signing key to impersonate any account within any impacted customer or cloud-based Microsoft application.

Microsoft … still doesn’t know how the Chinese hackers stole the Microsoft consumer signing key.

Be fair—the hack only started on May 15. Jonathan Greig uses the F-word—“Microsoft disputes report”:

Microsoft and several federal agencies are still investigating the incident. … When asked about the report, a Microsoft spokesperson [said] “Many of the claims … are speculative and not evidence-based.”

Wiz researchers expressed surprise [saying] their blog “was reviewed and validated” by the Microsoft Security Response Center team: “We collaborated with them on the blog and they helped ensure technical accuracy.”

While Microsoft has since revoked the compromised key … hackers may have leveraged the access they gained to establish persistence in a victim network. … There are several outstanding questions from the fiasco, including how and when the hackers got the key, and whether other keys were compromised.

Horse’s mouth? Shir Tamari—“Incident seems to have a broader scope than originally assumed”:

Critical keys
The compromised signing key was more powerful than it may have seemed, and was not limited to just those two services … OWA and Outlook.com. … The compromised MSA key could have allowed the threat actor to forge access tokens for multiple types of Azure Active Directory applications. [Despite] Microsoft’s certificate revocation, applications that rely on local certificate stores or cached keys [are still] susceptible to token forgery.

Although the compromised key … was a private key designed for Microsoft’s MSA tenant in Azure, it … was trusted to sign any OpenID v2.0 access token for personal accounts and mixed-audience … multi-tenant … AAD applications. … The threat actor could forge valid access tokens and impersonate application users who signed in with their Personal Microsoft account.

Why is it so impactful? Identity providers’ signing keys are probably the most powerful secrets in the modern world. … One can gain immediate single hop access to everything—any email box, file service or cloud account. … Cloud service providers must commit to a greater level of security and transparency concerning how they protect critical keys such as this.

What’s that old saying? It’s on the tip of userbinator’s tongue:

People don’t seem to know that old saying about not putting all your eggs in one basket any more. … They are in many ways equivalent to certificate authorities’ keys.

Sounds bad that Microsoft allowed the key to walk. dajames eyerolls furiously:

Those who’ve heard of security generate their top-level keys (the keys used to sign other keys) inside dedicated tamper-proof hardware security modules. The keys can then be used inside the said modules but not exported in any way (except perhaps in an encrypted backup).

But this is Microsoft we’re talking about.

And Microsoft had more than one failing, says Murdoch5:

It was bound to happen. I’m still unclear why the emails were left in an unencrypted state, or why the encryption keys were stored alongside.

The real conversation we need to be having is if it’s time to start taking communication security seriously. The global response to community security, from various governments, is that it doesn’t matter: You have no right to privacy, and what you say better be government approved.

Security and Tech minded people can say, “Encrypt Encrypt Encrypt,” all day long. But if the tools and platforms aren’t making that motto accessible, then it’s all crickets in the field.

But should we really put all the blame on Microsoft? This Anonymous Coward gives Redmond no quarter:

30+ Years of getting away with shoddy code make it clear that the customer’s security isn’t exactly Microsoft’s priority. Unless someone finds a way to connect it to the protection of executive bonuses that isn’t going to change either.

What price transparency? dhx sounds deeply unimpressed:

When Microsoft explained to their customers, “Storm-0558 acquired an inactive MSA consumer signing key,” they should have said, “Storm-0558 acquired an expired MSA consumer signing key.”

And when they said, “A validation issue allowed this key to be trusted for signing Azure AD tokens,” they should have said, “Multiple validation issues allowed this key to be trusted for signing Azure AD tokens.”

Meanwhile, ecofeco sounds slightly cynical:

Everyone affected will just carry on as if nothing happened … and nothing will be learned except to make more busywork for system admins.

And Finally:

Jacko, dubplate style

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Brian Smale (cc:by-sa; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 492 posts and counting.See all posts by richi