
July 21, 2023

Stolen Microsoft signing key may have bigger impact than originally believed


According to a recent report published by cloud security company Wiz, Chinese state-sponsored hackers’ recent use of a stolen inactive Microsoft Account (MSA) key may not be limited to attacks on Outlook.com and Exchange as previously stated by Microsoft. Rather, the threat may extend to Azure applications that use Microsoft’s OpenID v2.0, including SharePoint, Teams, and OneDrive. It may also affect millions of Microsoft customer applications that use the “login with Microsoft” function.

The research concluded that the stolen MSA key was issued in 2016 and wasn’t revoked until sometime between late June and July 2023. Most Azure Active Directory applications will no longer accept tokens from the revoked MSA key. However, researchers are concerned that hackers could have leveraged their unauthorized access to services to establish persistence before the key was revoked. Additionally, applications that use local certificate stores or cached keys will still trust the compromised key until the cache is updated.

What’s more, low-tier Azure customers have limited ability to identify whether they have been targeted because they lack access to cloud security logs. In response to this issue, Microsoft provided expanded access to logs to aid in forensic analysis.

Source: Security Week

Analysis

Should this research prove to be accurate, the impact of a state-sponsored cyber actor having access to an MSA key, potentially since 2016, capable of signing access tokens for millions of applications, will be significant. It could take weeks, possibly months, for organizations and application developers to identify accounts that may have been accessed without authorization and eradicate persistence mechanisms that may have been deployed.

Currently, Microsoft has only confirmed that the stolen MSA key was used to forge tokens for Outlook.com and Exchange Online and that only 25 victim organizations were affected. Microsoft says it continues to investigate how the key was obtained and how the inactive key could still be used to forge tokens. It’s highly likely that Microsoft will issue a new statement regarding this new research to confirm whether the scope of the forged token attack is significantly larger than it initially stated.

This case highlights the importance of securing and rotating MSA keys, and secret keys writ large, regularly so that they don’t fall into the hands of malicious actors—or if they do, there’s limited time to abuse them before they expire.

Mitigation

Covalence users are automatically notified when suspicious activity is detected in their cloud environment and are encouraged to review these AROs as quickly as possible.

Field Effect recommends that Azure users update the Software Development Kit (SDK) of their Azure application as soon as possible. In addition, cached versions of the Microsoft OpenID public certificates should be manually refreshed.
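The cache problem described above (a key set cached locally keeps trusting a revoked signing key until it is refreshed) and the recommended fix (refresh the cached public keys) can be shown in a few lines. The following is an added example, not code from Field Effect, Wiz or Microsoft: it models a token-validating application that caches the issuer's published JSON Web Key Set (JWKS) and resolves the key named by a token's `kid` header. The key sets, key IDs (`key-2016`, `key-2023`), issuer URL and tokens are all constructed placeholders, not real Microsoft key material; the long cache TTL and the `JwksCache` class are assumptions about how such an application behaves. Signature verification over the resolved key is left to a JWT library and is not shown.

```python
import base64
import json

# Constructed sample key sets (placeholders, not real key material).
# "key-2016" stands in for the revoked signing key, "key-2023" for the current one.
JWKS_BEFORE_REVOCATION = {"keys": [
    {"kid": "key-2016", "kty": "RSA", "e": "AQAB", "n": "PLACEHOLDER_OLD_MODULUS"},
    {"kid": "key-2023", "kty": "RSA", "e": "AQAB", "n": "PLACEHOLDER_NEW_MODULUS"},
]}
JWKS_AFTER_REVOCATION = {"keys": [
    {"kid": "key-2023", "kty": "RSA", "e": "AQAB", "n": "PLACEHOLDER_NEW_MODULUS"},
]}


class JwksCache:
    """Caches an issuer's published signing keys and re-fetches them when the TTL expires.

    fetch_jwks is a callable returning the current JWKS document; in a real
    application it would be an HTTPS GET of the issuer's jwks_uri.
    """

    def __init__(self, fetch_jwks, ttl_seconds):
        self._fetch = fetch_jwks
        self._ttl = ttl_seconds
        self._keys = {}
        self._fetched_at = None

    def refresh(self, now):
        """Force a re-fetch: the 'manual refresh' to run after a key revocation."""
        doc = self._fetch()
        self._keys = {k["kid"]: k for k in doc["keys"]}
        self._fetched_at = now

    def get_key(self, kid, now):
        """Return the key for `kid`, or None if the issuer no longer publishes it."""
        if self._fetched_at is None or now - self._fetched_at >= self._ttl:
            self.refresh(now)
        key = self._keys.get(kid)
        if key is None:
            # Unknown kid: re-fetch once in case the issuer rotated keys, then reject
            # if it is still absent. Rate-limit this path in production so that
            # unknown kids cannot be used to hammer the jwks_uri.
            self.refresh(now)
            key = self._keys.get(kid)
        return key


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def token_kid(token):
    """Read the `kid` from a JWT header; nothing else in the header is trusted."""
    header = json.loads(_b64url_decode(token.split(".")[0]))
    return header.get("kid")


def key_for_token(cache, token, now):
    """Resolve the key a token claims to be signed with, or None if it is not published."""
    kid = token_kid(token)
    return None if kid is None else cache.get_key(kid, now)


def make_unsigned_token(kid):
    """Build a constructed token whose header names `kid`; the signature is a placeholder."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": kid}).encode())
    payload = _b64url_encode(json.dumps({"iss": "https://login.example.test", "sub": "user"}).encode())
    return f"{header}.{payload}.PLACEHOLDER_SIGNATURE"


def scenario():
    """Walk through the stale-cache failure mode and the refresh that fixes it."""
    published = {"doc": JWKS_BEFORE_REVOCATION}
    long_cache = JwksCache(lambda: published["doc"], ttl_seconds=30 * 24 * 3600)  # month-long cache
    short_cache = JwksCache(lambda: published["doc"], ttl_seconds=3600)           # hourly cache
    t0 = 1_700_000_000
    forged = make_unsigned_token("key-2016")
    legit = make_unsigned_token("key-2023")
    results = {}
    # Day 0: the issuer still publishes key-2016, so both caches resolve it.
    results["before_revocation"] = (key_for_token(long_cache, forged, t0) is not None
                                    and key_for_token(short_cache, forged, t0) is not None)
    # The issuer revokes key-2016 by dropping it from the JWKS. Two hours later:
    published["doc"] = JWKS_AFTER_REVOCATION
    t1 = t0 + 2 * 3600
    results["stale_long_cache_still_trusts"] = key_for_token(long_cache, forged, t1) is not None
    results["short_cache_rejects"] = key_for_token(short_cache, forged, t1) is None
    results["legit_still_resolves"] = key_for_token(short_cache, legit, t1) is not None
    # Manual refresh of the long-lived cache: the mitigation recommended above.
    long_cache.refresh(t1)
    results["after_manual_refresh_rejects"] = key_for_token(long_cache, forged, t1) is None
    return results


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```

The month-long cache keeps resolving the revoked `key-2016` for as long as its TTL lasts, which is exactly the window the researchers are worried about; the hourly cache and the manually refreshed cache both stop resolving it, so any token still presenting that `kid` fails validation before a signature is even checked.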

For added situational awareness, Azure users may wish to search cloud logs for forged token usage and leverage the Indicators of Compromise (IoCs) published by Microsoft.
