Microsoft has denied claims that the Chinese threat actors who recently broke into its systems could have cracked its cloud services as well. The company is standing by its previous assessment that it was only Exchange Online and Outlook.com that were compromised, and that it managed to fix the issue and expel the crooks.
In mid-July 2023, Microsoft announced that a threat actor known as Storm-0558, seemingly a Chinese state-sponsored group, managed to access Exchange Online and Azure Active Directory (AD) accounts in roughly two dozen instances affecting, among others, U.S. government agencies. It was later discovered that the US State Department was one of those agencies, and that its cybersecurity experts were the ones who tipped Microsoft off about the hack in the first place.
To breach the systems, the attackers exploited a zero-day in the GetAccessTokenForResourceAPI, which allowed them to create signed access tokens and impersonate accounts. The zero-day has since been addressed.
However, cybersecurity researcher Shir Tamari from Wiz claimed that the company’s research determined that all Azure AD applications operating within Microsoft’s OpenID v.2.0 were affected, because the key the crooks used could have signed any OpenID v.2.0 access token.
“This includes managed Microsoft applications, such as Outlook, SharePoint, OneDrive, and Teams, as well as customers’ applications that support Microsoft Account authentication, including those who allow the ‘Login with Microsoft’ functionality,” Tamari said.
But Microsoft is adamant this isn’t the case. In a statement shared with the media, the company said “many of the claims made in this blog are speculative and not evidence-based.”
It also says that after the stolen signing key was invalidated, there was no evidence that the same technique was used to access additional accounts. Furthermore, the company claims Storm-0558 changed its tactics, suggesting that the signing keys were no longer a useful tool. Finally, responding to an article on BleepingComputer, the Redmond giant said the flaw only impacted applications that accepted personal accounts and contained the token validation error.
Analysis: Why does it matter?
If Wiz’s analysis is correct and the attackers did have access to more apps than Microsoft claims, then the scope of the attack is a lot broader and the ramifications significantly larger. While email accounts undoubtedly held plenty of sensitive information, access to Microsoft’s cloud storage service OneDrive, as well as to its instant messaging and online collaboration platform Teams, would give the attackers much deeper insight into the operations of Western governments.
Given that the entire goal of the operation was cyber-espionage, this would make it a bigger success and would put far more pressure on Microsoft, and on other cloud service providers as well, to tighten up security and be more transparent about their operations.
On top of that, cloud service providers will now be under more pressure to offer state-of-the-art security solutions to all clients, regardless of their payment plan or tier. The logging tool that allowed the U.S. State Department to spot the intrusion in the first place was reserved for users of “E5”, Microsoft’s highest payment tier. Many other organizations that did not pay for this tier had no way of knowing they had been breached and their data was being analyzed.
Late last week, Microsoft confirmed it would be making 31 critically important security logs available to its customers using cheaper cloud service packages, including the email log that the State Department used to spot the attack. Furthermore, the duration of retention for security logs is being extended from 90 to 180 days. The change is expected to take effect in September 2023.
What have others said?
In its analysis, Wiz says the full impact of the incident is “much larger” than initially thought, and says the event will have “long-lasting implications on our trust of the cloud and the core components that support it.”
“At this stage, it is hard to determine the full extent of the incident as there were millions of applications that were potentially vulnerable, both Microsoft apps and customer apps, and the majority of them lack the sufficient logs to determine if they were compromised or not,” the researchers said. “However, there are some critical action items that application owners should perform. The first and foremost is to update their Azure SDK to the latest version and ensure their application cache is updated, otherwise their apps may still be vulnerable to a threat actor using the compromised key.”
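Two of the points above are easier to see in code: Microsoft’s statement that only applications with a token validation error were exposed, and Wiz’s advice that a stale application key cache can keep an invalidated key trusted. The following is an added, constructed Python model written for this page; it is not code from Microsoft, Wiz or the original article, and it does not claim to reproduce the actual flaw. It assumes two made-up issuers whose HMAC secrets stand in for the public keys a real OpenID provider publishes at a JWKS URL, and the names `WeakVerifier`, `HardenedVerifier`, `cross_issuer_check` and `stale_cache_check` are the example’s own. It shows one class of validation error of the kind described: accepting a key that belongs to one issuer as proof for a token that claims to come from another, and continuing to accept a cached key after the issuer has withdrawn it.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed model of two OpenID issuers, each publishing its own signing keys.
# Real providers publish RSA/EC public keys at a JWKS URL; HMAC secrets are used
# here only so the block runs offline. What matters is the binding between a
# key id (kid) and the issuer that owns it.
CONSUMER_ISSUER = "https://consumer.example/v2.0"  # stands in for a personal-account issuer
TENANT_ISSUER = "https://tenant.example/v2.0"      # stands in for an organisational tenant
PUBLISHED_KEYS = {
    CONSUMER_ISSUER: {"consumer-kid-1": b"consumer-secret"},
    TENANT_ISSUER: {"tenant-kid-1": b"tenant-secret"},
}
AUDIENCE = "api://example-app"  # constructed audience for the relying application


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, secret: bytes, claims: dict) -> str:
    """Mint a compact JWT (HS256 stand-in for a provider's RS256)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _split(token: str):
    h, p, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s), h + "." + p


def _signature_ok(secret: bytes, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def _claims_ok(claims: dict) -> bool:
    return claims.get("aud") == AUDIENCE and claims.get("exp", 0) > time.time()


class WeakVerifier:
    """Pools every issuer's keys, so a key from one issuer vouches for another's claims."""

    def __init__(self, key_sets: dict):
        self.keys = {kid: k for ks in key_sets.values() for kid, k in ks.items()}

    def verify(self, token: str):
        header, claims, sig, signing_input = _split(token)
        secret = self.keys.get(header.get("kid"))
        if secret and _signature_ok(secret, signing_input, sig) and _claims_ok(claims):
            return claims
        return None


class HardenedVerifier:
    """Accepts only trusted issuers and resolves the kid from that issuer's own key set."""

    def __init__(self, trusted_issuers, fetch_keys):
        self.trusted = set(trusted_issuers)
        self.fetch_keys = fetch_keys  # callable(issuer) -> {kid: key}; stands in for a JWKS fetch
        self.cache = {}

    def refresh(self, issuer: str) -> None:
        # Production code also refreshes on a TTL; a key the issuer has
        # invalidated simply disappears from the set on the next fetch.
        self.cache[issuer] = dict(self.fetch_keys(issuer))

    def verify(self, token: str):
        header, claims, sig, signing_input = _split(token)
        issuer, kid = claims.get("iss"), header.get("kid")
        if issuer not in self.trusted:
            return None
        if issuer not in self.cache or kid not in self.cache[issuer]:
            self.refresh(issuer)  # unknown kid: re-fetch before giving up
        secret = self.cache[issuer].get(kid)
        if secret and _signature_ok(secret, signing_input, sig) and _claims_ok(claims):
            return claims
        return None


def cross_issuer_check() -> tuple:
    """Negative test: a token signed with the consumer issuer's key but carrying the
    tenant issuer's iss claim. Returns (weak_accepts, hardened_accepts)."""
    claims = {"iss": TENANT_ISSUER, "aud": AUDIENCE, "sub": "user@tenant", "exp": int(time.time()) + 600}
    token = sign_token("consumer-kid-1", PUBLISHED_KEYS[CONSUMER_ISSUER]["consumer-kid-1"], claims)
    weak = WeakVerifier(PUBLISHED_KEYS)
    hardened = HardenedVerifier([TENANT_ISSUER], lambda iss: PUBLISHED_KEYS[iss])
    return weak.verify(token) is not None, hardened.verify(token) is not None


def stale_cache_check() -> tuple:
    """The consumer issuer withdraws consumer-kid-1 after the app has cached it.
    Returns (accepted_with_stale_cache, accepted_after_refresh)."""
    live = {CONSUMER_ISSUER: dict(PUBLISHED_KEYS[CONSUMER_ISSUER])}
    verifier = HardenedVerifier([CONSUMER_ISSUER], lambda iss: live[iss])
    claims = {"iss": CONSUMER_ISSUER, "aud": AUDIENCE, "sub": "user@consumer", "exp": int(time.time()) + 600}
    token = sign_token("consumer-kid-1", b"consumer-secret", claims)
    verifier.verify(token)                        # primes the cache while the key is still published
    live[CONSUMER_ISSUER] = {"consumer-kid-2": b"rotated-secret"}  # provider invalidates the old key
    stale = verifier.verify(token) is not None    # cached copy still vouches for the token
    verifier.refresh(CONSUMER_ISSUER)
    return stale, verifier.verify(token) is not None
```

Both checks return `(True, False)`: the pooled-key verifier accepts the cross-issuer token while the hardened one rejects it, and the hardened verifier keeps honouring a withdrawn key until its cache is refreshed. The design choice worth copying is in `HardenedVerifier.verify`: the issuer is decided first (and must be one the app trusts), and only that issuer’s key set may satisfy the `kid`; a cache that is refreshed on unknown `kid` values and on a TTL is what makes a key invalidation actually take effect at the relying application.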
Speaking to BleepingComputer, Wiz CTO and co-founder Ami Luttwak described why the incident is much larger, saying “Everything in the world of Microsoft leverages Azure Active Directory auth tokens for access. An attacker with an AAD signing key is the most powerful attacker you can imagine, because they can access almost any app – as any user. This is the ultimate cyber intelligence ‘shape shifter’ superpower.”
On Twitter, some users showed empathy towards Microsoft, saying that staying secure must be extremely difficult with so many signals to address daily. However, not everyone was as empathetic, with one user saying “Microsoft has consistently delivered products which are at times found ‘broken by design’ and has not ever had to show any accountability. They investigate, report on, explain, control and justify themselves. A decades-long travesty of due diligence.”
If you want to learn more about this attack, make sure to read our initial report.