Microsoft Cloud Breach: 5 Key Findings From Wiz
Researchers at cloud security vendor Wiz suggest the breach that impacted Microsoft cloud email users was ‘more impactful’ than previously understood.
Microsoft Cloud Breach
The recent compromise of Microsoft cloud email accounts is troubling for a number of reasons, including the fact that multiple U.S. government agencies were among the victims of the China-linked hack. But according to researchers at cloud security vendor Wiz, the impacts of the incident could go much further than previously admitted by Microsoft.
Microsoft has said a stolen Azure Active Directory key was misused to forge authentication tokens and gain access to emails from an estimated 25 organizations. The Redmond, Wash.-based tech giant said it has since fixed an API flaw that helped to enable the hack (though the company said July 14 that it didn’t know how an attacker was able to steal an Azure AD key used in the compromise).
Microsoft has attributed the breach to a hacking group working on behalf of the Chinese government, which the company tracks under the identifier “Storm-0558.” The breach — which is believed to have begun on May 15 — was discovered after a U.S. federal civilian agency “identified suspicious activity in their Microsoft 365 (M365) cloud environment,” and reported it to Microsoft, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in a post.
Several reports have identified the agency as the State Department. Media reports indicate that the Commerce Department was also impacted in the attacks, and that an account belonging to Commerce Secretary Gina Raimondo was among those compromised in the breach.
According to CISA, the data stolen in the attack was not classified, and the number of impacted accounts was minimal. “Microsoft determined that APT actors accessed and exfiltrated unclassified Exchange Online Outlook data from a small number of accounts,” CISA said in its post.
Researchers at Wiz, however, suggest that Microsoft customers will want to take another look at the potential impacts from the breach, given their latest findings. “We believe this event will have long-lasting implications on our trust of the cloud and the core components that support it, above all, the identity layer which is the basic fabric of everything we do in cloud,” wrote Shir Tamari, head of research at Wiz, in a post about the Wiz research team’s findings. In recent years, Wiz has discovered numerous security issues impacting Microsoft cloud platforms including Azure.
In a statement provided to CRN Monday, responding to the Wiz findings, Microsoft said that it has “not observed those outcomes in the wild.”
What follows are five things to know about Wiz’s findings on the Microsoft cloud email breach.
The stolen Azure Active Directory key used in the Microsoft cloud email compromise was initially thought to only have been capable of fabricating access tokens for two Microsoft services — Outlook Web Access and Outlook.com. But the potential uses of the Azure AD key have been “more impactful than we thought,” Tamari wrote in the Wiz post.
Researchers at Wiz have discovered that “the compromised signing key was more powerful than it may have seemed, and was not limited to just those two services,” he wrote.
In comments provided to BleepingComputer, Ami Luttwak, co-founder and CTO at Wiz, reportedly said that having an Azure AD signing key can provide access to “almost any app – as any user.” A threat actor with this key is “the most powerful attacker you can imagine,” Luttwak reportedly told the outlet.
Ultimately, the “full impact of this incident is much larger than we initially understood it to be,” Tamari wrote.
According to the blog post from Tamari, Wiz researchers have determined that the compromised Microsoft key “could have allowed the threat actor to forge access tokens for multiple types of Azure Active Directory applications.” That includes “every application that supports personal account authentication, such as SharePoint, Teams, OneDrive, customers’ applications that support the ‘login with Microsoft’ functionality, and multi-tenant applications in certain conditions.”
“With identity provider keys, one can gain immediate single hop access to everything, any email box, file service or cloud account,” Tamari wrote in the post — adding that “this isn’t a Microsoft specific issue.” In the event that a signing key “for Google, Facebook, Okta or any other major identity provider leaks, the implications are hard to comprehend,” he wrote. “Our industry – and especially cloud service providers – must commit to a greater level of security and transparency concerning how they protect critical keys such as this one, to prevent future incidents and limit their potential impact.”
In addition to uncovering that the Microsoft signing key could have a broader impact and wider implications for customers than previously believed, Wiz researchers also reported discovering a further complication to the issue. That is, detection of forged token usage is tricky, according to Tamari.
“While Microsoft mitigated this risk by revoking the impacted encryption key and publishing attacker IOCs, we discovered that it may be difficult for customers to detect the use of forged tokens against their applications due to lack of logs on crucial fields related to the token verification process,” he wrote in the post.
“Unfortunately, there is a lack of standardized practices when it comes to application-specific logging,” Tamari wrote. “Therefore, in most cases, application owners do not have detailed logs containing the raw access token or its signing key. As a result, identifying and investigating such events can prove exceedingly challenging for app owners.”
Assessing The Impact
According to Wiz researchers, given the potentially “broader scope than originally assumed” of the Microsoft cloud email incident, “organizations using Microsoft and Azure services should take steps to assess potential impact,” Tamari wrote.
“Since the threat actor can forge access tokens offline, there is no trail in the Azure portal for token issuance,” Tamari wrote. “The only way for cloud customers to identify whether the key was used to target their apps or users is by reviewing application-specific logs for potentially affected AAD apps. Therefore, application owners who want to protect their systems will have to check whether a forged token has been used against their applications.”
Overall, it’s currently “hard to determine the full extent of the incident as there were millions of applications that were potentially vulnerable, both Microsoft apps and customer apps, and the majority of them lack the sufficient logs to determine if they were compromised or not,” he wrote. But among the most-critical steps to take for application owners is to update their Azure SDK to the most recent version and make sure that their application cache is up-to-date. “Otherwise their apps may still be vulnerable to a threat actor using the compromised key,” Tamari wrote.
Microsoft responded to the findings in the Wiz blog post in a statement provided to CRN Monday. “This blog highlights some hypothetical attack scenarios, but we’ve not observed those outcomes in the wild,” Microsoft said in the statement.
The company said it recommends that customers review its July 14 post on the incident, in order to “learn more about this incident and investigate their own environments using the Indicators of Compromise (IOCs) that we’ve made public.” Microsoft noted that has “also recently expanded security logging availability, making it free for more customers by default, to help enterprises manage an increasingly complex threat landscape.”
Microsoft has pledged to make significant changes in response to the attacks, including with its promise that access to a wider set of cloud logs — which were pivotal in identifying the recent cloud email breach — will be made available to customers for free “over the coming months.”
“As our expanded logging defaults roll out, Microsoft Purview Audit (Standard) customers will receive deeper visibility into security data, including detailed logs of email access and more than 30 other types of log data previously only available at the Microsoft Purview Audit (Premium) subscription level,” Microsoft said in a recent post. “In addition to new logging events becoming available, Microsoft is also increasing the default retention period for Audit Standard customers from 90 days to 180 days.”
In a comment provided to The Washington Post, a Microsoft spokesperson reportedly said of the Wiz post that “many of the claims made in this blog are speculative and not evidence-based.” Specific claims were not singled out, but the report indicated that Microsoft does not believe attackers went beyond targeted accounts. In addition to Raimondo, other high-profile victims of the attacks included Nicholas Burns, the U.S. ambassador to China, the report said.