Microsoft 365 Breach: Millions of Azure AD Apps at Risk

The Storm-0558 Breach: A Further-Reaching and Impactful Threat

The recent Storm-0558 breach, which granted Chinese advanced persistent threat (APT) actors access to emails within 25 US government agencies, has revealed a potential risk that goes beyond what was initially anticipated. The breach not only put Microsoft cloud services at risk but also highlighted deficiencies in authentication logging practices at many organizations. As a result, it will take weeks, if not months, to determine the full scope of compromise that stems from this situation.

The Email Breach and the Swiped MSA Key

The Storm-0558 APT group managed to obtain access to Microsoft 365 enterprise email accounts and potentially sensitive information by using a stolen Microsoft account (MSA) key to forge authentication tokens. This allowed them to masquerade as authorized Azure Active Directory (AD) users. However, recent research from Wiz suggests that the swiped MSA key could have been used to forge access tokens for multiple types of Azure AD applications.

According to Wiz’s head of research, Shir Tamari, the APT group could potentially have immediate access to any email box, file service, or cloud account. This means that services such as SharePoint, Teams, OneDrive, and customers’ applications that support the “login with Microsoft” functionality are also at risk. Personal Microsoft accounts for services like Skype and Xbox are also vulnerable.

The Lack of Authentication Logging and the Logging Tax

Determining the extent of the Storm-0558 breach is challenging because many organizations lack authentication logging. Application-specific logging follows no standardized practice, so application owners have difficulty detecting forged tokens used against their applications. Without detailed logs containing the raw access token or its signing key, identifying and investigating such events becomes exceedingly challenging.

This lack of visibility is exacerbated by the fact that advanced logging, which could detect anomalous behavior, has only been available as part of a paid premium service. However, in response to industry pressure, Microsoft has pledged to make access to advanced logging free. While this change is promising, it will take time for customers to implement and use globally.

Azure AD Customers Still at Risk

Despite the revocation of the stolen key, Wiz warns that some Azure AD customers may still be at risk. The Storm-0558 group could have leveraged its access to establish persistence by issuing itself application-specific access keys or setting up backdoors. Additionally, applications that retained copies of the Azure AD public keys prior to the revocation, as well as those relying on local certificate stores or cached keys, may remain vulnerable to token forgery.

To mitigate these risks, Wiz advises organizations to immediately refresh the list of trusted certificates and update their Azure SDKs to the latest version. It is also crucial to ensure that application caches are updated regularly. Microsoft recommends refreshing the cache of local stores and certificates at least once a day.
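As an added illustration, not code from the article, Wiz or Microsoft, the following Python simulates why an application that caches the provider's key set keeps accepting tokens after the signing key is withdrawn, and how a daily refresh closes that window. HS256 and all key material are constructed stand-ins for Azure AD's published RSA keys, and the `fetch` callable stands in for the provider's JWKS endpoint.

```python
import base64, hashlib, hmac, json

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(kid, secret, claims):
    """Constructed token; HS256 stands in for Azure AD's RS256 so the example runs offline."""
    header = b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

class KeyCache:
    """Caches the provider's key set; re-fetches when the TTL lapses or a kid is unknown."""
    def __init__(self, fetch, ttl_seconds, now):
        self.fetch, self.ttl, self.now = fetch, ttl_seconds, now
        self.keys, self.fetched_at = {}, float("-inf")
    def get(self, kid):
        if self.now() - self.fetched_at > self.ttl or kid not in self.keys:
            self.keys, self.fetched_at = self.fetch(), self.now()
        return self.keys.get(kid)  # None: never published, or withdrawn since

def verify(token, cache):
    """Return the claims if the signature matches a currently published key, else None."""
    try:
        h, p, s = token.split(".")
        kid = json.loads(b64url_decode(h))["kid"]
    except (ValueError, KeyError):
        return None
    secret = cache.get(kid)
    if secret is None:
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return json.loads(b64url_decode(p)) if hmac.compare_digest(expected, b64url_decode(s)) else None

def demo():
    """Same token checked by a 30-day cache and a daily cache two days after revocation."""
    clock = [0.0]
    published = {"kid-2023-06": b"constructed-key-material"}   # the provider's key set
    fetch = lambda: dict(published)
    stale = KeyCache(fetch, 30 * 86400, now=lambda: clock[0])
    daily = KeyCache(fetch, 86400, now=lambda: clock[0])
    token = make_token("kid-2023-06", b"constructed-key-material", {"sub": "alice"})
    verify(token, stale); verify(token, daily)     # both caches load the key set now
    del published["kid-2023-06"]                   # provider withdraws the key
    clock[0] += 2 * 86400                          # two days later the token reappears
    return verify(token, stale) is not None, verify(token, daily) is not None
```

`demo()` returns `(True, False)`: the long-lived cache still honours the withdrawn key, the daily-refreshed one does not. A production validator should also rate-limit the refresh triggered by an unknown `kid`, since otherwise every garbage token costs a round trip to the provider.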

Implications for Cloud Security and Beyond

The Storm-0558 breach, with its extensive reach and potential impact on Microsoft cloud services, raises important questions about the trustworthiness of the cloud and its underlying components. The identity layer, the foundation for everything done in the cloud, was the component exposed in this incident.

As we analyze the full impact of this breach, it is essential to learn from it and strive for improvement. Cloud providers must prioritize security measures and offer robust authentication logging practices to detect and prevent such attacks. Additionally, organizations should continuously update their software and security protocols to stay ahead of emerging threats.

The Storm-0558 breach serves as a sobering reminder that cybersecurity is an ongoing battle. By investing in robust security practices, standardized logging procedures, and increased transparency, we can better protect our digital infrastructure from advanced threats.
