On Friday, it was revealed that all Azure AD applications operating with Microsoft OpenID v2.0 were affected.

The recent intrusion into Microsoft's email infrastructure by the China-based actor Microsoft tracks as Storm-0558 was broader than first reported.

The stolen key could be used to sign access tokens for any application that relies on Microsoft's OpenID v2.0 endpoints, including personal Microsoft accounts (such as Xbox and Skype) and multi-tenant Azure AD applications.

According to cloud security company Wiz, the inactive Microsoft account (MSA) consumer signing key that was used to forge Azure Active Directory (AAD or Azure AD) tokens and gain illicit access to Outlook Web Access (OWA) and Outlook.com may also have allowed the adversary to forge access tokens for several other types of Azure Active Directory applications.

Ami Luttwak, chief technology officer and co-founder of Wiz, said that this is the ultimate cyber intelligence shapeshifter superpower. The compromised private key is powerful enough to impersonate any account within an affected customer application or Microsoft cloud application.

Wiz researcher Shir Tamari said that this includes Microsoft-managed applications such as Outlook, SharePoint, OneDrive and Teams, as well as customer applications that support Microsoft Account authentication, including those that offer "Login with Microsoft".

Microsoft is still investigating how the adversary acquired the MSA consumer signing key, and it is not yet clear whether the key was used beyond the roughly two dozen organisations whose email was accessed. Upon further analysis, Wiz found that all Azure personal-account v2.0 applications trust a list of 8 public keys and all Azure multi-tenant v2.0 applications trust a list of 7 public keys, and that the compromised key appeared in both lists.

In response, Microsoft revoked all previously active MSA signing keys and issued new ones. Redmond also moved the newly generated keys into the key store used for its enterprise systems, and tokens signed with the compromised key are no longer accepted, so the adversary cannot mint further tokens with it.
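The two paragraphs above describe the mechanism that made the key so dangerous (a consumer signing key listed in the key set that v2.0 applications trust) and the mitigation (removing it from that set). The following example, written for this article and not code from Wiz or Microsoft, models both: a minimal JWT validator with a JWKS lookup, a token minted with a "consumer" key that sits in the shared key list, and the same token checked again after the key is revoked. A toy unpadded RSA implementation stands in for RS256 so the example runs with the standard library only; it is not a secure signature scheme and exists purely so the key-set and claim checks around it can be exercised. The tenant id, audience and key ids are constructed placeholders, and the key lists are a simplified model of what Wiz described, not a copy of Microsoft's real JWKS.

```python
import base64
import hashlib
import json
import random

# Toy RSA (textbook, unpadded) standing in for RS256. NOT secure; it only lets the
# JWKS / claim checks below run offline without third-party libraries.

def _is_probable_prime(n, rounds=20):
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):  # Miller-Rabin
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def _i2b(i):
    return i.to_bytes((i.bit_length() + 7) // 8, "big")

def _b64u(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def gen_key(kid, bits=256):
    """Return (private key, public JWK). n is ~512 bits so a SHA-256 digest fits below it."""
    e = 65537
    while True:
        p, q = _gen_prime(bits), _gen_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so phi % e != 0 means gcd(e, phi) == 1
            break
    n = p * q
    priv = {"kid": kid, "n": n, "d": pow(e, -1, phi)}
    jwk = {"kty": "RSA", "use": "sig", "kid": kid, "n": _b64u(_i2b(n)), "e": _b64u(_i2b(e))}
    return priv, jwk

def sign_jwt(priv, claims):
    """Mint header.payload.signature; whoever holds the key chooses the claims."""
    header = {"alg": "RS256", "typ": "JWT", "kid": priv["kid"]}
    signing_input = _b64u(json.dumps(header).encode()) + "." + _b64u(json.dumps(claims).encode())
    h = int.from_bytes(hashlib.sha256(signing_input.encode()).digest(), "big")
    return signing_input + "." + _b64u(_i2b(pow(h, priv["d"], priv["n"])))

def validate(token, jwks, expected_iss, expected_aud, now):
    """Return (accepted, reason). Rejects unknown kid, bad signature, wrong iss/aud, expiry."""
    hdr_b64, claims_b64, sig_b64 = token.split(".")
    header = json.loads(_b64d(hdr_b64))
    claims = json.loads(_b64d(claims_b64))
    if header.get("alg") != "RS256":
        return False, "unexpected alg"
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:
        return False, "kid not in trusted key set (revoked or never trusted)"
    n = int.from_bytes(_b64d(key["n"]), "big")
    e = int.from_bytes(_b64d(key["e"]), "big")
    h = int.from_bytes(hashlib.sha256(f"{hdr_b64}.{claims_b64}".encode()).digest(), "big")
    if pow(int.from_bytes(_b64d(sig_b64), "big"), e, n) != h:
        return False, "bad signature"
    if claims.get("iss") != expected_iss:
        return False, "issuer mismatch"
    if claims.get("aud") != expected_aud:
        return False, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    return True, "ok"

def run_scenario():
    """Model of the incident: a consumer key present in the key list a multi-tenant app
    trusts lets its holder mint accepted tokens until the kid is removed from the list."""
    random.seed(0)  # deterministic toy keys for repeatable runs
    ent_priv, ent_jwk = gen_key("enterprise-key-1")     # constructed enterprise signing key
    msa_priv, msa_jwk = gen_key("msa-consumer-key-1")   # constructed stand-in for the stolen key
    tid = "11111111-2222-3333-4444-555555555555"        # constructed tenant id
    iss = f"https://login.microsoftonline.com/{tid}/v2.0"
    aud = "api://contoso-mail-app"                       # constructed application id
    now = 1_700_000_000
    claims = {"iss": iss, "aud": aud, "sub": "victim@contoso.example", "exp": now + 3600}

    genuine = sign_jwt(ent_priv, claims)
    forged = sign_jwt(msa_priv, claims)  # same claims, signed with the consumer key

    before = {"keys": [ent_jwk, msa_jwk]}  # key list with the consumer key still trusted
    after = {"keys": [ent_jwk]}            # key list after revocation

    return {
        "genuine_before": validate(genuine, before, iss, aud, now),
        "forged_before": validate(forged, before, iss, aud, now),
        "forged_after": validate(forged, after, iss, aud, now),
        "forged_stale_cache": validate(forged, before, iss, aud, now),  # app never refreshed keys
        "tampered": validate(forged[:-4] + "AAAA", before, iss, aud, now),
    }
```

Running `run_scenario()` shows the shape of the problem: the forged token passes every check while the consumer key is in the trusted list, because issuer and audience are attacker-chosen claims and the signature is genuinely valid. Removing the kid is what stops it, which is also the caveat for application owners: a validator that caches the JWKS indefinitely (the "forged_stale_cache" case) keeps accepting the forged token after Microsoft's revocation, so key sets should be refreshed on a short TTL and on any revocation notice, and a kid that disappears from the current list should be treated as untrusted rather than served from cache.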

Microsoft also reported seeing Storm-0558 shift to other techniques, which it took as an indication that the actor no longer has access to any signing keys.

Microsoft faced criticism for hampering organisations' ability to detect Storm-0558 activity promptly, because the mailbox audit events needed to spot it (the MailItemsAccessed events) were only available to customers with Purview Audit (Premium) licences.

The full extent of the incident is difficult to determine at this point because millions of applications, both Microsoft's own and customers', were potentially affected. Tamari added that most of these apps do not keep sufficient logs to determine whether or not they were compromised.

CyberShelter provides modern cybersecurity products and niche services that protect individuals and organisations against all kinds of cyber threats.