US Senator Wyden demands that Microsoft be held accountable for the cloud services data theft fiasco.

Luis Alfonso Rodríguez de Trío
3 min read · Jul 28, 2023

https://www.securityweek.com/us-senator-wyden-accuses-microsoft-of-cybersecurity-negligence/

Not only that, but US Senator Wyden is asking CISA, the Attorney General and the FTC to investigate:
- Whether the stolen key was properly stored in a Hardware Security Module, as Microsoft’s own advisories recommend.
- If not, why this technical control risk gap wasn’t raised during the certification audits or Microsoft’s internal periodic reviews. (Some fellow auditors would end up in hot water…)
- Whether Microsoft, as a government contractor, failed to follow the required cybersecurity standards, thereby negligently violating Federal Law.
- Whether Microsoft Account (the service from which the key was stolen), as successor to Passport, inherits the obligation to “establish and maintain a… comprehensive information security program… to protect the confidentiality and integrity of PII collected from/about consumers”. Those obligations were included in the consent decree for Passport that expired in Dec 2022; but the malpractices that led to this cyberincident could predate that end-of-contract date, making Microsoft responsible.

Storm-0558 Threat Actor (PRC Nation-State affiliated) was able to acquire an inactive MSA consumer signing key and used it to forge authentication tokens for Azure AD enterprise and MSA consumer to access OWA and Outlook.com.
Though the key was intended only for MSA accounts, a validation issue allowed (!!!) this key to be trusted for signing Azure AD tokens.
Once authenticated through a legitimate client flow leveraging the forged token, the threat actor accessed the OWA API to retrieve a token for Exchange Online from the GetAccessTokenForResource API used by OWA. The actor was able to obtain new access tokens by presenting one previously issued from this API due to a design flaw. The actor used these tokens to retrieve mail messages from the OWA API.
To perform actions on objectives, Storm-0558 uses PowerShell and Python scripts to perform REST API calls against the OWA Exchange Store service.
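The “validation issue” described above comes down to a token validator that resolves a signing key without asking which issuer that key is allowed to vouch for. The following added example (my own illustration, not Microsoft’s code or any real token format) puts the flawed validation pattern beside the hardened one. The issuer URLs are used only as labels, the key names and key material are constructed, and HMAC stands in for the asymmetric keys a real JWKS would hold so the example runs with the Python standard library alone:

```python
import base64
import hashlib
import hmac
import json

# Issuer labels and per-issuer key sets. Key material is constructed for the
# demo; HMAC replaces the RSA keys a real identity provider would publish so
# that nothing beyond the standard library is needed.
MSA_ISSUER = "https://login.live.com"              # consumer (MSA) tokens
AAD_ISSUER = "https://login.microsoftonline.com"   # enterprise (Azure AD) tokens
KEYSETS = {
    MSA_ISSUER: {"msa-kid-1": b"constructed-msa-consumer-signing-key"},
    AAD_ISSUER: {"aad-kid-1": b"constructed-aad-enterprise-signing-key"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()


def mint_token(key_issuer: str, kid: str, claims: dict) -> str:
    """Test fixture: build a JWS-style token signed with one of the demo keys.
    key_issuer selects the key set; the claims carry whatever 'iss' the test
    wants to present, which is what lets us probe the two validators."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    return signing_input + "." + _b64url(_mac(KEYSETS[key_issuer][kid], signing_input))


def _split(token: str):
    h, p, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s), h + "." + p


def validate_weak(token: str, expected_issuer: str) -> bool:
    """The flawed pattern: resolve 'kid' across every trusted key set, then
    check the 'iss' claim. Any trusted key can vouch for any issuer, so a token
    signed with the consumer key but claiming the enterprise issuer passes."""
    header, claims, sig, signing_input = _split(token)
    for keyset in KEYSETS.values():
        key = keyset.get(header.get("kid"))
        if key is not None and hmac.compare_digest(_mac(key, signing_input), sig):
            return claims.get("iss") == expected_issuer
    return False


def validate_scoped(token: str, expected_issuer: str) -> bool:
    """The hardened pattern: the relying party decides which issuer it trusts,
    requires 'iss' to match, and resolves 'kid' only inside that issuer's own
    key set. A key from another issuer's set is simply unknown here."""
    header, claims, sig, signing_input = _split(token)
    if claims.get("iss") != expected_issuer:
        return False
    key = KEYSETS.get(expected_issuer, {}).get(header.get("kid"))
    if key is None:
        return False
    return hmac.compare_digest(_mac(key, signing_input), sig)


if __name__ == "__main__":
    forged = mint_token(MSA_ISSUER, "msa-kid-1", {"iss": AAD_ISSUER, "sub": "user@corp.example"})
    print("weak validator accepts forged token:  ", validate_weak(forged, AAD_ISSUER))    # True
    print("scoped validator accepts forged token:", validate_scoped(forged, AAD_ISSUER))  # False
```

The point of `validate_scoped` is that key lookup is keyed by the issuer the relying party expects, never by the `kid` alone. A production validator would additionally pin the accepted `alg`, check `exp`, `nbf` and `aud`, and fetch its key set from the issuer’s metadata rather than a static table; those checks are omitted here to keep the contrast between the two lookups visible.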

The scripts use previously stolen, highly sensitive hardcoded information such as bearer access tokens and email data to perform the OWA API calls. Owning the API gives the following capabilities:
- Download emails
- Download attachments
- Locate and download conversations
- Get email folder information

For anonymity, these calls are routed through a Tor proxy or several hardcoded SOCKS5 proxy servers.
For obfuscation, several different User-Agents are used when issuing the web requests: different Mozilla, Edge and Chrome versions with different WebKit builds.
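The proxy rotation and User-Agent rotation just described are also what makes this activity stand out in mailbox-access telemetry: one account, many egress addresses and many client strings inside a few minutes. The following added detection example is mine, not part of the original post. The log records are constructed and their field names are invented for the demo; map them onto whatever your own mailbox-access audit source emits (the sample IPs come from documentation ranges):

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). One record per OWA API call.
SAMPLE_LOG = [
    '{"ts": "2023-07-10T09:00:05Z", "user": "alice@agency.example", "src_ip": "198.51.100.7", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/114.0", "op": "GetConversationItems"}',
    '{"ts": "2023-07-10T09:01:40Z", "user": "alice@agency.example", "src_ip": "203.0.113.21", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Edg/113.0", "op": "GetAttachment"}',
    '{"ts": "2023-07-10T09:03:12Z", "user": "alice@agency.example", "src_ip": "198.51.100.42", "user_agent": "Mozilla/5.0 (Windows NT 6.1; rv:109.0) Gecko/20100101 Firefox/115.0", "op": "GetConversationItems"}',
    '{"ts": "2023-07-10T09:04:50Z", "user": "alice@agency.example", "src_ip": "203.0.113.9", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/112.0", "op": "FindItem"}',
    '{"ts": "2023-07-10T09:00:30Z", "user": "bob@agency.example", "src_ip": "192.0.2.15", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Edg/114.0", "op": "FindItem"}',
    '{"ts": "2023-07-10T09:20:00Z", "user": "bob@agency.example", "src_ip": "192.0.2.15", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Edg/114.0", "op": "GetAttachment"}',
    '{"ts": "2023-07-10T11:00:00Z", "user": "bob@agency.example", "src_ip": "192.0.2.15", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Edg/114.0", "op": "GetConversationItems"}',
]


def parse_record(line: str) -> dict:
    """Parse one JSON log line and turn the timestamp into a datetime."""
    rec = json.loads(line)
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_rotating_clients(lines, window=timedelta(minutes=10), ua_threshold=3, ip_threshold=3):
    """Return one alert per mailbox whose calls inside any `window` come from at
    least `ua_threshold` distinct User-Agents or `ip_threshold` distinct source
    IPs. A genuine client normally keeps one UA string and one egress address
    for the length of a session; a proxy-hopping script does not."""
    by_user = defaultdict(list)
    for rec in sorted(map(parse_record, lines), key=lambda r: r["ts"]):
        by_user[rec["user"]].append(rec)

    alerts = []
    for user, recs in by_user.items():
        # Slide a window that starts at each call in turn.
        for i, first in enumerate(recs):
            bucket = [r for r in recs[i:] if r["ts"] - first["ts"] <= window]
            uas = {r["user_agent"] for r in bucket}
            ips = {r["src_ip"] for r in bucket}
            if len(uas) >= ua_threshold or len(ips) >= ip_threshold:
                alerts.append({
                    "user": user,
                    "window_start": first["ts"].isoformat(),
                    "distinct_user_agents": len(uas),
                    "distinct_src_ips": len(ips),
                    "operations": sorted({r["op"] for r in bucket}),
                })
                break  # one alert per mailbox is enough to open a case
    return alerts


if __name__ == "__main__":
    for alert in find_rotating_clients(SAMPLE_LOG):
        print(json.dumps(alert))
```

The thresholds are deliberately low for a demo; in a real tenant, tune `window`, `ua_threshold` and `ip_threshold` against a baseline of legitimate clients (mobile users switching between Wi-Fi and cellular will legitimately show two or three addresses in a day, but rarely four client strings in five minutes). This kind of detection only works if the mailbox-access events are being recorded in the first place, which is exactly the licensing problem the post describes below.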

When the data theft had victimized around 25 (Federal) organizations, it turned out that most of their middle-tier licenses didn’t allow any visibility into the cloud security logs, needed for post-mortem forensics. Brilliant license model.
Even worse, the “validation issue” was more of a severe vulnerability that allowed the attacker to move laterally from the initial customer account compromise to corporate accounts.
The icing on the cake is that (obviously) not only webmail apps were affected. Outlook shares the authentication model with Office 365, SharePoint, Teams and probably something more I’m not aware of. Oh yeah, OneDrive!
Although the compromised key was revoked, quoting Shir Tamari (Wiz): “… prior to the revocation, the malicious actor could have leveraged its access to establish persistence. … (by issuing) application-specific access keys or setting application-specific backdoors. Also … applications that rely on local certificate stores or cached keys and still trust the compromised key are susceptible to token forgery.”
An immediate refresh of trusted certificate lists and local store caches is what the doctor recommends.
Also, updating the Azure SDK to the latest version is a recommended mitigation.

This time it seems that this is going to end very differently from the SolarWinds hack, where Microsoft was able to deflect cyberblame onto users.
And I don’t find an appropriate emoticon for this.

Luis Alfonso Rodríguez de Trío

Internal Audit Tech & Cybersec / Senior Cybersecurity Leadership / IT Director. MBA, CCISO, CISM, CEH, CHFI, ECIH, Security +, ECI.