Writer: DeID Tech Group

Microsoft reports Cybersecurity incident involving signing keys


Part 1: A Brief Overview


In a recent development, Microsoft has reported a cyber-attack orchestrated by a threat actor known as Storm-0558, who used stolen signing keys to forge access tokens for Azure Active Directory (now known as Microsoft Entra). The seriousness of this incident means we will need to cover it over a few posts so we can understand the breadth and depth of what occurred. This incident underscores the increasing sophistication of cyber threats and the critical role of authentication and identity in cybersecurity.


Let's first establish what tokens and signing keys are, in the simplest terms, so we have a common understanding of what this attack entails. To increase the security of the internet overall, the prevalence of password usage is diminishing over time. One of the core changes to the use of passwords was the introduction of tokens. Tokens are a mechanism for services and systems to share authorization and authentication information without exposing personally identifiable information (PII).


To generate tokens you use a pair of keys: one publicly available and one held privately. The private key is used to generate a trustable "signature" that systems can use to verify who the token is for and what it is allowed to be used for. To access the information inside the token and to generate these signatures, the private key is required, so whoever holds the private key can use it as a signing key. Should this occur, it allows the threat actor to generate legitimate-looking tokens (signatures) that systems will automatically trust. In this incident, specifically what occurred is the theft of a private signing key.


Using the acquired consumer private signing key (the MSA key) to forge tokens gave the threat actor access to enterprise email on Outlook Web Access (OWA) and to consumer email accounts via Outlook.com. It is worth noting that MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems.


Building on this, the threat actor leveraged a second vulnerability, a flaw in token validation, that allowed them to move laterally through Microsoft's authentication systems, impersonate Azure Active Directory (Azure AD) users and gain access to enterprise mail.


The core concern here is that authentication tokens are a crucial part of current digital security standards. Think of them as a type of digital passport, granting users access to services and resources across the internet. This concept of trust is paramount to the overall system, similar to the trust placed in banks. If trust in an authentication provider erodes systemically, it can have a chain-reaction effect on its customers that can take months, if not years, to address and mitigate before the damage is contained.


In its mitigation reporting, Microsoft has stated that its telemetry indicates the threat actor's activities have been blocked. Microsoft also reports having taken proactive steps, including blocking the use of tokens signed with the acquired MSA key in OWA, replacing the key to prevent the threat actor from using it to forge tokens, and blocking the use of tokens issued with the key for all impacted consumer customers.
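To make the key-pair and token-validation discussion above concrete, here is an added example (not code from Microsoft or from the original post) in Go using only the standard library. It models the consumer (MSA) and enterprise (Azure AD) signing systems as two independent issuers, each with its own RSA key pair, and an enterprise-side validator that only trusts the enterprise key set. A token signed with the consumer key carries a cryptographically valid signature, yet the enterprise validator rejects it because its key ID is not in the trusted set; that is the separation the post says should hold between the two systems. Deleting a key ID from the trusted set shows the effect of the key blocking described in the mitigation steps. All issuer names, key IDs and subjects are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Issuer models one token-signing system; the consumer (MSA) and enterprise
// (Azure AD) systems become two independent Issuers. All names are constructed.
type Issuer struct {
	Name  string          // value placed in the "iss" claim
	KeyID string          // value placed in the "kid" header
	Priv  *rsa.PrivateKey // the secret that must never leave the issuer
}

// NewIssuer generates a fresh RSA key pair for the issuer.
func NewIssuer(name, kid string) (*Issuer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Issuer{Name: name, KeyID: kid, Priv: priv}, nil
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Sign produces a compact JWT-style token: header.payload.signature (RS256).
func (iss *Issuer) Sign(subject string) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": iss.KeyID})
	payload, _ := json.Marshal(map[string]string{"iss": iss.Name, "sub": subject})
	signingInput := b64(header) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, iss.Priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// Validator trusts the public keys of exactly one issuer, looked up by kid.
// Deleting a kid from TrustedKeys is what "blocking" a compromised key looks like.
type Validator struct {
	TrustedKeys map[string]*rsa.PublicKey
}

func NewValidator(iss *Issuer) *Validator {
	return &Validator{TrustedKeys: map[string]*rsa.PublicKey{iss.KeyID: &iss.Priv.PublicKey}}
}

var (
	ErrMalformed    = errors.New("malformed token")
	ErrBadAlg       = errors.New("unsupported signing algorithm")
	ErrUntrustedKey = errors.New("kid is not in this validator's trusted key set")
	ErrBadSignature = errors.New("signature does not verify")
)

// decodePart base64url-decodes one token segment and parses it as JSON.
func decodePart(s string, out interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(s)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, out)
}

// Validate returns the subject only if the kid is one this validator trusts
// and the signature verifies under that key.
func (v *Validator) Validate(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", ErrMalformed
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	var claims struct{ Sub string }
	if decodePart(parts[0], &hdr) != nil || decodePart(parts[1], &claims) != nil {
		return "", ErrMalformed
	}
	if hdr.Alg != "RS256" { // never let the token choose a weaker or "none" algorithm
		return "", ErrBadAlg
	}
	pub, ok := v.TrustedKeys[hdr.Kid] // a key from the other system is simply absent
	if !ok {
		return "", ErrUntrustedKey
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return "", ErrMalformed
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", ErrBadSignature
	}
	return claims.Sub, nil
}
```

The order of checks matters: the validator first decides whether it trusts the key at all (kid lookup) and only then spends effort on signature verification; a token from the wrong signing system never reaches the point where a valid signature could be mistaken for trust. Real libraries add audience, expiry and issuer checks on top of this.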


In addition to these measures, Microsoft reports having released improvements to the security of the MSA key management systems, along with defense-in-depth changes to the Microsoft.IdentityModel and Microsoft.Identity.Web libraries.


The incident serves as a stark reminder of the importance of secure authentication mechanisms and the role of identity in cybersecurity. As we continue to navigate the digital landscape, it's crucial to prioritize robust authentication systems and stay informed about the latest threats and mitigation strategies.


We will be covering this in further posts as details are further investigated and released.

