The recent attack on Microsoft’s email infrastructure by a Chinese nation-state actor called Storm-0558 is said to have a wider scope than previously thought.
According to cloud security firm Wiz, the inactive Microsoft account (MSA) consumer signing key that was used to spoof Azure Active Directory (Azure AD or AAD) tokens and gain unauthorized access to Outlook Web Access (OWA) and Outlook.com could also allow adversaries to spoof access tokens for various types of Azure AD applications.
This includes any app that supports personal account authentication, such as OneDrive, SharePoint, and Teams; customer apps that support “Login with Microsoft” functionality; and multi-tenant apps under certain conditions.
“Everything in the Microsoft world leverages Azure Active Directory authentication tokens for access,” said Ami Luttwak, chief technology officer and co-founder of Wiz, in a statement. “Attackers with AAD signing keys are the most powerful attackers you can imagine, because they can access almost any application – as any user. It’s a ‘shape-shifting’ superpower.”
Microsoft last week disclosed a token forgery technique exploited by Storm-0558 to extract declassified data from victims’ mailboxes, but the exact contours of the cyber-espionage campaign remain unknown.
The Windows maker says it’s still investigating how adversaries managed to obtain MSA consumer signing keys. But it’s unclear whether the key serves as some kind of master key to unlock access to data belonging to nearly two dozen organizations.
Wiz’s analysis filled some of the gaps, with the company finding that “all Azure v2.0 personal account applications depend on a list of 8 public keys, and all v2.0 multi-tenant Azure apps with Microsoft accounts enabled depend on a list of 7 public keys.”
It was further discovered that, sometime between June 27, 2023, and July 5, 2023, Microsoft replaced one of the listed public keys (thumbprint: “d4b4cccda9228624656bff33d8110955779632aa”), which had been in place since at least 2016, around the same period the company said it had revoked the MSA key.
“This leads us to believe that even though the compromised key that Storm-0558 obtained was a private key designed for Microsoft’s MSA tenant on Azure, it can also sign OpenID v2.0 tokens for various types of Azure Active Directory applications,” Wiz said.
“Storm-0558 appears to have successfully gained access to one of several keys intended for signing and verifying AAD access tokens. The compromised keys are trusted to sign any OpenID v2.0 access token for personal accounts and mixed audience (multi-tenant or private accounts) AAD applications.”
This effectively means that, in theory, a malicious actor could forge access tokens for consumption by any application that depends on the Azure identity platform.
Even worse, the obtained private key can be weaponized to forge tokens and authenticate as any user to any affected application, meaning one that trusts mixed-audience certificates and Microsoft OpenID v2.0 private accounts.
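The trust model Wiz describes, in which an application accepts any token signed by one of the keys on the identity provider's published list, is what makes a stolen signing key so powerful, and it is also the point at which a relying application can defend itself. The following Go program is an added example, not code from Wiz, Microsoft or the article: it models an application that keeps a list of trusted public keys, refuses tokens signed by a key id it has been told is revoked or replaced (even while that key is still on the list), and insists that the issuer and audience match before accepting the token. The key ids, issuer URL, audience and in-memory key pairs are all constructed for the example; the Sign function exists only to mint sample tokens and stands in for the identity provider.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims is the subset of OpenID token claims this example checks.
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
}

// Verifier models one application's trust list: accepted public keys (its JWKS), revoked key ids, expected issuer and audience.
type Verifier struct {
	Keys    map[string]*rsa.PublicKey // kid -> trusted public key
	Revoked map[string]bool           // kid -> revoked or replaced key
	Issuer  string
	Aud     string
}

// Sign mints an RS256 JWT so the example can construct sample tokens; in reality only the identity provider holds such keys.
func Sign(key *rsa.PrivateKey, kid string, c Claims) (string, error) {
	enc := base64.RawURLEncoding
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return input + "." + enc.EncodeToString(sig), err
}

// Verify checks a token end to end: key id trusted and not revoked, signature valid, iss/aud as this app expects.
func (v *Verifier) Verify(tok string) (*Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	enc := base64.RawURLEncoding
	hdrJSON, e1 := enc.DecodeString(parts[0])
	bodyJSON, e2 := enc.DecodeString(parts[1])
	sig, e3 := enc.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return nil, errors.New("bad base64url encoding")
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("bad or unexpected header")
	}
	pub, ok := v.Keys[hdr.Kid]
	if !ok || v.Revoked[hdr.Kid] { // a replaced key is rejected even if it is still listed
		return nil, fmt.Errorf("key id %q is unknown or revoked", hdr.Kid)
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return nil, errors.New("signature does not verify")
	}
	var c Claims
	if err := json.Unmarshal(bodyJSON, &c); err != nil {
		return nil, err
	}
	if c.Iss != v.Issuer || c.Aud != v.Aud { // a genuine token minted for another app is still not ours
		return nil, errors.New("issuer or audience mismatch")
	}
	return &c, nil
}

// Scenario builds a two-key trust list with one key revoked (constructed key ids, issuer and audience) and reports how three tokens fare.
func Scenario() (activeOK, revokedRejected, wrongAudRejected bool) {
	active, _ := rsa.GenerateKey(rand.Reader, 2048)
	stale, _ := rsa.GenerateKey(rand.Reader, 2048)
	v := &Verifier{
		Keys:    map[string]*rsa.PublicKey{"kid-active": &active.PublicKey, "kid-stale": &stale.PublicKey},
		Revoked: map[string]bool{"kid-stale": true},
		Issuer:  "https://idp.example.test/v2.0",
		Aud:     "example-app-client-id",
	}
	good := Claims{Iss: v.Issuer, Aud: v.Aud}
	t1, _ := Sign(active, "kid-active", good)
	t2, _ := Sign(stale, "kid-stale", good)
	t3, _ := Sign(active, "kid-active", Claims{Iss: v.Issuer, Aud: "some-other-app"})
	_, e1 := v.Verify(t1)
	_, e2 := v.Verify(t2)
	_, e3 := v.Verify(t3)
	return e1 == nil, e2 != nil, e3 != nil
}

func main() {
	a, b, c := Scenario()
	fmt.Println("active accepted:", a, "| revoked rejected:", b, "| wrong audience rejected:", c)
}
```

Two points of the example matter operationally. The Revoked set means a replaced key stops being trusted even while a cached copy of the key list still contains it, which is the situation created when a provider rotates a key as Microsoft did with the replaced thumbprint. The audience check means a genuine token minted for one application cannot be presented to another. Neither check stops an attacker who can mint tokens with a key that is still trusted; for that, revocation and rotation of the signing key by the provider is the decisive mitigation, and a relying application should expect its key list to change and fetch it fresh rather than pin it indefinitely.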
“The identity provider’s signing key is probably the most powerful secret in the modern world,” said Wiz security researcher Shir Tamari. “With an identity provider key, one can gain immediate access to anything, any email box, file service or cloud account.”