The nasty China hack I covered 11 days ago is even nastier than we’ve been told. Far from being limited to a couple of email services, the hackers stole a key that could open any multi-tenant Azure Active Directory (AAD) app. People are using words like “shoddy” and “fiasco.”

BTW, AAD recently got a weird new name: Microsoft Entra ID. In today’s SB Blogwatch, we wonder if the two events are related.

Not to mention: Beat It (reggae version).

Storm-0558 Breaks

What’s the craic? Sergiu Gatlan reports, “Stolen Microsoft Key Provided Widespread Access”:

Still don't know how

The consumer Microsoft signing key stolen by the Chinese Storm-0558 hackers gave them access well beyond the Exchange Online and Outlook.com accounts that Redmond says were compromised. This was achieved by exploiting a now-fixed zero-day validation issue in the GetAccessTokenForResource API, allowing them to forge signed access tokens and impersonate accounts.

Wiz security researcher Shir Tamari said the impact extended to all Azure AD applications working with Microsoft OpenID v2.0, because the stolen key could sign any OpenID v2.0 access token, [including for] multi-tenant AAD applications. While Microsoft said only Exchange Online and Outlook were affected, Wiz says the threat actors could have used the compromised Microsoft consumer signing key to impersonate any account in any affected cloud-based Microsoft client or application.

Microsoft still doesn’t know how the Chinese hackers stole the Microsoft signing key.

To be fair, the hack only started on May 15. Jonathan Greig uses the F-word, “Microsoft Disputes Report”:

Fiasco

Microsoft and several federal agencies are still investigating the incident. Asked about the report, a Microsoft spokesperson [said] many claims are speculative and not based on evidence.

Wiz researchers expressed surprise, [saying] their blog had been reviewed and validated by the Microsoft Security Response Center team: “We collaborated with them on the blog and they helped ensure technical accuracy.”

While Microsoft has since revoked the compromised key, the hackers may have taken advantage of the access they gained to establish persistence in a victim’s network. There are several outstanding questions about the fiasco, including how and when the hackers obtained the key, and whether other keys were compromised.

The horse’s mouth? Shir Tamari says the incident appears to have a wider scope than originally thought:

Critical keys

The compromised signing key was more powerful than it looked, and was not limited to the two services, OWA and Outlook.com. The compromised MSA key could have allowed the threat actor to forge access tokens for several types of Azure Active Directory applications. [Despite] Microsoft’s revocation of the certificates, applications that rely on local certificate stores or cached keys [are still] susceptible to token forgery.

Although the compromised key was a private key intended for Microsoft’s MSA tenant in Azure, it was trusted for signing any OpenID v2.0 access token for personal accounts and for mixed-audience multi-tenant AAD applications. The threat actor could forge valid access tokens and impersonate application users who had signed in with their personal Microsoft accounts.

Why is it so impactful? Identity provider signing keys are probably the most powerful secrets in the modern world. One can get immediate one-hop access to anything: any mailbox, file service, or cloud account. Cloud service providers need to commit to a higher level of security and transparency about how they protect critical keys like this.
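To make the two failure modes in the Gatlan and Tamari quotes concrete, here is an added example (not code from the article, Wiz, or Microsoft): a minimal JWT verifier with a switch that reproduces the bug of trusting any published key for any issuer, so a token signed with the consumer (MSA) key but carrying an organisational `iss` claim sails through, beside the fixed behaviour that binds each key to the one issuer allowed to use it. It goes one step beyond the quotes by also showing why revocation does not help a relying party that verifies against a cached copy of the key set. HS256 stands in for the RS256 a real IdP uses so the example runs on the Python standard library alone; the issuer URLs, key IDs, secrets and claims are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(kid: str, secret: bytes, claims: dict) -> str:
    """Mint a compact JWT. HS256 stands in for the RS256 a real IdP would use."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


class KeyRing:
    """Published signing keys, each bound to the single issuer allowed to use it."""

    def __init__(self, keys=None):
        self._keys = dict(keys or {})  # kid -> (issuer, secret)

    def publish(self, issuer: str, kid: str, secret: bytes) -> None:
        self._keys[kid] = (issuer, secret)

    def revoke(self, kid: str) -> None:
        self._keys.pop(kid, None)

    def lookup(self, kid):
        return self._keys.get(kid)

    def snapshot(self) -> "KeyRing":
        """A stale local copy: what a cached certificate store looks like."""
        return KeyRing(self._keys)


def verify(token, keyring, expected_iss, expected_aud, *, bind_key_to_issuer=True, now=None):
    """Return (accepted, reason). bind_key_to_issuer=False reproduces the bug:
    any published key is accepted for any issuer, so the iss claim is the
    attacker's to choose."""
    now = time.time() if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(c_b64))
    except ValueError:
        return False, "malformed token"
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    entry = keyring.lookup(header.get("kid"))
    if entry is None:
        return False, "unknown or revoked kid"
    key_issuer, secret = entry
    expected_sig = hmac.new(secret, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s_b64)):
        return False, "bad signature"
    if bind_key_to_issuer and key_issuer != expected_iss:
        return False, "key is not bound to the expected issuer"
    if claims.get("iss") != expected_iss:
        return False, "wrong iss"
    if claims.get("aud") != expected_aud:
        return False, "wrong aud"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    return True, "ok"


# Constructed issuers, audience and keys for the demo; not Microsoft's real endpoints.
AAD_ISS = "https://login.example.com/contoso-tenant/v2.0"  # organisational (AAD) issuer
MSA_ISS = "https://login.example.com/consumers/v2.0"       # consumer (MSA) issuer
APP_AUD = "api://mail-app"
AAD_SECRET = b"aad-secret-only-aad-may-sign"
MSA_SECRET = b"msa-secret-the-one-that-got-stolen"


def run_demo(now=1_700_000_000):
    ring = KeyRing()
    ring.publish(AAD_ISS, "aad-key-1", AAD_SECRET)
    ring.publish(MSA_ISS, "msa-key-1", MSA_SECRET)
    results = {}

    legit = sign_jwt("aad-key-1", AAD_SECRET,
                     {"iss": AAD_ISS, "aud": APP_AUD, "sub": "alice", "exp": now + 3600})
    results["legit"] = verify(legit, ring, AAD_ISS, APP_AUD, now=now)

    # Attacker holds the consumer key and simply writes an organisational iss claim.
    forged = sign_jwt("msa-key-1", MSA_SECRET,
                      {"iss": AAD_ISS, "aud": APP_AUD, "sub": "ceo@contoso", "exp": now + 3600})
    results["forged_buggy"] = verify(forged, ring, AAD_ISS, APP_AUD, bind_key_to_issuer=False, now=now)
    results["forged_fixed"] = verify(forged, ring, AAD_ISS, APP_AUD, now=now)

    # Revocation: the fresh key set drops the kid, but a cached copy keeps honouring it.
    cached = ring.snapshot()
    ring.revoke("msa-key-1")
    results["after_revoke_cached"] = verify(forged, cached, AAD_ISS, APP_AUD, bind_key_to_issuer=False, now=now)
    results["after_revoke_fresh"] = verify(forged, ring, AAD_ISS, APP_AUD, bind_key_to_issuer=False, now=now)
    return results


if __name__ == "__main__":
    for case, (ok, why) in run_demo().items():
        print(f"{case:22} accepted={str(ok):5} ({why})")
```

The point the `forged_buggy` case makes is that checking the `iss` claim inside the token proves nothing on its own, because the attacker writes that claim; the verifier has to know, out of band, which issuer each `kid` belongs to. The `after_revoke_cached` case is Tamari’s caveat in code: a relying party that serves key lookups from a local snapshot keeps accepting forged tokens until it refetches the key set.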

What’s that old saying? It’s on the tip of userbinator’s tongue:

People don’t seem to know the old adage that you shouldn’t put all your eggs in one basket any more. They are in many ways equivalent to certificate authority keys.

Sounds bad that Microsoft let the key leak. let’s go rolls his eyes furiously:

Anyone who has heard of security generates their higher-level keys (the keys used to sign other keys) inside dedicated tamper-proof hardware security modules. The keys can then be used inside said modules but never exported (except perhaps in an encrypted backup).

But it’s Microsoft we’re talking about.

And Microsoft had more than one failure, said Murdoch5:

It had to happen. I still don’t know why the emails were left unencrypted, or why the encryption keys were stored alongside them.

The real conversation we need to have is whether it’s time to start taking communications security seriously. The global response on communications security, from various governments, is that it doesn’t matter: you have no right to privacy, and what you say had better be approved by the government.

Security- and tech-conscious people can say “encrypt, encrypt, encrypt” all day. But if the tools and platforms don’t make it accessible, then it’s all crickets.

But should we really put all the blame on Microsoft? This anonymous coward gives no quarter to Redmond:

Over 30 years of getting away with shoddy code makes it clear that customer security isn’t exactly Microsoft’s top priority. Unless someone finds a way to link it to executive bonus protection, that won’t change either.

What price transparency? dx seems deeply impressed:

When Microsoft explained to its customers, “Storm-0558 has acquired an inactive MSA consumer signing key,” they should have said, “Storm-0558 has acquired an expired MSA consumer signing key.”

And when they said, “A validation issue allowed this key to be trusted to sign Azure AD tokens,” they should have said, “Several validation issues allowed this key to be trusted for signing Azure AD tokens.”

In the meantime, ecofeco sounds slightly cynical:

Everyone involved will carry on business as usual and nothing will be learned except to make the job more burdensome for sysadmins.

