
Storm-0558 Breach: Microsoft Breach Risks Millions of Azure AD Apps


The Storm-0558 breach, in which the China-based advanced persistent threat (APT) group read the email of at least 25 organizations, including US government agencies, appears to be more serious than first thought: the same compromise may have put a far wider range of Microsoft cloud services at risk than initially predicted.

It will likely take weeks, if not months, to establish the full extent of the compromise, because many organizations lack the authentication logging needed to tell whether forged tokens were ever used against them.

According to Microsoft's disclosure, the attackers used a stolen Microsoft account (MSA) consumer signing key to forge authentication tokens that impersonated legitimate Azure Active Directory (AD) users; a token validation flaw in Microsoft's code allowed that consumer key to be accepted for enterprise tokens, giving the attackers access to Microsoft 365 enterprise email accounts and the potentially sensitive information they contained.

Research published by Wiz on July 21 goes further, arguing that the stolen MSA key could also have been used to forge access tokens for "multiple types of Azure Active Directory applications, including every application that supports personal account authentication, such as SharePoint, Teams, OneDrive, customers' applications that support the 'login with Microsoft' functionality, and multitenant applications in certain conditions."

Shir Tamari, head of research at Wiz, adds that the APT may have had "immediate single hop access to everything, any email box, file service or cloud account."

Scope of the Storm-0558 Breach

Microsoft revoked the key and, earlier in July, published indicators of compromise (IoCs) for the email attack. Determining whether the broader access was actually used against any of the many other potentially affected applications will be a much harder task.

Tamari further explains, "We discovered that it may be difficult for customers to detect the use of forged tokens against their applications due to lack of logs on crucial fields related to the token verification process."

This compounds the so-called "logging tax" controversy that followed Microsoft's initial disclosure of the Storm-0558 breach.

Because the advanced logging needed to spot this kind of suspicious activity was only available to customers paying for premium licensing, many Microsoft customers could not see whether the attack affected them. Under industry pressure, Microsoft quickly pledged to make that logging available at no extra cost, but it will take time before the expanded logs are rolled out to, and actually used by, customers everywhere.

"Unfortunately, there is a lack of standardized practices when it comes to application-specific logging. Therefore, in most cases, application owners do not have detailed logs containing the raw access token or its signing key[…]As a result, identifying and investigating such events can prove exceedingly challenging for app owners," wrote Tamari.

Even with the stakes this high, Yossi Rachman, director of security research at AD security company Semperis, said the "main concern here is understanding how exactly threat actors were able to get their hands on the compromised Azure AD key, as these types of breaches have the potential of quickly turning into a SolarWinds-scale event."

Impact on Azure AD Customers

Wiz also warned that, even though the key has been revoked, a number of Azure AD customers could remain at high risk: Storm-0558 could have used its access to establish persistence, for example by registering application-specific keys or planting backdoors.

In addition, applications that cached copies of the Azure AD signing keys before the compromised key was revoked, and applications that rely on local certificate stores or cached keys that have not since been updated, remain exposed to token forgery.

"It is imperative for these applications to immediately refresh the list of trusted certificates," Tamari urged. "Microsoft advises refreshing the cache of local stores and certificates at least once a day."
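The refresh policy is what decides whether a revoked key keeps working against an application, and it is also where an app owner can record the fields (key id, outcome) that Wiz says are missing from most logs. The following is an added example, not Microsoft's or Wiz's code: a token verifier with a cache of the provider's public keys. `fetch` is a constructed stand-in for fetching Azure AD's discovery keys endpoint, the key ids and key material are made up, and HMAC tags stand in for the RSA signatures real tokens carry; the point demonstrated is the cache policy, not the signature algorithm.

```python
"""Key-cache policy versus a revoked signing key (added example).

`fetch` stands in for the provider's keys endpoint; HMAC stands in for the
provider's real signature algorithm. Key ids and key bytes are constructed.
"""
import hashlib
import hmac
from typing import Callable, Dict, List, Optional, Tuple

Jwks = Dict[str, bytes]  # key id -> key material (constructed)


class FakeClock:
    """Controllable clock so the scenario can jump forward in time."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


def sign(kid: str, key: bytes, payload: bytes) -> bytes:
    """Stand-in for the provider signing a token under key `kid`."""
    return hmac.new(key, kid.encode() + b"." + payload, hashlib.sha256).digest()


class KeyCache:
    """Caches provider keys; refreshes on age and on an unknown `kid`.

    min_forced_interval_s rate-limits unknown-kid refreshes so an attacker
    cannot turn every bogus token into a fetch against the provider.
    """
    def __init__(self, fetch: Callable[[], Jwks], max_age_s: float,
                 clock: Callable[[], float], min_forced_interval_s: float = 300.0) -> None:
        self.fetch = fetch
        self.max_age_s = max_age_s
        self.clock = clock
        self.min_forced_interval_s = min_forced_interval_s
        self.keys: Jwks = {}
        self.fetched_at = float("-inf")
        self.last_forced = float("-inf")

    def refresh(self) -> None:
        self.keys = dict(self.fetch())
        self.fetched_at = self.clock()

    def get(self, kid: str) -> Optional[bytes]:
        now = self.clock()
        refreshed = False
        if now - self.fetched_at > self.max_age_s:  # periodic refresh (Microsoft: at least daily)
            self.refresh()
            refreshed = True
        key = self.keys.get(kid)
        if key is None and not refreshed and now - self.last_forced >= self.min_forced_interval_s:
            self.refresh()  # unknown kid: maybe a rotation we missed, re-fetch once
            self.last_forced = now
            key = self.keys.get(kid)
        return key


def verify(cache: KeyCache, kid: str, payload: bytes, tag: bytes,
           audit: List[Tuple[str, bool]]) -> bool:
    """Verify `tag` over `payload`; record (kid, outcome) so forged-token use is investigable later."""
    key = cache.get(kid)
    ok = key is not None and hmac.compare_digest(sign(kid, key, payload), tag)
    audit.append((kid, ok))
    return ok


def run_scenario() -> Tuple[Dict[str, bool], List[Tuple[str, bool]]]:
    """Replay: leaked key trusted, then revoked upstream, then reused to forge."""
    remote: Jwks = {"kid-good": b"good-key", "kid-leaked": b"leaked-key"}  # constructed
    clock = FakeClock()
    pinned = KeyCache(lambda: dict(remote), max_age_s=float("inf"), clock=clock)  # never re-fetches
    daily = KeyCache(lambda: dict(remote), max_age_s=24 * 3600, clock=clock)      # refreshes daily
    audit: List[Tuple[str, bool]] = []
    payload = b'{"sub":"user","aud":"mail"}'
    tag = sign("kid-leaked", remote["kid-leaked"], payload)
    out = {
        "before_revocation_pinned": verify(pinned, "kid-leaked", payload, tag, audit),
        "before_revocation_daily": verify(daily, "kid-leaked", payload, tag, audit),
    }
    del remote["kid-leaked"]        # provider revokes the key; attacker still holds its material
    clock.t += 2 * 24 * 3600
    forged_payload = b'{"sub":"victim","aud":"mail"}'
    forged_tag = sign("kid-leaked", b"leaked-key", forged_payload)
    out["after_revocation_pinned"] = verify(pinned, "kid-leaked", forged_payload, forged_tag, audit)
    out["after_revocation_daily"] = verify(daily, "kid-leaked", forged_payload, forged_tag, audit)
    return out, audit


if __name__ == "__main__":
    results, log = run_scenario()
    for name, ok in results.items():
        print(f"{name}: {'ACCEPTED' if ok else 'rejected'}")
    print("audit:", log)
```

Both caches accept the token while the key is still published; after revocation only the pinned cache keeps accepting forgeries, because nothing ever tells it the key list changed. A real verifier should also check the `iss`, `aud` and expiry claims and, in Azure AD's case, that the key belongs to the tenant's expected issuer; those checks are independent of the cache policy shown here.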

In a separate post, Wiz detailed which Azure AD configurations are exposed and advised organizations to update their application key caches and Azure SDKs to the latest versions.

Tamari further notes, "The full impact of this incident is much larger than we initially understood it to be[…]We believe this event will have long-lasting implications on our trust of the cloud and the core components that support it, above all, the identity layer which is the basic fabric of everything we do in cloud. We must learn from it and improve."

Azure AD 'Log in With Microsoft' Authentication Bypass at Risk


Organizations that have added the "Log in with Microsoft" feature to their applications through Microsoft Azure Active Directory may be exposed to an authentication bypass that can lead to takeover of online and cloud-based accounts.

Descope researchers have named the attack "nOAuth". They describe it as an authentication implementation flaw affecting multitenant OAuth apps in Azure AD, Microsoft's cloud-based identity and access management service. A successful attack lets the threat actor take over the victim's account in the affected application, and from there establish persistence, exfiltrate data, look for lateral movement opportunities, and more.

According to Omer Cohen, CISO at Descope ”OAuth and OpenID Connect are open, popular standards which millions of Web properties already use[…]If 'Log in with Microsoft' is improperly implemented, several of these apps could be vulnerable to account takeover. Small businesses with fewer developer resources could especially be impacted.”

About nOAuth Cyberattack Threat

OAuth is an open, token-based authorization framework that lets users sign in to an application on the strength of an existing session with another trusted provider (strictly, the sign-in part is OpenID Connect, which is layered on OAuth). Most consumers know it through the "Log in with Facebook" or "Log in with Google" buttons on countless e-commerce sites.

In the Azure AD environment, OAuth governs user access to external resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications that support OAuth apps.

According to Descope analysis "Azure Active Directory also manages internal resources like apps on your corporate intranet and any cloud apps developed by your own organization by providing authentications via OAuth, OIDC, and other standard protocols."

The Descope analysis, published this week, says the flaw allows cross-platform spoofing given nothing more than the victim's email address. The email attribute under "Contact Information" in an Azure AD account is not verified by Microsoft and can be set at will by an admin of the attacker's own tenant, which in turn controls the email claim that Azure AD places in the token.

"[This] allows the attacker to use 'Log in with Microsoft' with the email address of any victim they want to impersonate[…]They can take over victims' accounts on any app that uses 'email' claim as the unique identifier for Microsoft OAuth and does not validate that email address, completely bypassing authentication," the researchers noted.
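What "uses 'email' as the unique identifier" looks like in code, and the fix, as an added example rather than anything from Descope's write-up: the claim dictionaries below are constructed samples of what an Azure AD OpenID Connect ID token carries after signature validation, and the tenant and object ids, account names and addresses are made up. The `email` claim is whatever the issuing tenant's admin put in the user's mail attribute; `tid` (tenant id) and `oid` (object id) are assigned by Microsoft and cannot be chosen by the attacker.

```python
"""Toy reproduction of the nOAuth account-linking mistake (added example).

Claims are constructed samples of a validated Azure AD ID token; no real
tokens, tenants or network calls are involved.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Account:
    username: str
    email: str                   # display / contact attribute only
    tid: Optional[str] = None    # Azure AD tenant the linked identity belongs to
    oid: Optional[str] = None    # object id of the user within that tenant


# Constructed sample data: the victim linked their app account to their
# Microsoft identity in the "contoso" tenant.
VICTIM_TID = "11111111-1111-1111-1111-111111111111"
VICTIM_OID = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
ATTACKER_TID = "22222222-2222-2222-2222-222222222222"
ATTACKER_OID = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"

ACCOUNTS: List[Account] = [
    Account("victim", "victim@contoso.example", tid=VICTIM_TID, oid=VICTIM_OID),
]

# Constructed ID-token claims (post signature check). The attacker's tenant
# admin set a user's mail attribute to the victim's address, so `email`
# collides while `tid`/`oid` differ.
VICTIM_TOKEN: Dict[str, str] = {
    "iss": f"https://login.microsoftonline.com/{VICTIM_TID}/v2.0",
    "tid": VICTIM_TID, "oid": VICTIM_OID, "email": "victim@contoso.example",
}
ATTACKER_TOKEN: Dict[str, str] = {
    "iss": f"https://login.microsoftonline.com/{ATTACKER_TID}/v2.0",
    "tid": ATTACKER_TID, "oid": ATTACKER_OID, "email": "victim@contoso.example",
}


def login_vulnerable(claims: Dict[str, str]) -> Optional[Account]:
    """The pattern nOAuth exploits: `email` is treated as the unique identifier."""
    return next((a for a in ACCOUNTS if a.email == claims.get("email")), None)


def login_hardened(claims: Dict[str, str]) -> Optional[Account]:
    """Look the account up by (tid, oid); `email` never selects an account."""
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid:
        return None
    return next((a for a in ACCOUNTS if a.tid == tid and a.oid == oid), None)


def first_login_hardened(claims: Dict[str, str]) -> str:
    """Decide what to do when no (tid, oid) link exists yet.

    Auto-linking to an existing local account by email would reopen the
    hole, so an unlinked login whose email matches an existing account must
    go through an email-ownership proof (e.g. a verification link) first.
    """
    if login_hardened(claims) is not None:
        return "login"
    email = claims.get("email", "")
    if any(a.email == email for a in ACCOUNTS):
        return "verify-email-before-linking"
    return "create-new-account"


if __name__ == "__main__":
    for name, token in (("victim", VICTIM_TOKEN), ("attacker", ATTACKER_TOKEN)):
        v = login_vulnerable(token)
        h = login_hardened(token)
        print(f"{name}: vulnerable -> {v.username if v else None}, "
              f"hardened -> {h.username if h else None}, "
              f"first-login policy -> {first_login_hardened(token)}")
```

The `sub` claim is an equally stable alternative to `(tid, oid)`; it is pairwise per application, so it cannot be correlated across apps, which is sometimes what you want. Whichever you pick, the rule is the same: the claim the attacker's tenant controls (`email`) may be displayed or used for notifications, but never used to find or link an account without an out-of-band ownership check.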

Incorrect Implementation of OAuth

Incorrect OAuth implementation has become a recurring problem, and organizations are urged to close this potentially harmful attack vector.

Recent examples include vulnerabilities in Booking.com's authorization flow that could have let attackers access user accounts, obtain their personal or payment-card data, and log in to accounts on the site's sister platform, Kayak.com.

Another case was a bug, tracked as CVE-2023-28131, in the OAuth implementation of Expo, an open-source framework for building native apps for iOS, Android and the web from a single codebase. The flaw put at risk users who signed in to services built on the framework with their social media accounts.

Cohen notes that OAuth and similar standards are reliable and robust authentication approaches, but organizations should work with security and authentication professionals when adopting them.

"These standards are extremely complicated to work with[…]Authentication isn’t something you can just add on and check a box. Implementing these standards correctly is critical to the security of the application," says Cohen. He adds, "If businesses chose to implement these standards in-house, then they must have regular pen testing and review of the implementation, or they can use an authentication platform that is built by security experts".

He added that this matters because threat actors are constantly on the lookout for this type of vulnerability.