On 14.07.2023 Microsoft reported a security incident that affected Exchange Online and Outlook.com customers. According to Microsoft, the Chinese hacker group Storm-0558 managed to get hold of a private key used to sign access tokens for Exchange Online and Outlook.com. With this private key the hackers were able to forge access tokens for OWA and Outlook.com and thus gain access to mailbox data. The hackers probably gained significant access to the data of European government agencies.
At first glance, this reads like an ordinary security vulnerability that clever hackers exploited to gain access to Exchange Online data: not nice, but it happens. However, more details are slowly coming to light and revealing the true extent of this vulnerability, or rather security incident.
First of all, hackers managed to get hold of a Microsoft signing key, with which it was possible to create forged access tokens for Exchange Online and thus access customer data. This in itself is a pretty big deal, as such extremely critical keys must be specially protected and must not fall into the wrong hands under any circumstances. In this case, however, that is exactly what happened. Microsoft has not said how the hackers were able to capture the key. Hopefully Microsoft was able to trace the path and close the original vulnerability. However, I have not yet found any information on this.
The next big thing is the fact that Microsoft was made aware of the attack by a US authority and did not itself notice that its own private key was being misused. The US authority was able to spot discrepancies in mailbox access on the basis of logs. Incidentally, these logs were not available to everyone, but were previously an additional paid service. Without the logs, it was therefore impossible to detect this attack. Microsoft has reacted and will in future offer all customers access to these logs. To me this smells a bit like shifting responsibility onto the customer: as a customer I am now supposed to work out for myself when the global SaaS service Exchange Online gets hacked…
However, the full extent of this incident is only slowly becoming known. According to the security company WIZ, the signing key allowed access not only to Exchange Online and Outlook.com mailboxes but also to SharePoint Online, Teams and OneDrive. It gets worse, though: it may also have been possible to use the key to create access tokens for applications connected to Azure AD. If you consider everything that is authenticated via Azure AD, the urge to emigrate to a desert island grows. If the signing key was a kind of master key for Azure AD, then access to Exchange on-prem (via Modern Hybrid Auth), Azure cloud resources, other cloud services via federation and on-prem servers via Azure Arc might also have been possible. This has not yet been confirmed, however, and I hope it does not turn out to be true. Good thing Azure AD was just renamed to Entra ID, so the "dirt" sticks to Azure AD and not to the new name…
Even if this one key did not effectively grant access to all Microsoft cloud resources, the question remains: do such keys exist at all? Is there effectively a single master key for all Azure services, and if so, how is that key protected? That would be the golden ticket of the Microsoft cloud world, because signing keys of this kind render all multi-factor authentication and access policies ineffective. I would rather not think about that any further…
Fortunately, these are just my unfounded theories so far, but Microsoft's sparse information policy does not build much trust. There can and will always be security vulnerabilities that lead to serious security incidents, but Microsoft should lay its cards on the table and act with the utmost transparency, otherwise such incidents quickly leave a very bad taste. And no, offering customers a log service free of charge does not help. After all, as a customer, I am not responsible for monitoring Microsoft's private keys.
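To make concrete why a stolen signing key is the "golden ticket" described above, here is a small added example (not code from the original post or from Microsoft). It mints and validates JWT-style tokens: a holder of the signing key can issue a token carrying any claims, including an MFA claim, and it passes every check a relying service can make. What does limit the blast radius is binding each service to its own key id, issuer and audience, so a token minted with one service's key is rejected by another. HMAC with constructed keys stands in for the RSA keys real token issuers use; all key ids, issuers and audiences are made up for the demo.

```python
import base64, hashlib, hmac, json, time

# Constructed signing keys, one per service scope, looked up by key id (kid).
# Assumption for the demo: HMAC stands in for the issuer's asymmetric keys.
KEYS = {"kid-exchange": b"constructed-exchange-key", "kid-azure-apps": b"constructed-app-key"}

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(kid: str, claims: dict) -> str:
    """Issue a token the way any holder of the signing key can: sign arbitrary claims."""
    head = b64u(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = b64u(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid], f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64u(sig)}"

def validate(token: str, expected_iss: str, expected_aud: str, allowed_kids: set, now=None) -> bool:
    """Verify the signature, then bind the token to the issuer, audience, lifetime
    and key ids this particular service accepts. A token signed with the right key
    and carrying the right claims passes; nothing here can tell a forged one apart."""
    now = time.time() if now is None else now
    try:
        head_s, body_s, sig_s = token.split(".")
        head = json.loads(b64u_dec(head_s))
        claims = json.loads(b64u_dec(body_s))
    except (ValueError, json.JSONDecodeError):
        return False
    kid = head.get("kid")
    if head.get("alg") != "HS256" or kid not in allowed_kids or kid not in KEYS:
        return False  # key not meant for this service: limits what one stolen key can reach
    expect = hmac.new(KEYS[kid], f"{head_s}.{body_s}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expect, b64u_dec(sig_s)):
        return False
    return (claims.get("iss") == expected_iss and claims.get("aud") == expected_aud
            and claims.get("exp", 0) > now)

if __name__ == "__main__":
    ISS = "https://login.example.test"  # constructed issuer
    forged = mint("kid-exchange", {"iss": ISS, "aud": "exchange", "sub": "victim",
                                   "amr": ["mfa"], "exp": 2_000_000_000})
    # Exchange accepts it: MFA and access policies never come into play.
    print("exchange accepts forged token:", validate(forged, ISS, "exchange", {"kid-exchange"}))
    # A service bound to its own key id and audience rejects the same token.
    print("app accepts forged token:", validate(forged, ISS, "app", {"kid-azure-apps"}))
```

The second check is the defensive takeaway: a relying service should accept only the key ids, issuer and audience meant for it, so one compromised key cannot be turned into tokens for every service behind the same identity provider.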