Friday, 21 July 2023 17:50

Recently Stolen Microsoft Account Signing Keys can be used to Abuse other Microsoft Identification Related Services

Written by

Reading time is around minutes.

After a recent attack on Federal Civilian Execute Branch (FCEB) Agencies by an APT (Advanced Persistent Threat) group currently suspected of being a nation-state group from China, (whew that was a long start), It has come to the attention of some cloud researchers that these signing keys are not just useful for attacking Exchange Online. According to cloud security company Wiz these MSA Keys can be used to forge tokens for anything that relies on Microsoft Azure AD (Entra ID) Identity services.

Wiz has confirmed this although now that they have made this statement it makes sense that this would be the case. Entra ID is THE core component for authentication in the Microsoft Azure world. If you can access a signing key and forge a token (either is an easy task), you should be able to gain access to any service hosted in the Azure cloud, or that relies on Entra ID for authentication. The potential side effects of this could include bypassing authentication protections like MFA and even services like Okta. The signing key allows someone to sign any token for authentication as any user associated with direct Microsoft Service or any Service that relies on Entra ID including third party services.

“With identity provider keys, one can gain immediate single hop access to everything, any email box, file service, or cloud account”
This level of access is why these keys are often so protected. They are closely guarded secrets by any IAM company because of the dangers they pose. Microsoft is still unaware of how this key was acquired, but we do know from their recent statements that they have blocked the known leaked key and revoked all others. This step is only going to protect from any additional leaked keys and does not close any existing gap in protecting the keys and key store. While Microsoft is currently in the news for this breach and data loss, this is not a Microsoft specific issue. As the Wiz team puts it.

“if a signing key for Google, Facebook, Okta or any other major identity provider leaks, the implications are hard to comprehend. Our industry – and especially cloud service providers – must commit to a greater level of security and transparency concerning how they protect critical keys such as this one, to prevent future incidents and limit their potential impact.”
This attack also comes at a time when we are seeing a shift in the threat landscape to edge devices (Firewalls, etc.) and network controls (switches, routers etc.). It is also at a time when there is an increased push towards more complete Identify and Access Management controls that enable a zero-trust environment. It highlights something I have said for years, attackers follow and are aware of changes in the industry, they know what the next budget cycle for their targets are likely to focus on. This understanding allows them to get ahead of the game and prepare for these types of attacks. The compromise of the MSA signing keys is likely just the opening stages of a new attack pattern by the more sophisticated groups out there. These techniques will then filter down to the less sophisticated groups either via sale in a marketplace, or via the ever popular “source code leak”.

No matter how you want to cut this one up, it is a significant new threat vector, and one that most cloud companies are probably not equipped to deal with and one that leaves their clients over exposed and with few tools available to detect and stop it. I share Wiz’s statement, Cloud Service providers, Identity providers and other cloud services, need to up their game in ensure these critical components are better protected from future attack. If they don’t the ever-agile threat group community is sure to ponce.
Stay Safe out there

Read 1010 times

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.