
Azure Breach Timeline… Updated
- July 2023: Microsoft disclosed that hackers, tracked as Storm-0558, had been inside its corporate network for over a month and gained access to Azure and Exchange accounts, including those belonging to the US Departments of State and Commerce.
- September 2023: Microsoft revealed that the corporate account of one of its engineers was hacked by a highly skilled threat actor, who acquired a signing key used to hack dozens of Azure and Exchange accounts.
How did Storm-0558 Breach Highly Secured Azure Cloud Clients?
Storm-0558, a threat actor group, breached Azure by obtaining an expired Microsoft account consumer signing key and using it to forge tokens for Microsoft’s Azure AD cloud service. The group compromised a Microsoft engineer’s corporate account, which gave them access to the debugging environment holding the signing key. When a consumer signing system crashed, a race condition caused the key to be written into the crash dump. That dump was later moved from Microsoft’s isolated production network to its internet-connected corporate debugging environment, where Storm-0558 obtained it.
Using the stolen key, Storm-0558 forged Azure Active Directory (Azure AD) tokens to gain unauthorized access to user emails in around 25 organizations, including government agencies and various consumer accounts hosted on the public cloud. The group targeted Azure and Exchange accounts, several of which were later identified as belonging to the US Departments of State and Commerce.
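The mechanism just described, a signing key taken from one key ring and used to mint tokens accepted by another service, is exactly what token validation on the receiving side has to defeat. The following is an added example, not code from this page or from Microsoft, showing a validator that accepts a token only when its `kid` names a key in the service's own key ring, that key is still inside its rotation window, the signature verifies, and the issuer, audience and expiry claims match. The key ring, key ids, issuer and audience URLs and the reference time are all constructed for the example; HS256 (HMAC) is used so it runs with the standard library only, whereas a real identity provider signs with asymmetric keys published as a JWKS.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, kid: str, key: bytes) -> str:
    """Issue an HS256 JWT whose header names the signing key by 'kid'."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    compact = {"separators": (",", ":")}
    signing_input = (
        b64url_encode(json.dumps(header, **compact).encode())
        + "."
        + b64url_encode(json.dumps(claims, **compact).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class TokenValidator:
    """Accepts only tokens signed by a key in this service's own key ring,
    inside that key's validity window, for the expected issuer and audience."""

    def __init__(self, key_ring: dict, issuer: str, audience: str):
        # key_ring maps kid -> (secret bytes, key not_after as Unix time)
        self.key_ring = key_ring
        self.issuer = issuer
        self.audience = audience

    def validate(self, token: str, now: Optional[int] = None) -> tuple:
        now = int(time.time()) if now is None else now
        parts = token.split(".")
        if len(parts) != 3:
            return False, "malformed token"
        try:
            header = json.loads(b64url_decode(parts[0]))
        except ValueError:  # bad base64 or bad JSON
            return False, "malformed header"
        if header.get("alg") != "HS256":
            return False, "unexpected alg"
        kid = header.get("kid")
        entry = self.key_ring.get(kid)
        if entry is None:
            # A key from any other ring (e.g. a consumer key) lands here.
            return False, "unknown kid %r" % kid
        key, key_not_after = entry
        if now >= key_not_after:
            return False, "signing key %r has expired" % kid
        expected = hmac.new(key, (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(parts[2])):
            return False, "bad signature"
        try:
            claims = json.loads(b64url_decode(parts[1]))
        except ValueError:
            return False, "malformed claims"
        if claims.get("iss") != self.issuer:
            return False, "wrong issuer"
        if claims.get("aud") != self.audience:
            return False, "wrong audience"
        if now >= int(claims.get("exp", 0)):
            return False, "token expired"
        return True, "ok"


# Constructed scenario: an enterprise key ring with one current and one
# rotated-out key, plus a key from a separate consumer ring.
NOW = 1_700_000_000
ISSUER = "https://login.example.test/tenant"
AUDIENCE = "https://mail.example.test"
ENTERPRISE_KEYS = {
    "ent-2023": (b"enterprise-secret-2023", NOW + 90 * 86400),
    "ent-2021": (b"enterprise-secret-2021", NOW - 30 * 86400),  # past its rotation date
}
CONSUMER_KEY = ("msa-2016", b"consumer-secret-2016")  # not in the enterprise ring

validator = TokenValidator(ENTERPRISE_KEYS, ISSUER, AUDIENCE)


def claims_for(user: str) -> dict:
    return {"iss": ISSUER, "aud": AUDIENCE, "sub": user, "exp": NOW + 3600}


def run_scenarios() -> dict:
    """Validate one legitimate token and three that must be refused."""
    good = sign_token(claims_for("alice"), "ent-2023", ENTERPRISE_KEYS["ent-2023"][0])
    foreign = sign_token(claims_for("alice"), *CONSUMER_KEY)
    stale = sign_token(claims_for("alice"), "ent-2021", ENTERPRISE_KEYS["ent-2021"][0])
    # Re-use the good token's header and signature over different claims.
    head, _, sig = good.split(".")
    tampered = head + "." + b64url_encode(json.dumps(claims_for("bob")).encode()) + "." + sig
    return {
        "current_enterprise_key": validator.validate(good, NOW),
        "consumer_ring_key": validator.validate(foreign, NOW),
        "expired_enterprise_key": validator.validate(stale, NOW),
        "tampered_claims": validator.validate(tampered, NOW),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```

The checks are deliberately ordered so that the key lookup and key validity window are enforced before the signature is even computed: a token whose `kid` is outside the service's own ring is refused regardless of whether its signature would verify under that foreign key, and a key past its rotation date is refused even though it is still known.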
Azure Breach Prevention Measures
Microsoft has not provided detailed information on the specific measures they are implementing to prevent similar breaches in the future. However, the company is likely to take several steps to enhance its security:
- Strengthening the security of employee accounts, possibly through more robust multi-factor authentication and monitoring.
- Regularly reviewing and updating signing keys and access controls to prevent unauthorized access in the future.
- Introducing and strengthening internal security policies and procedures to minimize the risk of similar breaches.
- Conducting more regular security audits and assessments to identify and address potential vulnerabilities and loopholes in current processes.
It is important to note that the information available on the breach and Microsoft’s response is limited. Further details may emerge as the company continues to investigate and address the incident.