Is it the end?
Since this event, Microsoft has released several resources to inform and help organizations either evict this unauthorized access or confirm that no similar attack is ongoing in their tenant.
The first is a playbook (10) with a decision tree that guides an organization step by step in identifying such an attack, together with a configuration guide for Microsoft Sentinel to ingest the detailed event logs that need to be analyzed in case of such an attack.
They also released new versions of the Microsoft.IdentityModel (12) and Microsoft.Identity.Web (13) libraries, which developers use to integrate with federated identity providers such as the Microsoft identity platform.
In July, Microsoft added more than 30 events and extended the default log retention period from 90 days to 180 days in Purview Audit (Standard) at no additional cost (14), so that this level of logging is no longer reserved for the highest-tier subscriptions.
Although Microsoft immediately contacted the impacted organizations, several questions remain open, and this episode will certainly not help Microsoft at a time when the US government is working on a cloud security strategy (the SCuBA project, Secure Cloud Business Applications (2)) and is working with Microsoft on this topic (4).
The essential question is how Storm-0558 got access to the private key used to forge the access tokens.
Only yesterday, 6 September, Microsoft published the latest results of its investigation. The article (11) explains that two distinct and unrelated failures, put together, made the attack possible:
1.- A crash of a system generated a dump containing the key, AND the compromise of an engineer's corporate account in their debugging environment, where that dump had been moved, enabled Storm-0558 to exfiltrate the key.
2.- No automatic scope validation in the libraries used for token validation, which made the enterprise email APIs accept tokens signed with a consumer key.
Both issues have been corrected, but do we know whether only email accounts were impacted?
At this stage, none of the articles published by Microsoft mentions any application other than the email system. But third-party applications that still use the previous version of the Azure SDK may have been vulnerable too, since they relied on the same token validation behaviour.
At the very least, these applications must be updated to use the latest version of these packages.
Also, applications that cache the Azure AD public signing keys locally may still accept tokens signed with the now-revoked key if that cache has not been flushed since the attack. The practice would be to refresh this kind of cache at least every day.
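The two points above, a token validator that skips scope (issuer) validation and a stale signing-key cache, are easier to see in code. The example below is added here for illustration and is not Microsoft's code nor the code of the Microsoft.IdentityModel library: it uses HMAC-SHA256 (the stdlib `hmac` module) as a stand-in for the RSA key pairs that sign real access tokens, and every tenant, issuer URL, key ID, secret and claim value in it is constructed for the example. `validate_vulnerable` accepts any token whose `kid` is found in a merged key set, which is how a consumer-tenant key ends up accepted by an enterprise API; `validate_hardened` pins the expected issuer and audience and only looks the `kid` up in that issuer's own key set. The `KeyCache` part shows why a revoked key keeps working until the cache TTL expires.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for the example (not real Microsoft tenants, issuers or keys).
ENTERPRISE_ISSUER = "https://login.example.test/contoso-tenant/v2.0"
CONSUMER_ISSUER = "https://login.example.test/consumer-tenant/v2.0"
MAIL_AUDIENCE = "api://mail.example.test"
# "Published" signing keys per issuer; HMAC secrets stand in for RSA public keys.
PUBLISHED_KEYS = {
    ENTERPRISE_ISSUER: {"ent-key-1": b"enterprise-secret-1"},
    CONSUMER_ISSUER: {"msa-key-1": b"consumer-secret-1"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, kid: str, key: bytes) -> str:
    """Produce a compact JWS (HS256 stands in for RS256) carrying the key ID in the header."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _split(token: str):
    h, p, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), h + "." + p, _b64url_decode(s)


def _signature_ok(signing_input: str, sig: bytes, key: bytes) -> bool:
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


class KeyCache:
    """Caches each issuer's key set and only re-fetches once ttl seconds have elapsed."""

    def __init__(self, fetch, ttl: int):
        self._fetch, self._ttl, self._cached, self._fetched_at = fetch, ttl, {}, {}

    def keys_for(self, issuer: str, now: int) -> dict:
        if issuer not in self._cached or now - self._fetched_at[issuer] >= self._ttl:
            self._cached[issuer] = dict(self._fetch(issuer))  # snapshot, as a local cache would hold
            self._fetched_at[issuer] = now
        return self._cached[issuer]


def validate_vulnerable(token: str, published: dict, now: int) -> dict:
    """Signature + expiry only, against keys merged from every issuer: no issuer/scope check."""
    header, claims, signing_input, sig = _split(token)
    merged = {kid: k for keys in published.values() for kid, k in keys.items()}
    key = merged.get(header.get("kid"))
    if key is None or not _signature_ok(signing_input, sig, key):
        raise ValueError("bad signature")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def validate_hardened(token: str, expected_issuer: str, expected_audience: str, cache: KeyCache, now: int) -> dict:
    """Pin issuer and audience, then resolve the kid only within that issuer's key set."""
    header, claims, signing_input, sig = _split(token)
    if claims.get("iss") != expected_issuer:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != expected_audience:
        raise ValueError("unexpected audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    key = cache.keys_for(expected_issuer, now).get(header.get("kid"))
    if key is None:
        raise ValueError("kid not published by the expected issuer")
    if not _signature_ok(signing_input, sig, key):
        raise ValueError("bad signature")
    return claims


def _accepts(validator, *args) -> bool:
    try:
        validator(*args)
        return True
    except ValueError:
        return False


def run_scenarios() -> dict:
    """Forged consumer-key token against both validators, then key revocation vs a stale cache."""
    now = 1_700_000_000
    published = {iss: dict(keys) for iss, keys in PUBLISHED_KEYS.items()}  # mutable copy
    # Attacker holds the consumer key and writes enterprise claims into the token.
    forged = sign_jwt({"iss": ENTERPRISE_ISSUER, "aud": MAIL_AUDIENCE, "sub": "victim@contoso.example", "exp": now + 3600},
                      "msa-key-1", published[CONSUMER_ISSUER]["msa-key-1"])
    cache = KeyCache(lambda iss: published[iss], ttl=86400)
    results = {
        "vulnerable_accepts_forged": _accepts(validate_vulnerable, forged, published, now),
        "hardened_accepts_forged": _accepts(validate_hardened, forged, ENTERPRISE_ISSUER, MAIL_AUDIENCE, cache, now),
    }
    # A token legitimately signed with ent-key-1, which the issuer then revokes and rotates.
    legit = sign_jwt({"iss": ENTERPRISE_ISSUER, "aud": MAIL_AUDIENCE, "sub": "user@contoso.example", "exp": now + 8 * 86400},
                     "ent-key-1", published[ENTERPRISE_ISSUER]["ent-key-1"])
    cache.keys_for(ENTERPRISE_ISSUER, now)  # warm the cache before the revocation
    del published[ENTERPRISE_ISSUER]["ent-key-1"]
    published[ENTERPRISE_ISSUER]["ent-key-2"] = b"enterprise-secret-2"
    results["stale_cache_accepts_revoked"] = _accepts(validate_hardened, legit, ENTERPRISE_ISSUER, MAIL_AUDIENCE, cache, now + 3600)
    results["refreshed_cache_accepts_revoked"] = _accepts(validate_hardened, legit, ENTERPRISE_ISSUER, MAIL_AUDIENCE, cache, now + 86400 + 1)
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The vulnerable validator accepts the forged token because it resolves the `kid` across every issuer's keys and never asks whether the consumer tenant is allowed to mint tokens for the enterprise API. The hardened one rejects it before touching the signature. The last two results show the cache caveat: with a one-day TTL, a token signed by a revoked key is still accepted for the rest of that day, which is why the cache refresh interval bounds how long a stolen key stays usable after revocation.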