Researchers at cloud security startup Wiz have an urgent warning for organizations running Microsoft’s M365 platform: That stolen Microsoft security key gave Chinese hackers access to data beyond Exchange Online and Outlook.com.
“Our researchers concluded that the compromised MSA key could have allowed the threat actor to forge access tokens for multiple types of Azure Active Directory applications, including every application that supports personal account authentication, such as SharePoint, Teams, OneDrive,” Wiz researcher Shir Tamari said in a document posted online.
Tamari said the hackers may have also accessed Microsoft customer applications that support the “login with Microsoft” functionality, and multi-tenant applications in certain conditions.
When Microsoft acknowledged the hack and the stolen MSA key, the software giant said Outlook.com and Exchange Online were the only applications known to have been affected via the token forging technique but new research shows that “this incident seems to have a broader scope than originally assumed.”
“Wiz Research has found that the compromised signing key was more powerful than it may have seemed, and was not limited to just those two services,” the company said in a document that provides technical evidence that the stolen MSA key could have been used to forge access tokens Azure Active Directory applications, SharePoint, Microsoft Teams and Microsoft OneDrive.
“Organizations using Microsoft and Azure services should take steps to assess potential impact [beyond email],” Tamari said.
The Wiz research follows news that Chinese hackers were caught forging authentication tokens using a stolen Azure AD enterprise signing key to break into M365 email inboxes. The hack, which led to the theft of email from approximately 25 organizations, turned into a bigger embarrassment when customers complained they had zero visibility to investigate because they were not paying for the high-tier E5/G5 license.
Earlier this week, Microsoft bowed to public pressure and announced it would free up access to cloud security logs and expand logging defaults for lower-tier M365 customers to help with post-incident forensics.
However, Wiz’s Tamari is cautioning that it may be difficult for Redmond’s customers to detect the use of forged tokens against their applications due to lack of logs on crucial fields related to the token verification process.
Although Microsoft has revoked the compromised key, meaning that Azure Active Directory applications will no longer accept forged tokens as valid tokens, Tamari says some problems remain.
“Tokens with extended expiration dates will also be rejected by these applications. However, during previously established sessions with customer applications prior to the revocation, the malicious actor could have leveraged its access to establish persistence. This could have occurred by leveraging the obtained application permissions to issue application-specific access keys or setting up application-specific backdoors,” he added.
“We believe this event will have long lasting implications on our trust in the cloud and the core components that support it,” Wiz said, noting that it’s very difficult to determine the full extent of the incident.
“There were millions of applications that were potentially vulnerable, both Microsoft apps and customer apps, and the majority of them lack the sufficient logs to determine if they were compromised or not,” the company added.
Wiz’s Tamari is recommending that Microsoft customers urgently update Azure SDK deployments to the latest version and ensure application cache is updated to mitigate the risk of a threat actor using the compromised key.
Related: Chinese Cyperspies Use Stolen Microsoft Key to Hack Gov Emails
Related: Microsoft Bows to Pressure to Free Up Cloud Security Logs
Related: Microsoft Warns of Office Zero-Day Attacks, No Patch Available
Related: Microsoft Blames Russian APT for Outlook Zero-Day Exploits