Microsoft Azure and cloud services insecure since … Azure Cloud and cooperating services are insecure: wide open for attackers?
Prof. Dr. Hartmut Pohl, softScheck GmbH
Managing Director (Geschäftsführer) and CTO at softScheck GmbH, expert in cybersecurity and Security as a Service
A stolen signing key (created in 2016, expired in 2021) has given unauthorized parties access to the Azure cloud and cloud-based services as if with a master key. The attackers had access, probably for years, to presumably all Microsoft cloud applications such as Exchange Online, Office 365 with Outlook.com, SharePoint, OneDrive and Teams, as well as to third-party applications that offer "Sign in with Microsoft". Microsoft has so far published little on the case and has not (fully) named the affected products, so users can hardly protect their data.
Almost two years ago, a vulnerability in Azure (Cosmos DB, "ChaosDB") could be exploited to read customers' primary keys and thus gain (unauthorized) full access to their databases. Although the vulnerability was fixed within 14 days, not all of the several thousand affected customers worldwide were informed, and, just as in the current case, neither the necessary security measures nor the remaining risks were explained. At the time, the incident was rated the "worst cloud vulnerability you can imagine". The current case surpasses it.
In January 2021, it became known that attackers had penetrated Microsoft's internal network and viewed source code via a backdoored version of SolarWinds' "Orion". Critical vulnerabilities in the Windows print spooler ("PrintNightmare") also went unpatched for a long time. To what extent these attacks laid the groundwork for more recent ones has not been published either.
In the following, the current event is presented and evaluated as far as the technology is known and facts have been published. Overall, Microsoft is to be faulted for being too hesitant in providing information and for not making the significance of the case adequately clear. Industry-typical (cloud) errors, bugs and vulnerabilities, and the security measures cloud users can take, are also addressed.
The healthcare, energy, food, media, communications and finance sectors are likely to be particularly affected.
1. What has happened so far?
In mid-June 2023, a U.S. government agency detected unauthorized access to its email in Exchange Online accounts; European government agencies were also affected. It is not known how long the attackers had already been active in Microsoft systems by then.
The US cloud-security company Wiz states that it has identified the signing key used by the attackers with the help of the key thumbprint published by Microsoft. The key was used to forge access tokens and to read mail of companies and government agencies. It has not been published when, where and how the attackers were able to obtain a copy of the signing key, nor how the token validation could be bypassed.
Fig.: The compromised key enables (unauthorized) authentication in any Microsoft and customer application as any user. © Wiz Inc.
Overall, there appear to be several design flaws in the access control. This suggests that the attackers were active in Microsoft's systems for a longer period and carefully scouted out and tried possible attack paths. Worldwide, attackers remain active in victim systems for an average of about six months before they are detected.
Microsoft took initial countermeasures: it revoked the signing key, invalidated the tokens generated with it and blocked the attackers' activity. The signing key was replaced.
2. Who were the attackers?
At this point, no verifiable attribution to a state (China) and/or to a group (Microsoft's name for the actor is Storm-0558) can be made; the naming and attribution cannot be verified. Intelligence experts judge that Microsoft is deliberately naming names and nationalities to distract from its own mistakes and to reassure the public and governments.
Even if proof were provided, prosecuting the attackers would be very costly, although this has been achieved in individual cases in the USA.
3. Who are the victims?
All companies and government agencies worldwide that use the Azure cloud or Azure cloud services.
4. What mistakes were made?
The key in question is an OpenID Connect token-signing key. Azure Active Directory (Azure AD or AAD) is Microsoft's cloud directory service for business customers. The attackers obtained a copy of a signing key that was intended only for private consumer accounts (Microsoft accounts, MSA) and used it to forge tokens. Because of a validation error, Azure AD also accepted tokens signed with this consumer key for business customers' applications. Why the validation accepted the consumer key has (so far) not been explained.
This key is presumably also known to security authorities; it may not have been adequately protected there either.
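Added example, not code from the article or from Microsoft: a stand-alone model of the two validation failures described above, a consumer (MSA) key being accepted for Azure AD tokens, and a key past its validity date still being honoured. The real tokens are RSA-signed (RS256); this demonstration uses HMAC (HS256) from the Python standard library so it runs without third-party packages. The issuer URLs, key IDs, key material, validity dates, audiences and user names are constructed for the example and are assumptions, not Microsoft's actual values.

```python
"""Why a token-signing key scoped to one issuer must never validate tokens
for another issuer, and why a key outside its validity window must be
rejected. HS256 stands in for RS256 (simplification, stdlib only)."""
import base64
import hashlib
import hmac
import json

# Constructed key directory: one signing key per issuer, each with a validity window.
# Names, secrets and dates are placeholders (assumptions), not real Microsoft values.
KEYS = {
    "https://login.live.com/msa": {  # consumer accounts (MSA)
        "msa-key-2016": {"secret": b"msa-secret-0001", "valid_until": 1609459200},  # 2021-01-01, expired
    },
    "https://login.microsoftonline.com/aad": {  # work/school accounts (AAD)
        "aad-key-2023": {"secret": b"aad-secret-0001", "valid_until": 4102444800},  # 2100-01-01
    },
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(issuer: str, kid: str, claims: dict) -> str:
    """Mint an HS256 JWT with a given key. Anyone holding the key can do this,
    including an attacker who copied it; the claims are whatever they choose."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEYS[issuer][kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _split(token: str):
    h, p, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s), h + "." + p


def verify_flawed(token: str, expected_aud: str, now: int) -> bool:
    """Flawed validation: the key is looked up by kid across ALL issuers, the iss claim
    is never compared to the key's issuer, and the key's own expiry is ignored."""
    header, claims, sig, signing_input = _split(token)
    for keyset in KEYS.values():
        key = keyset.get(header["kid"])
        if key is not None:
            expected = hmac.new(key["secret"], signing_input.encode(), hashlib.sha256).digest()
            return hmac.compare_digest(expected, sig) and claims.get("aud") == expected_aud and claims.get("exp", 0) > now
    return False


def verify_hardened(token: str, expected_iss: str, expected_aud: str, now: int) -> bool:
    """Hardened validation: key lookup is scoped to the issuer this application trusts,
    iss must name that issuer, the key's validity window is enforced, then aud and exp."""
    header, claims, sig, signing_input = _split(token)
    if header.get("alg") != "HS256" or claims.get("iss") != expected_iss:
        return False
    key = KEYS.get(expected_iss, {}).get(header.get("kid"))
    if key is None or now > key["valid_until"]:
        return False
    expected = hmac.new(key["secret"], signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False
    return claims.get("aud") == expected_aud and claims.get("exp", 0) > now


def demo(now: int = 1689000000) -> dict:  # mid-July 2023
    aad = "https://login.microsoftonline.com/aad"
    msa = "https://login.live.com/msa"
    user = {"upn": "cfo@victim.example", "exp": now + 3600}  # constructed
    # Attacker holds the expired MSA key and forges a token claiming to be an AAD user of a business app.
    forged = sign_token(msa, "msa-key-2016", {"iss": aad, "aud": "exchange-online", **user})
    legit = sign_token(aad, "aad-key-2023", {"iss": aad, "aud": "exchange-online", **user})
    # Same expired key used for its own issuer: still must be rejected after valid_until.
    expired_msa = sign_token(msa, "msa-key-2016", {"iss": msa, "aud": "outlook-consumer", **user})
    return {
        "flawed_accepts_forged": verify_flawed(forged, "exchange-online", now),
        "hardened_accepts_forged": verify_hardened(forged, aad, "exchange-online", now),
        "hardened_accepts_legit": verify_hardened(legit, aad, "exchange-online", now),
        "flawed_accepts_expired_key": verify_flawed(expired_msa, "outlook-consumer", now),
        "hardened_accepts_expired_key": verify_hardened(expired_msa, msa, "outlook-consumer", now),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the hardened verifier is that the trusted issuer is a parameter the relying party fixes in advance, not something read from the token: the key set is selected by that issuer, the `iss` claim must match it, and a key outside its published validity window is refused even when its signature verifies. The flawed verifier accepts both the cross-issuer forgery and the expired key because it trusts whatever `kid` the token names.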
5. Evaluation: what are the risks?
Even once the attack has (finally) been completely (!) analyzed and published, the entry points identified and the exploited vulnerabilities patched, the attack is still not averted. The attackers may have installed undetected backdoors in the systems of all customers, in software, in firmware and (as experience shows) even in device microcode (!), which they can use undetected in the coming months and years to read data (espionage) or manipulate it (sabotage) in the systems of all affected companies and authorities.
6. Recommendations to Microsoft
The 'Security Development Lifecycle' (SDL) developed by Microsoft employees Steve Lipner and Michael Howard should be applied from the very first development steps. It is the basis of the standard ISO/IEC 27034 (Application Security). According to the state of the art, the security architecture stores critical material such as signing keys in a (trusted) hardware security module (HSM), which protects the key against copying and manipulation because the key never leaves the device in plaintext.
Microsoft should promptly recommend security testing (not only penetration testing) and concrete security measures to its customers.
7. Recommendations to users
Users need a minimum set of security measures to achieve reasonably secure use of clouds DESPITE an insecure environment, insecure cloud(s), etc.
Clouds cannot be secured 100%. The minimum measures include encrypting the data stored in the cloud with the user's own keys, so that the cloud operator (and anyone who compromises it) holds only ciphertext. Processing valuable company data unencrypted in a cloud is fundamentally risky.
It is also advisable to implement the security measures laid down in European laws and directives such as the Digital Operational Resilience Act (DORA) and the Network and Information Security 2 (NIS2) directive.
As a precaution, users who store personal data in the affected services should promptly notify the relevant data-protection authority.
Users should start by identifying the entry points (vulnerabilities) exploited by the attackers and the backdoors that may since have been installed. This works well with a complete security test (not only penetration testing), even though Microsoft states that "no customer action is required" and that "if you have not been contacted, our investigations indicate that you have not been impacted". It is also essential that every AAD and Microsoft account be checked for unauthorized activity, in particular mailbox access by clients the organization does not use.
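Added example, not code from the article: a first-pass hunt over exported Exchange Online / Purview unified audit log records (the kind an administrator exports with Search-UnifiedAuditLog) for mailbox reads by client applications the tenant does not use, which is the check for "unauthorized activity" the paragraph above calls for. The records, the sanctioned application IDs and the mailbox names are constructed for this example and are not published indicators of the incident. Field names follow the MailItemsAccessed record layout as exported in AuditData; verify them against your own export before relying on the script.

```python
"""Group MailItemsAccessed events by unsanctioned client app and source address.
One unknown app reading many mailboxes from one address is the pattern to escalate."""
import json
from collections import defaultdict

# Assumption: only these client application IDs are expected to read mail in this tenant.
# Placeholders, not real application IDs.
SANCTIONED_APP_IDS = {"APP-OUTLOOK-DESKTOP", "APP-OUTLOOK-WEB"}

# Constructed records, one JSON document per line, as the AuditData column is exported.
SAMPLE_AUDIT_DATA = [
    '{"CreationTime":"2023-06-15T08:02:11","Operation":"MailItemsAccessed","UserId":"cfo@victim.example",'
    '"ClientIPAddress":"198.51.100.10","AppId":"APP-OUTLOOK-DESKTOP",'
    '"OperationProperties":[{"Name":"MailAccessType","Value":"Sync"}]}',
    '{"CreationTime":"2023-06-15T08:40:52","Operation":"MailItemsAccessed","UserId":"cfo@victim.example",'
    '"ClientIPAddress":"203.0.113.77","AppId":"APP-UNKNOWN-1",'
    '"OperationProperties":[{"Name":"MailAccessType","Value":"Bind"}]}',
    '{"CreationTime":"2023-06-15T08:41:30","Operation":"MailItemsAccessed","UserId":"legal@victim.example",'
    '"ClientIPAddress":"203.0.113.77","AppId":"APP-UNKNOWN-1",'
    '"OperationProperties":[{"Name":"MailAccessType","Value":"Bind"}]}',
    '{"CreationTime":"2023-06-15T09:15:03","Operation":"MailItemsAccessed","UserId":"hr@victim.example",'
    '"ClientIPAddress":"203.0.113.77","AppId":"APP-UNKNOWN-1",'
    '"OperationProperties":[{"Name":"MailAccessType","Value":"Bind"}]}',
    '{"CreationTime":"2023-06-15T09:20:00","Operation":"UserLoggedIn","UserId":"hr@victim.example",'
    '"ClientIPAddress":"198.51.100.10","AppId":"APP-OUTLOOK-WEB"}',
    'RecordType,CreationDate,AuditData',  # a stray CSV header line, as exports often contain
]


def parse_records(lines):
    """Parse one JSON audit record per line; lines that are not JSON are skipped."""
    out = []
    for line in lines:
        try:
            out.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return out


def hunt_mail_access(records, sanctioned_app_ids):
    """Return MailItemsAccessed events whose AppId is not sanctioned, clustered by
    (AppId, ClientIPAddress) with the distinct mailboxes touched and the time span."""
    clusters = defaultdict(lambda: {"mailboxes": set(), "first": None, "last": None, "events": 0})
    for r in records:
        if r.get("Operation") != "MailItemsAccessed":
            continue
        app = r.get("AppId") or r.get("ClientAppId") or "<none>"
        if app in sanctioned_app_ids:
            continue
        c = clusters[(app, r.get("ClientIPAddress", "<none>"))]
        c["mailboxes"].add(r.get("UserId", "<none>"))
        c["events"] += 1
        ts = r.get("CreationTime", "")
        c["first"] = ts if c["first"] is None or ts < c["first"] else c["first"]
        c["last"] = ts if c["last"] is None or ts > c["last"] else c["last"]
    return {k: {**v, "mailboxes": sorted(v["mailboxes"])} for k, v in clusters.items()}


def demo():
    return hunt_mail_access(parse_records(SAMPLE_AUDIT_DATA), SANCTIONED_APP_IDS)


if __name__ == "__main__":
    for (app, ip), c in demo().items():
        print(f"{app} from {ip}: {c['events']} events across {len(c['mailboxes'])} mailboxes "
              f"({', '.join(c['mailboxes'])}) between {c['first']} and {c['last']}")
```

Two caveats a practitioner should keep in mind: Microsoft's own services also appear with application IDs the tenant never registered, so the sanctioned list needs tuning against a known-clean period before the output is actionable; and at the time of this incident, MailItemsAccessed was only recorded in the premium audit tier, so tenants without it have no such records to hunt over for the relevant period.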
Politically, it would be desirable to give users the right to have products such as clouds security-tested, i.e. this should apply to other cloud operators as well.
The more explosive the case actually is, i.e. the stronger the impression that the implemented security functions are compromised, the greater the interest of Microsoft and the security agencies in keeping details secret. So we will not learn much more.
[1] Wilfried Kirsch, Handelsbevollmächtigter (authorized representative), softScheck GmbH, Köln – St. Augustin, Germany, Wilfried.Kirsch@softScheck.com
[2] Prof. Dr. Hartmut Pohl, geschäftsführender Gesellschafter (managing partner), softScheck GmbH, Köln – St. Augustin, Germany, [email protected]
https://www.heise.de/news/Cloud-Datenbank-GAU-Microsoft-informiert-Azure-Kunden-ueber-gravierende-Luecke-6176601.html
[3] https://www.golem.de/news/cosmos-db-tausende-azure-nutzer-von-sicherheitsluecke-betroffen-2108-159178.html
[4] https://winfuture.de/news,120336.html
[5] https://www.heise.de/news/PrintNightmare-Schon-wieder-eine-Drucker-Luecke-in-Windows-ohne-Patch-6163743.html
[6] https://www.heise.de/news/Neue-Erkenntnisse-Microsofts-Cloud-Luecken-viel-groesser-als-angenommen-9224640.html
[7] https://www.wiz.io/blog/storm-0558-compromised-microsoft-key-enables-authentication-of-countless-micr