The signing key stolen from Microsoft, which attackers used to read the email of government agencies and other customers of Outlook.com and Exchange Online, also gave access to many more cloud services of the company and its partners, according to security firm Wiz.
Details of the Breach
The stolen signing key allowed the attackers to forge authentication tokens, which granted them access to accounts hosted on Exchange Online, Microsoft reported. The company has not yet disclosed how the key was stolen.
In addition, the attackers exploited two vulnerabilities in the token validation process, but no details about these have been released yet.
Security firm Wiz claims that the impact is much larger than Microsoft suggests, because the stolen signing key gave access to many more services. Wiz therefore advises organizations to check their own environments for misuse of the stolen key. “We believe the stolen key was a private key intended for Microsoft’s MSA tenant in Azure, and could also sign OpenID v2.0 tokens for multiple types of Azure Active Directory applications,” the security company stated.
Implications of the Breach
“The signing keys of an identity provider are probably the most powerful secrets in the modern world,” says Wiz researcher Shir Tamari. “With the keys of an identity provider, immediate access to everything can be obtained: every mailbox, file service, or cloud account.” Tamari expects the attack to have consequences for trust in the cloud, and says the full extent of the incident is hard to determine because millions of applications were at risk.
These include both Microsoft’s own applications and those of its customers, most of which lack the logging needed to determine whether they were compromised, according to the researcher.