Losing The Keys To The Castle: Azure Key Breach Should Worry Every Organisation

What is often the most expensive cybersecurity threat to recover from? A breach in the trust infrastructure. Research has shown that it can cost a large company, on average, around £150 million to fix the problem. One of the most significant events happened when RSA had the seed keys for their SecurID tokens stolen. These tokens were used for two-factor authentication with key fobs, and the theft meant that the devices could no longer be trusted. As they were often used in highly secure environments, companies had to find every place where a forged device could have been used and revoke access for the existing devices.

The focus here is the loss of trusted signing keys, typically the private key used to digitally sign things. In the worst case, this is the private key used to sign trusted software, as in the SolarWinds hack, or to sign digital credentials.

In most single sign-on systems we now integrate with a cloud-based authentication system, such as to use Teams or SharePoint. For this, Bob identifies himself with his credentials, such as his username and password together with an OTP (One Time Password). The system then uses a key to digitally sign Bob's access token, either with a MAC-based signature (such as one generated from a secret passphrase) or with public key cryptography. For a secure infrastructure, the best approach is the public key one, where a private key signs the access token and the public key validates Bob's rights. A breach of the private key could thus cause a great deal of damage to the system, as Eve could digitally sign herself access at Administrator level.

A key element of this is the distinction between customer-managed keys and Microsoft-managed keys. The customer looks after the customer-managed keys, while Microsoft is responsible for its own keys. The Microsoft keys are used for general access to applications such as Teams and SharePoint, while customer-managed keys give access to specific applications within an organisational network. The loss of the Microsoft keys is thus a major problem, as it can give an adversary high-level access to the network.

Figure 1: Token signing

But what happens when your cloud provider has the trusted key for its application stolen? Well, this has just happened, with Microsoft disclosing that the Storm-0558 Chinese adversaries had access to cloud signing keys. These keys are known as the Microsoft Account (MSA) consumer signing key.

For this, the adversaries accessed Exchange Online and Outlook.com accounts on 12 July 2023, along with the Azure Active Directory (AD) accounts of a number of organisations [here]. These included the US State and Commerce Departments, and the attack involved a zero-day validation vulnerability in GetAccessTokenForResourceAPI. This allowed forged signed access tokens to be created, which could impersonate accounts. The vulnerability also allows the signing of OpenID v2.0 access tokens.

Overall, the great worry is that Azure Active Directory is now integrated into the IT infrastructure as the source of access tokens, which makes this possibly one of the most pervasive attacks: a single forged access token with high access rights could allow access to virtually every part of the networked infrastructure, including Administrator access. This is because the affected applications are the ones which Microsoft hosts, such as Outlook, Office, SharePoint and Teams.

Conclusions

So, what is the mitigation? Well, the only way is to revoke the breached keys so that they are no longer trusted. What else? Well, the cloud allows extensive logging of key access, so that every use of a key can be traced. Microsoft has ramped up the logging of both the previous keys and the new ones in order to detect a breach, and is making access to these logging facilities available with a licence.

So, logging access to your private keys is fundamentally important, as is putting them in an HSM (Hardware Security Module)! The days of hacking hashed password lists have nearly passed us; this is the era of digital signing and single sign-on, where you might not need someone's password to gain access to everything they digitally own.

We just hope the Internet Service Providers (ISPs), such as Meta, Microsoft, Amazon, Google and so on, know how to protect and monitor the keys they provide to their customers; otherwise, we are in for the largest data breach ever! A single breach of a key opens up every single bit of data in an organisation. Be worried …