Microsoft Refutes Claims of Chinese Hackers Cracking Its Cloud Services Amidst Breach Controversy

In response to recent claims, Microsoft has denied that Chinese threat actors, who gained unauthorized access to its systems, could have compromised its cloud services as well. The tech giant stands firm on its initial assessment that only Exchange Online and Outlook.com were affected by the breach and asserts that the issue has been resolved, successfully expelling the cybercriminals.

During mid-July 2023, Microsoft disclosed that a group known as Storm-0558, likely linked to Chinese state sponsorship, infiltrated Exchange Online and Azure Active Directory (AD) accounts, impacting several U.S. government agencies. The U.S. State Department was among the targeted agencies, with its cybersecurity experts alerting Microsoft about the breach.

The attackers exploited a zero-day vulnerability in the GetAccessTokenForResource API, enabling them to create signed access tokens and impersonate accounts. Microsoft promptly addressed the zero-day vulnerability.

However, cybersecurity researcher Shir Tamari from Wiz contradicted Microsoft’s claim, asserting that all Azure AD applications using OpenID v.2.0 were affected, as the key utilized by the attackers could have signed any OpenID v.2.0 access token.

According to Tamari, this included various managed Microsoft applications like Outlook, SharePoint, OneDrive, Teams, and customer applications supporting Microsoft Account authentication with “Login with Microsoft” functionality.

Microsoft firmly denies this assertion, stating that the claims made in the research are speculative and lack evidence. The company maintains that after invalidating the stolen signing key, there has been no evidence of the attackers using the same technique to access additional accounts. Microsoft suggests that Storm-0558 altered its tactics, rendering the signing keys ineffective. Furthermore, the flaw reportedly only impacted applications that accepted personal accounts and experienced validation errors.
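As an added illustration of the validation error the article refers to (not code from the article, Microsoft or Wiz): a token signed with the consumer-account key is accepted by a verifier that resolves the key id from a key cache merged across issuers, and rejected by one that resolves the key id only within the key set of the issuer the application trusts. Issuer URLs, key ids and HMAC secrets are constructed placeholders standing in for the real per-issuer RSA key sets.

```python
import base64
import hashlib
import hmac
import json

# Constructed issuer URLs and HMAC secrets stand in for the real per-issuer
# RSA key sets; the structure (one key set per issuer) is what matters here.
CONTOSO = "https://login.example-idp.test/contoso-tenant/v2.0"
CONSUMERS = "https://login.example-idp.test/consumers/v2.0"
KEYS_BY_ISSUER = {
    CONTOSO: {"aad-kid-1": b"contoso-signing-secret"},
    CONSUMERS: {"msa-kid-7": b"consumer-signing-secret"},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(signing_issuer: str, kid: str, claims: dict) -> str:
    """Build an HS256 token signed with one issuer's key (test helper)."""
    header = {"alg": "HS256", "kid": kid}
    body = f"{_b64(json.dumps(header).encode())}.{_b64(json.dumps(claims).encode())}"
    sig = hmac.new(KEYS_BY_ISSUER[signing_issuer][kid], body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"

def _parse(token: str):
    h, p, s = token.split(".")
    return json.loads(_unb64(h)), json.loads(_unb64(p)), f"{h}.{p}".encode(), _unb64(s)

def _good_sig(key: bytes, body: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), sig)

def verify_loose(token: str, audience: str) -> bool:
    """Flawed validation: the kid is looked up in a cache merged across all issuers,
    so a token signed with the consumer key passes for an enterprise tenant."""
    header, claims, body, sig = _parse(token)
    merged = {kid: key for keys in KEYS_BY_ISSUER.values() for kid, key in keys.items()}
    key = merged.get(header.get("kid"))
    return key is not None and _good_sig(key, body, sig) and claims.get("aud") == audience

def verify_strict(token: str, audience: str, allowed_issuers: set) -> bool:
    """Hardened validation: the issuer must be one the app trusts, and the kid is
    resolved only within that issuer's own key set."""
    header, claims, body, sig = _parse(token)
    issuer = claims.get("iss")
    if issuer not in allowed_issuers:
        return False
    key = KEYS_BY_ISSUER[issuer].get(header.get("kid"))
    return key is not None and _good_sig(key, body, sig) and claims.get("aud") == audience
```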

The implications of this discrepancy are substantial. If the attackers had access to more applications than initially stated by Microsoft, the scope of the attack would be significantly broader, potentially providing deeper insights into the operations of Western governments. This raises concerns about cybersecurity and transparency, not only for Microsoft but also for other cloud service providers.

To address security concerns, Microsoft has committed to making 31 critical security logs available to all customers, irrespective of payment plans or tiers, including the email log used by the U.S. State Department to detect the intrusion. The duration of retention for security logs is also being extended from 90 to 180 days, with implementation expected in September 2023.

The incident has sparked extensive discussions, with cybersecurity experts emphasizing the urgency for application owners to update their Azure SDK and application cache to prevent further vulnerabilities.

The full impact of the breach remains uncertain due to the extensive number of potentially vulnerable applications. The incident is likely to have long-lasting implications for cloud security and will necessitate higher standards of protection and transparency from cloud service providers.

While some users empathize with the complexities of securing numerous signals daily, others criticize Microsoft’s historical lack of accountability and demand enhanced due diligence in product development and security practices.