The Storm-0558 hack on Microsoft, revealed in July, was thought to be limited to Outlook.com and Exchange Online. But in a recent revelation, researchers at the cloud security startup Wiz have detailed a larger, more insidious aspect of the hack on Microsoft's M365 platform.
As it turns out, the impact was not only limited to stealing the key to Microsoft's email house - it was far more powerful.
Originally, Microsoft declared that the stolen Microsoft Security Authority (MSA) key had only compromised Exchange Online and Outlook.com. However, the new research suggests otherwise. The stolen MSA key did not merely unlock the front door to email services. Rather, it provided access to the "key-cutting machine," with which every house in Microsoft's cloud neighborhood could potentially be unlocked.
The compromised MSA key could have allowed the hackers to create access tokens for several Azure Active Directory applications that would be accepted as cryptographically valid. While never authorized by Microsoft or Azure, such tokens would look perfectly sound to the application verifying them. These applications include all those that support personal account authentication, such as SharePoint, Teams, and OneDrive, and even extend to customer applications supporting the "login with Microsoft" functionality.
In the wake of the public outcry, Microsoft agreed to grant access to cloud security logs to all M365 customers for post-incident forensics. However, even this enhanced logging may fall short in detecting the use of unauthorized tokens, because the logs do not capture crucial fields from the token verification process.
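As an added example (not code from the original post, from Microsoft, or from Wiz), the validator below shows the check that the flaw described above calls for: a signing key is only ever looked up through the issuer the application expects, so a key belonging to another issuer can never validate a token, and the key id, issuer and audience of every token are recorded for the kind of forensics the logs discussed above would need. The issuer URLs, key ids and secrets are constructed, and HS256 stands in for the RS256 signing that real Azure AD and MSA tokens use so that the example runs with the standard library alone.

```python
import base64, hashlib, hmac, json, time
# Constructed key set: each signing key is bound to exactly one issuer. Real
# Azure AD / MSA tokens are RS256-signed; HS256 is assumed here only so the
# example runs with the standard library.
KEYS = {
    "https://login.live.com": ("msa-key-1", b"consumer-signing-secret"),
    "https://login.microsoftonline.com/contoso": ("aad-key-1", b"org-signing-secret"),
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, kid: str, secret: bytes) -> str:
    """Build a sample HS256 token; used only to construct test input."""
    header = _b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_token(token, expected_iss, expected_aud, now=None, audit=None):
    """Strict validation: the key is chosen by the expected issuer, never by a
    global kid lookup, so another issuer's key can never validate a token."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_unb64url(header_b64))
    claims = json.loads(_unb64url(body_b64))
    if audit is not None:  # record what forensics needs to spot forged tokens
        audit.append({"kid": header.get("kid"), "iss": claims.get("iss"),
                      "aud": claims.get("aud")})
    if claims.get("iss") != expected_iss:
        return False, "issuer mismatch"
    kid, secret = KEYS[expected_iss]
    if header.get("kid") != kid:
        return False, "kid not bound to expected issuer"
    signed = f"{header_b64}.{body_b64}".encode()
    expected_sig = hmac.new(secret, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _unb64url(sig_b64)):
        return False, "bad signature"
    if claims.get("aud") != expected_aud:
        return False, "audience mismatch"
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return False, "expired"
    return True, "ok"
```

A validator that instead picked the key by the header's kid from one pooled key set would accept the consumer-key-signed token in the second case below, which is precisely the acceptance the audit record is meant to expose.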
Although Microsoft revoked the compromised key, effectively shutting the door on further unauthorized token creation, serious concerns remain. In sessions established before the revocation, the attackers might have set up persistence or created back doors, for example by issuing themselves application-specific access keys. This leaves us in a state of uncertainty about what was done, how it was done, and the extent of the damage.
The potential impact of the hack extends far beyond email services, emphasizing the need for organizations using Microsoft and Azure services to assess the wider consequences. Immediate steps recommended include updating Azure SDK deployments to the latest version and ensuring application caches are refreshed to mitigate the risk of further exploitation.
What does this mean for the average business - large or small - using these services? Their data and company could be at risk without any extra layers of protection. On a macro scale, the implications of exposure to foreign hackers and the unknowns about the true extent of the damage remain to be seen.
While Microsoft's decision to free up access to cloud security logs for lower-tier customers is a step in the right direction, this event underscores the need for greater transparency and advanced security measures to safeguard against such breaches in the future.
This breach serves as a stark reminder of the vulnerabilities that exist even within the infrastructure of tech giants like Microsoft. And while it’s easy to point fingers at Microsoft, the inevitability of these sophisticated attacks should really cause us to look in the mirror.
Microsoft, Google, Amazon … we trust them, but they are not infallible. Fault aside, security leaders and individuals alike should reconsider placing the eggs for our entire security infrastructure in one basket. Yes, that means layered protections to fall back on when other systems fail. Here’s what that could look like:
A Separation for Fortification
Creating a buffer between access to the data itself on an individual level and wide-reaching access to the entire system adds a further layer of security. This means that even if your system's defenses are breached, the intruders won't necessarily have a free pass to your data.
Client-Side Encryption for Email: Typical email security, like in Outlook or Gmail, relies on transport-layer security (TLS), which only protects data while it's being transmitted. Virtru takes it a step further with user-friendly, end-to-end encryption, allowing users to encrypt sensitive data before sharing, thus extending control outside the organization. With tools like Virtru for Outlook or Virtru for Gmail, users can share secure information smoothly, without hampering everyday tasks.
Encryption Gateway for Data Protection: Think of server-side encryption as a safety net for your data as it leaves your organization. It's like a smart guard at the exit door that can spot sensitive information and either stop it from going out or wrap it securely in encryption. And with tools like the Virtru Data Protection Gateway and Virtru Secure Share, you can even take back data you've already sent out into the world.
Self-Hosted Encryption Keys: With Virtru Private Keystore, you can host keys in your preferred location, reinforcing the control over your data. Having control over your encryption keys, as opposed to entrusting them to cloud providers like Google or Microsoft, ensures your encrypted data remains under your control, invisible and inaccessible to the cloud provider.
In light of recent cyber threats like the Microsoft breach, it's clear that email and cloud applications are in the crosshairs. They host vast amounts of personal and corporate data - a gold mine for attackers.
With Virtru, you're not just defending your data, you're taking an offensive approach. We secure data on an individual level, instating robust access controls that reach beyond your organization's boundaries.
Want to strengthen your Microsoft, Google, or hybrid cloud defenses? Reach out to Virtru for a proactive approach to data security.