
Storm-0558 Azure AD Token Forging Attack

Introduction

During the summer of 2023, we witnessed a significant cyber-security data breach, the Storm-0558 Azure AD token forging attack, which highlighted vulnerabilities within a major cloud service provider and the intricate methods employed by advanced persistent threat (APT) groups exploiting weaknesses in Microsoft's cloud services. The ramifications of this breach extend beyond immediate data loss, impacting trust in Microsoft's cloud services and exposing weaknesses in its implementation of both the PCI and GDPR compliance frameworks.

Detailed in the Cyber Safety Review Board (CSRB) document titled "Review of the Summer 2023 Microsoft Exchange Online Intrusion," published on March 20, 2024, this significant breach was orchestrated by a sophisticated Advanced Persistent Threat (APT) group known as Storm-0558. The attack targeted key authentication processes within Microsoft’s Azure Active Directory (AAD) and exploited compromised OpenID signing keys, allowing unauthorised access to sensitive information and highlighting critical lapses in security protocols.

These issues were brought to the forefront in last week’s Senate hearings on June 13, 2024, where U.S. lawmakers rigorously questioned Microsoft President Brad Smith regarding the company's security practices. During the hearings, it was revealed that the hackers accessed 60,000 U.S. State Department emails by breaching Microsoft's systems last summer. The hearing also addressed separate instances where other cyber-criminals spied on Microsoft's senior staff emails, adding another layer of scrutiny over the tech giant’s security measures.

Lawmakers drew on the findings of the scathing CSRB report, which criticised Microsoft for its lack of transparency and labelled the breach as preventable. Microsoft has since acknowledged these shortcomings and committed to implementing the report's recommendations.

This blog summarises the findings of governmental and security researchers, evaluates the potential impact on the Microsoft ecosystem, and categorises by severity the security lapses that facilitated this breach. We also examine the specific PCI and GDPR failings identified in the aftermath of the attack and provide recommendations for fortifying defences against such sophisticated threats.

By understanding the intricate details of the Storm-0558 attack, organisations can better prepare and implement robust security measures to safeguard their digital assets in an increasingly hostile cyber landscape.

Key Takeaways

CSRB Findings and Recommendations:
The Cyber Safety Review Board (CSRB) report, "Review of the Summer 2023 Microsoft Exchange Online Intrusion," highlights significant security lapses within Microsoft’s Cloud ecosystem. The report emphasises the importance of robust security practices and the need for greater transparency and accountability.

Azure Active Directory (AAD) Compromise:
The attack involved the compromise of OpenID signing keys within Azure AD, indicating severe security vulnerabilities within Microsoft's authentication process. This breach allowed the attackers to forge authentication tokens, gaining unauthorised access to sensitive data.

Advanced Persistent Threat (APT) Group:
The attack was carried out by Storm-0558, a threat actor with espionage objectives. This group specifically targeted government agencies and organisations linked to geopolitical interests, underscoring the sophisticated and targeted nature of the attack.

Impact on Microsoft’s Ecosystem:
While media reports sensationalised the event as a "Microsoft 365 service compromise," the analysis suggests that large organisations might have been less affected due to the APT group’s selective targeting. However, the breach still had significant implications for the security of Microsoft's cloud services and customer trust.

Significance of Compromised OpenID Keys:
The compromised OpenID signing keys are critical in the authentication process within AAD. Their compromise can lead to unauthorised access, token forgery, and various security breaches across different application types, affecting a wide range of Microsoft services (Outlook, Office, SharePoint and Teams) as well as customer applications.

Senate Hearings on Security Practices:
During the Senate hearings on June 13, 2024, U.S. lawmakers questioned Microsoft President Brad Smith about the company’s security practices. The hearing highlighted the breaches' impact on federal networks and Microsoft's role in preventing such attacks. Lawmakers criticised Microsoft for its inability to prevent the breaches, despite the sophistication of the attackers.

PCI and GDPR Failings:
The breach exposed several failings in PCI and GDPR compliance. Microsoft’s handling of the attack revealed gaps in key management, insufficient monitoring, and delays in breach notification, violating multiple PCI DSS and GDPR requirements.

Microsoft’s Response and Future Actions:
Microsoft has accepted responsibility for the findings in the CSRB report and committed itself to implementing the recommended security measures. The company has launched new cybersecurity initiatives, prioritising security above all other features to prevent future breaches.

Technical Details

Storm-0558, an APT group, executed the attack by forging authentication tokens through compromised OpenID signing keys. The attack targeted around 25 organisations, including U.S. and European government bodies, exploiting vulnerabilities within Microsoft’s Cloud authentication system.

Attack Overview

Compromised OpenID Signing Keys:
The attack involved the compromise of OpenID signing keys within Azure Active Directory (AAD). These keys are essential for the authentication process, allowing the attacker to forge authentication tokens and gain unauthorised access to various applications and services.

Initial Compromise:
The attack began with the acquisition of a signing key created in 2016. This key was intended for use within Microsoft’s consumer Microsoft Services Accounts (MSA) but was exploited to access enterprise-level services. The exact method of obtaining this key remains unknown, although it is speculated to have been extracted from a crash dump or similar source during an earlier intrusion against Microsoft.

Token Forging Mechanism:
Using the compromised key, Storm-0558 was able to forge authentication tokens that appeared legitimate to Microsoft’s Cloud authentication systems. These tokens granted the attacker access to Microsoft Exchange Online accounts and other services, allowing them to read and exfiltrate emails and other sensitive information.
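To make the mechanism above concrete, here is an added example (not Microsoft's code; every issuer, key ID, key secret and timestamp is constructed) of two token validators side by side: a weak one that, like the flaw described, trusts any cached key by its kid regardless of which issuer the key belongs to or whether its validity period has ended, and a hardened one that binds each key to its issuer and validity window. HS256 JWTs are used only to keep the example standard-library-only; real Azure AD tokens are RS256-signed.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass

# All issuers, key IDs, key material and timestamps below are constructed for this
# example. Real Azure AD tokens are RS256-signed; HS256 is used only to stay stdlib-only.
CONSUMER_ISS = "https://consumer.example/v2.0"
ENTERPRISE_ISS = "https://enterprise.example/tenant-1234/v2.0"
NOW = 1_687_000_000  # constructed "current time", mid-June 2023

@dataclass
class SigningKey:
    kid: str
    issuer: str      # the only issuer this key is allowed to sign for
    secret: bytes
    not_after: int   # end of the key's validity window (unix time)

# A long-expired consumer key still present in the key cache, plus a current enterprise key.
KEYS = [
    SigningKey("kid-consumer-2016", CONSUMER_ISS, b"consumer-key-material", NOW - 700 * 86400),
    SigningKey("kid-enterprise-2023", ENTERPRISE_ISS, b"enterprise-key-material", NOW + 180 * 86400),
]

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(key: SigningKey, claims: dict) -> str:
    """Mint a compact JWT (HS256) under `key`, as the token issuer does legitimately."""
    header = {"alg": "HS256", "typ": "JWT", "kid": key.kid}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(key.secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def _parse(token: str):
    h, p, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), f"{h}.{p}", _b64url_decode(s)

def _signature_valid(key: SigningKey, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(key.secret, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def verify_weak(token: str, keys: list, expected_iss: str, now: int = NOW) -> bool:
    """Weak: any key whose kid is in the merged key set is trusted, whatever its scope or age."""
    header, claims, signing_input, sig = _parse(token)
    key = next((k for k in keys if k.kid == header.get("kid")), None)
    if key is None or not _signature_valid(key, signing_input, sig):
        return False
    return claims.get("iss") == expected_iss and claims.get("exp", 0) > now

def verify_hardened(token: str, keys: list, expected_iss: str, now: int = NOW) -> bool:
    """Hardened: the kid must belong to the expected issuer and be inside its validity window."""
    header, claims, signing_input, sig = _parse(token)
    if header.get("alg") != "HS256":
        return False
    key = next((k for k in keys if k.kid == header.get("kid") and k.issuer == expected_iss), None)
    if key is None or now > key.not_after or not _signature_valid(key, signing_input, sig):
        return False
    return claims.get("iss") == expected_iss and claims.get("exp", 0) > now

def consumer_key_enterprise_token() -> str:
    """Constructed fixture: signed by the expired consumer key but claiming the enterprise issuer."""
    return sign_token(KEYS[0], {"iss": ENTERPRISE_ISS, "sub": "user@tenant-1234", "exp": NOW + 3600})

def legitimate_enterprise_token() -> str:
    """Constructed fixture: signed by the current enterprise key for the enterprise issuer."""
    return sign_token(KEYS[1], {"iss": ENTERPRISE_ISS, "sub": "user@tenant-1234", "exp": NOW + 3600})
```

The weak validator accepts the consumer-key token for the enterprise issuer because it never asks which issuer the kid belongs to or whether the key is still within its validity window; the hardened one rejects it on both counts while still accepting the legitimately signed token.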

Detailed Attack Timeline

May-June 15, 2023: Initial Intrusion, Before Discovery

  • The initial intrusion occurred, with the attacker gaining access to Microsoft Exchange Online mailboxes of various U.S. and international government entities.

June 15-19, 2023: Department of State Detects the Intrusion

  • The State Department detected the intrusion on June 16, 2023, using a custom alert rule, "Big Yellow Taxi", that it had built on the enhanced logging available with its G5 licences, which few other victims had purchased.
  • Microsoft was informed on June 16 and began an investigation, which led to the identification of the compromised signing key on or about June 26.

June 24, 2023: Closing the Attack Vector

  • Immediate mitigation steps included invalidating the compromised key and clearing related caches to block further unauthorised access.

Post-Discovery Actions:

  • Microsoft implemented additional security measures, including accelerating updates to prevent similar breaches and enhancing monitoring capabilities.
  • Despite these efforts, the attack had already compromised approximately 60,000 emails from the U.S. State Department alone.

Impact on the Microsoft Ecosystem

The Storm-0558 Azure AD token forging attack had profound implications for Microsoft's ecosystem, revealing critical vulnerabilities and highlighting the need for stronger security measures across its services. Here, we detail the potential impacts, categorised by severity, and discuss the broader ramifications for the tech giant and its customers.

Severity of Security Lapses

Inadequate Key Management:

  • Impact: The breach exposed a significant lapse in Microsoft's key management practices. The failure to regularly rotate and securely manage OpenID signing keys allowed the attackers to exploit an outdated key that had expired on 4th April 2021, facilitating unauthorised access to sensitive systems.
  • Severity: High

Systemic Vulnerabilities:

  • Impact: The breach exploited a flaw in Microsoft’s authentication systems that allowed tokens intended for consumer services to access enterprise applications. This systemic vulnerability underscores the need for rigorous security testing and validation across all services.
  • Severity: High

Insufficient Monitoring and Detection:

  • Impact: The lack of advanced threat detection mechanisms enabled the attackers to remain undetected for an extended period. Most capable SIEMs alert on concurrent successful authentications to an account, or on concurrent sign-ins from divergent geographic locations. This insufficient monitoring delayed the identification of the breach, increasing the potential damage and the amount of data exfiltrated.
  • Severity: High
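The two SIEM heuristics mentioned above, implemented as an added example over constructed sign-in events (not real tenant logs and not any vendor's rule; account names, IPs from RFC 5737 documentation ranges, and the space-separated log format are all made up for this illustration):

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events, not real tenant logs: timestamp, account, source IP
# (RFC 5737 documentation ranges), geolocated country, result.
SAMPLE_SIGNINS = """\
2023-06-15T08:01:10Z alice@agency.example 192.0.2.10 US success
2023-06-15T08:03:42Z alice@agency.example 203.0.113.5 CN success
2023-06-15T09:15:00Z bob@agency.example 192.0.2.20 US success
2023-06-15T09:16:30Z bob@agency.example 192.0.2.20 US success
2023-06-15T10:00:00Z carol@agency.example 198.51.100.9 GB failure
2023-06-15T10:00:05Z carol@agency.example 203.0.113.7 RU success
2023-06-15T12:00:00Z dave@agency.example 192.0.2.30 US success
2023-06-15T18:00:00Z dave@agency.example 198.51.100.30 DE success
2023-06-15T14:00:00Z erin@agency.example 192.0.2.40 US success
2023-06-15T14:02:00Z erin@agency.example 198.51.100.41 US success
"""

def parse_signins(text: str) -> list:
    """Parse the constructed log format into dicts, ordered per account by time."""
    events = []
    for line in text.splitlines():
        ts, user, ip, country, result = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "ip": ip, "country": country, "result": result})
    return sorted(events, key=lambda e: (e["user"], e["ts"]))

def _successes_by_user(events: list) -> dict:
    """Only successful sign-ins matter for both rules; failures are noise here."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    return by_user

def divergent_geo_alerts(events: list, window: timedelta = timedelta(hours=1)) -> list:
    """Rule 1: consecutive successful sign-ins from different countries inside `window`."""
    alerts = []
    for user, evs in _successes_by_user(events).items():
        for prev, cur in zip(evs, evs[1:]):
            if cur["country"] != prev["country"] and cur["ts"] - prev["ts"] <= window:
                alerts.append({"user": user, "from": prev["country"], "to": cur["country"],
                               "minutes_apart": (cur["ts"] - prev["ts"]).total_seconds() / 60})
    return alerts

def concurrent_session_alerts(events: list, window: timedelta = timedelta(minutes=5)) -> list:
    """Rule 2: successful sign-ins from two or more distinct source IPs inside `window`."""
    alerts = []
    for user, evs in _successes_by_user(events).items():
        for i, start in enumerate(evs):
            ips = {e["ip"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(ips) >= 2:
                alerts.append({"user": user, "ips": sorted(ips), "window_start": start["ts"]})
                break  # one alert per account is enough for triage
    return alerts

def run_detection(text: str = SAMPLE_SIGNINS) -> dict:
    events = parse_signins(text)
    return {"divergent_geo": divergent_geo_alerts(events),
            "concurrent_sessions": concurrent_session_alerts(events)}
```

On the sample, alice trips both rules (US then CN from two IPs within three minutes), erin trips only the concurrent-session rule (two IPs, same country), and bob and dave trip neither (same IP twice; six hours between countries).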

Delayed Incident Response:

  • Impact: Microsoft’s slow response in identifying and addressing the breach, coupled with delays in notifying affected entities, exacerbated the impact of the attack. This response gap hindered effective mitigation and recovery efforts.
  • Severity: Medium

Broader Ramifications

Trust and Reputation:

  • Impact: The attack significantly eroded customer trust in Microsoft’s security capabilities. As a key vendor to the U.S. government and numerous enterprises worldwide, maintaining robust security is paramount. This breach has highlighted gaps that could affect Microsoft’s reputation and market position.
  • Severity: High

Compliance and Regulatory Scrutiny:

  • Impact: The breach exposed failings in compliance with PCI DSS and GDPR standards, leading to increased regulatory scrutiny. Microsoft faces potential fines and mandated corrective actions, which could impact its operations and financial performance.
  • Severity: Medium

Customer Relationships:

  • Impact: The breach affected high-profile customers, including government agencies and enterprises, leading to strained relationships. The lack of transparency and delayed notifications further aggravated customer dissatisfaction.
  • Severity: Medium

Operational Changes:

  • Impact: In response to the breach, Microsoft has committed to overhauling its security practices, prioritising security over new features. This shift may slow down product development but is necessary to restore confidence and protect against future threats.
  • Severity: Medium

Specific Impacts

Government and Enterprise Trust:

  • Impact: The breach involved unauthorised access to the email accounts of U.S. government officials, including Commerce Secretary Gina Raimondo and U.S. Ambassador to China R. Nicholas Burns. Such high-level breaches could lead to reassessments of Microsoft’s suitability as a secure provider for sensitive government contracts.
  • Severity: High

International Implications:

  • Impact: The breach also targeted international entities, affecting the trust of foreign governments and organisations in Microsoft’s services. This global impact necessitates a comprehensive approach to regaining trust and ensuring security across all regions.
  • Severity: High

Technology and Ecosystem Security:

  • Impact: The breach highlighted the interconnected nature of Microsoft’s services, where a vulnerability in one area (e.g., OpenID signing keys) can have widespread effects across multiple services and applications. Addressing these vulnerabilities requires a holistic approach to security and a properly designed, layered security architecture.
  • Severity: High

PCI and GDPR Failings

PCI DSS Failings

For PCI DSS v4.0, several requirements were potentially compromised during the Azure AD Token Forging Attack:

Requirement 3.6.1: Protect Keys Used to Secure Stored Account Data:

  • Issue: The attack indicates a failure in the protection of cryptographic keys used within Azure AD.
  • Failure: Inadequate controls for key protection, such as insufficient access controls, lack of HSMs, or failure to rotate keys regularly.

Requirement 3.6.1.2: Secret and private keys used to protect stored account data are stored securely

  • Issue: The compromised OpenID signing keys suggest that the cryptographic mechanisms protecting stored tokens were not adequately secured.
  • Failure: Lack of strong cryptographic protection for the stored keys or inadequate key management processes might have allowed attackers to forge authentication tokens.

Requirement 3.6.1.3-3.6.1.4: Access to cleartext cryptographic key components is restricted to the fewest number of custodians necessary. Cryptographic keys are stored in the fewest possible locations

  • Issue: Compromised OpenID signing keys indicate failures in restricting access to cleartext cryptographic key components.
  • Failure: Insufficient restriction of key access to necessary custodians and storing keys in too many locations, increasing the risk of compromise.

Requirement 3.7.4-3.7.5: Key Management Processes and Procedures:

  • Issue: The use of compromised keys for forging tokens suggests lapses in the key management lifecycle, including generation, distribution, storage, rotation, and destruction.
  • Failure: Ineffective key management practices, such as failure to replace keys promptly upon compromise and lack of secure key storage mechanisms.

Requirement 6: Develop and maintain secure systems and software

  • Issue: The incident indicates potential common coding vulnerabilities in the software development lifecycle.
  • Failure: Inadequate developer training and lack of adherence to secure coding guidelines, resulting in vulnerabilities that could be exploited by attackers.

Requirement 8: Identify users and authenticate access to system components:

  • Issue: The attack involves unauthorised access and impersonation through forged tokens, indicating a failure in robust authentication mechanisms.
  • Failure: Insufficient policies and procedures for managing user identities and authentication methods. It also suggests a failure to link all access to individual users.

Requirement 10: Log and monitor all access to system components and cardholder data:

  • Issue: If the detection of forged tokens required external auditing by a customer and was not immediately identified by internal logs and monitoring, this requirement may not have been fully met.
  • Failure: Incomplete or missing audit trail entries for critical events, making it difficult to detect unauthorised access and suspicious activities.

Requirement 11: Test security of systems and networks regularly:

  • Issue: The existence of such a critical vulnerability suggests that regular security testing and vulnerability assessments might not have been thorough or effective.
  • Failure: Insufficient frequency or scope of internal and external network vulnerability scans, leading to undetected vulnerabilities.

Requirement 12: Support information security with organisational policies and programs:

  • Issue: The overarching failure to detect and mitigate such a breach could indicate a gap in the overall security policies, risk management, and incident response plans.
  • Failure: Inadequate or outdated security policies that did not cover all necessary aspects of information security.

GDPR Failings

Data Breach Notification Delays:

  • Issue: Microsoft delayed notifying affected individuals and authorities about the breach, violating GDPR’s strict requirements for timely breach notification. The company took several days to weeks to inform impacted parties.
  • Impact: The delay prevented affected individuals from taking timely actions to protect their data, exacerbating the breach's impact.
  • GDPR Article Violated: Article 33 (Notification of a personal data breach to the supervisory authority) and Article 34 (Communication of a personal data breach to the data subject).

Inadequate Data Protection Measures:

  • Issue: The breach exposed a lack of adequate technical and organisational measures to protect personal data from unauthorised access, as required by GDPR.
  • Impact: The failure to implement robust security measures allowed attackers to access and exfiltrate sensitive personal data, impacting the privacy of numerous individuals.
  • GDPR Article Violated: Article 32 (Security of processing).

Lack of Transparency:

  • Issue: Microsoft was criticised for its lack of transparency regarding the breach, with delayed and insufficient communication about the nature and scope of the attack.
  • Impact: This lack of transparency hindered stakeholders' ability to understand the full impact of the breach and take necessary actions to mitigate the risks.
  • GDPR Article Violated: Article 5 (Principles relating to processing of personal data), particularly the principle of transparency.

Recommendations

In light of the Storm-0558 Azure AD token forging attack, it is imperative for organisations, especially those managing critical cloud services like Microsoft, to implement robust security measures to mitigate the risks of similar breaches. Below are our detailed recommendations to enhance security, improve compliance, and protect sensitive information.

Regular Key Rotation:

  • Description: Implement a strict key rotation policy for OpenID signing keys within Azure Active Directory (AAD) to mitigate the risk of key compromise.
  • Action Steps:
  • Establish a schedule for regular key rotation (e.g., every 6 months).
  • Automate key rotation processes to ensure timely updates.
  • Implement monitoring to ensure old keys are properly retired and new keys are correctly propagated across all systems.
  • Expected Outcome: Regular key rotation will reduce the risk of a single key being used for an extended period, minimising the potential impact if a key is compromised.

APT-Specific Monitoring:

  • Description: Employ advanced threat monitoring and detection mechanisms to identify and respond promptly to potential activities by Advanced Persistent Threat (APT) groups.
  • Action Steps:
  • Deploy advanced security information and event management (SIEM) systems that incorporate machine learning to detect abnormal patterns.
  • Focus on monitoring government agencies and organisations with geopolitical interests to enhance early detection.
  • Regularly update threat intelligence feeds and integrate them with monitoring tools.
  • Expected Outcome: Enhanced monitoring will enable quicker detection of APT activities, allowing for faster incident response and mitigation.

Strengthen Application Security:

  • Description: Enhance security measures for all applications connected to Azure AD by adopting multi-factor authentication (MFA), role-based access controls (RBAC), and continuous monitoring.
  • Action Steps:
  • Mandate MFA for all user accounts, especially those with elevated privileges.
  • Implement RBAC to limit access based on user roles and responsibilities.
  • Continuously monitor application access and behavior to detect anomalies.
  • Expected Outcome: Stronger application security will reduce the likelihood of unauthorised access and limit the potential damage from compromised accounts.

Conduct Regular Security Assessments:

  • Description: Perform frequent security audits and assessments of your Azure AD environment to identify potential vulnerabilities and ensure that necessary security controls are in place.
  • Action Steps:
  • Schedule regular security assessments, including vulnerability scans and penetration tests.
  • Conduct comprehensive audits of key management practices and access controls.
  • Address identified vulnerabilities promptly and verify the effectiveness of implemented controls.
  • Expected Outcome: Regular security assessments will help maintain a robust security posture by identifying and addressing vulnerabilities before they can be exploited.

Enhance Incident Response Plans:

  • Description: Develop and regularly update incident response plans to ensure prompt and effective handling of security breaches.
  • Action Steps:
  • Establish a clear incident response framework outlining roles, responsibilities, and procedures.
  • Conduct regular incident response drills to test the effectiveness of the plan.
  • Integrate lessons learned from past incidents to continuously improve response strategies.
  • Expected Outcome: A well-defined and practiced incident response plan will enable rapid and efficient management of security breaches, minimising damage and recovery time.

Improve Compliance with PCI DSS and GDPR:

  • Description: Ensure compliance with PCI DSS and GDPR requirements by implementing stringent data protection measures and maintaining transparency in breach notifications.
  • Action Steps:
  • Regularly review and update security policies to align with PCI DSS and GDPR standards.
  • Enhance data protection measures, including encryption, access controls, and secure key management.
  • Establish clear procedures for timely breach notifications to affected individuals and authorities.
  • Expected Outcome: Improved compliance will reduce legal and regulatory risks and enhance trust among customers and stakeholders.

Increase Transparency and Communication:

  • Description: Adopt a policy of transparency regarding security practices and breach notifications to build and maintain trust with customers and stakeholders.
  • Action Steps:
  • Communicate security policies, incident response procedures, and breach notifications clearly and promptly.
  • Engage with customers and stakeholders regularly to update them on security measures and any incidents.
  • Provide detailed post-incident reports and actionable recommendations.
  • Expected Outcome: Increased transparency will foster trust and cooperation between the organisation and its customers, improving overall security and resilience.

Adopt Advanced Encryption Techniques:

  • Description: Utilise advanced encryption methods to protect data both in transit and at rest, ensuring that even if data is accessed, it remains unreadable to unauthorised parties.
  • Action Steps:
  • Implement end-to-end encryption for sensitive data transmissions.
  • Use strong encryption algorithms for data storage and key management.
  • Regularly review and update encryption standards to protect against emerging threats.
  • Expected Outcome: Advanced encryption will safeguard sensitive data, reducing the risk of data breaches and ensuring compliance with data protection regulations.

Conclusion

The Storm-0558 Azure AD token forging attack of summer 2023 has identified significant vulnerabilities in Microsoft's cloud ecosystem. The breach, executed by the sophisticated APT group Storm-0558, exploited critical flaws in Azure Active Directory's (AAD) authentication processes, leading to unauthorised access to sensitive data and extensive repercussions for Microsoft and its users.

The Cyber Safety Review Board's (CSRB) report highlighted fundamental lapses in security practices, including inadequate key management, insufficient monitoring, and delayed incident response. These weaknesses were further scrutinised during Senate hearings, which revealed extensive data breaches affecting high-profile government entities and senior Microsoft staff.

This incident has exposed failings in compliance with PCI DSS and GDPR standards, pointing to significant gaps in data protection, timely breach notification, and overall security transparency. Microsoft's response, including the acknowledgment of shortcomings and commitment to implementing recommended security measures, marks a pivotal step toward addressing these issues and fortifying its defenses against future threats.

The lessons from this breach are clear. Implementing robust security measures, such as regular key rotation, advanced threat monitoring, multi-factor authentication (preventing the initial breach), and continuous security assessments, is crucial. Additionally, enhancing incident response plans, ensuring compliance with regulatory standards, and maintaining transparency with stakeholders are vital steps to mitigate risks and rebuild trust.