![]() ![]() "A notable example of this is how, prior to Microsoft's mitigation, Storm-0558 issued valid Exchange Online access tokens by forging access tokens for Outlook Web Access (OWA)," Tamari wrote.Īdditionally, applications that use local certificate stores or cached keys may still trust the compromised key and thus be vulnerable to attack. While Microsoft pulled the compromised key, meaning it can no longer be used to forge tokens and access AAD applications, there's a chance that during previously established sessions attackers could have used this access to deploy backdoors or otherwise establish persistence. Azure issues not adequately fixed for months, complain bug huntersĪccording to the Wiz security team, the China-based crew looks to have obtained one of several keys used for verifying Azure Active Directory (AAD) access tokens, allowing them to sign as Microsoft any OpenID v2.0 access token for personal accounts along with multi-tenant and personal-account AAD applications.Azure blunder left Bing results editable, MS 365 accounts potentially exposed. ![]() Microsoft's Azure mishap betrays an industry blind to a big problem.Google veep calls out Microsoft's cloud software licensing 'tax'.It's still unclear how the spies obtained the private encryption key in the first place. This issue has been corrected.Īccording to a Thursday report in the Wall Street Journal, Chinese snoops also accessed inboxes belonging to the US ambassador to China, Nicholas Burns, and Daniel Kritenbrink, the assistant secretary of state for East Asia. Though the key was intended only for MSA accounts, a validation issue allowed this key to be trusted for signing Azure AD tokens. All MSA keys active prior to the incident – including the actor-acquired MSA signing key – have been invalidated. Storm-0558 acquired an inactive MSA consumer signing key and used it to forge authentication tokens for Azure AD enterprise and MSA consumer to access OWA and. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |