Highlight of the week

A compromised signing key at Microsoft.

A recent security incident affecting multiple customers of Exchange Online and Outlook.com has raised significant concerns about the security of identity providers, particularly Microsoft's Azure Active Directory (AAD). The incident involved a threat actor identified as Storm-0558, attributed to China, acquiring a private encryption key (MSA key) from Microsoft. Using this key, the threat actor forged access tokens for Outlook Web Access (OWA) and Outlook.com, exploiting two security issues in Microsoft's token verification process.

While Microsoft initially stated that only Outlook.com and Exchange Online were affected, further research by Wiz has revealed that the compromised signing key was more potent than previously believed. The MSA key allowed the threat actor to forge access tokens for various types of Azure Active Directory applications (only with OpenID v2.0), including those supporting personal account authentication (e.g., SharePoint, Teams, OneDrive, and applications using "login with Microsoft" functionality) and multi-tenant applications under specific conditions.

Microsoft has revoked the compromised key and provided indicators of compromise (IoCs) to help affected users identify potential attacks. However, application owners must take additional measures to safeguard their systems, such as updating their Azure SDK to the latest version and refreshing the cache of trusted certificates.

Wiz also provides searches to identify AAD applications that could have been impacted.

Unfortunately, the full extent of the incident remains unclear, given the vast number of potentially vulnerable applications and the lack of comprehensive logs to determine compromises fully. Ongoing investigation and collaboration with Microsoft continue to shed light on the incident, and updates will be provided as more information becomes available.

Compromised identity provider keys hold immense power, allowing immediate access to a wide range of services, emails, files, and cloud accounts. This incident underscores the need for improved security and transparency practices from cloud service providers and identity providers to prevent and mitigate future incidents. A lot of customers realised they weren’t getting the right logs to investigate unless they pay more has sparked a response from Microsoft and “will include access to wider cloud security logs for our worldwide customers at no additional cost” (https://www.microsoft.com/en-us/security/blog/2023/07/19/expanding-cloud-logging-to-give-customers-deeper-security-visibility/)

🗞️ https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/

🧠 https://www.wiz.io/blog/storm-0558-compromised-microsoft-key-enables-authentication-of-countless-micr

2nd highlight of the week

A Citrix RCE.

🗞️ https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467

The (CISA) has issued an advisory highlighting a critical security flaw in Citrix NetScaler Application Delivery Controller (ADC) and Gateway devices. Threat actors have exploited this vulnerability to deploy web shells on vulnerable systems, which allowed them to perform discovery on the victim's active directory (AD) and collect and exfiltrate sensitive AD data. The flaw, identified as CVE-2023-3519 with a CVSS score of 9.8, is a code injection bug that enables unauthenticated remote code execution. The successful exploitation of this vulnerability requires the appliance to be configured as a Gateway or for authentication, authorization, and auditing (AAA) purposes.

The impacted organization's name has not been disclosed, and the identity of the threat actor or country behind the attack remains unknown. However, in the analyzed incident, the attackers collected NetScaler configuration files, decryption keys, and AD information, using a PNG image file ("medialogininit.png") to transmit the data. CISA is providing a useful guide to detect the potential exploitation : https://www.cisa.gov/sites/default/files/2023-07/aa23-201a_csa_threat_actors_exploiting_citrix-cve-2023-3519_to_implant_webshells.pdf

CISA commended the use of robust network segmentation controls in the incident, which thwarted the adversary's lateral movement attempts and prevented further compromise.

A patch is available and must be applied as soon as possible, even though no public POC has been published yet.

Conclusion

I hope you enjoyed this edition !

Have a good week.