A small note for administrators who are responsible for or manage services and applications in the (Microsoft) cloud. The theft of access tokens can enable attackers to use the corresponding services as the token's owner. Following a corresponding incident, Microsoft has published the so-called TokenTheft Playbook. This is an online document with numerous tips for "cloud managers" who have to take care of security and of protection against the theft of access tokens.
The TokenTheft playbook
The release of the TokenTheft playbook is currently being celebrated big time on Twitter by some people (at least that is how it feels to me). The following tweet, for example, points this out.
Companies are indeed strengthening their security measures to secure their cloud presence. This includes multifactor authentication (2FA), after which security tokens are used for access. But threat actors are using increasingly sophisticated techniques to compromise resources in the cloud (and on-premises as well). One of these threats is the theft of security tokens by attackers, whether through vulnerabilities or other attack vectors.
A token theft attack occurs when threat actors obtain and replay tokens issued to a user, even if that user has satisfied multifactor authentication. Because the authentication requirements are already recorded in the token, the attacker gains access to corporate resources with the stolen token without being challenged again.
For enterprises, a quick response is required to detect such theft in time and to investigate, mitigate and remediate the damage caused by token theft attacks. This is exactly where Microsoft is now stepping in with documentation. The TokenTheft Playbook is a collection of information that gives security analysts and responders guidance on identifying and investigating token theft attacks in an organization, along with a decision tree to work through.
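One of the indicators such an investigation looks for is a session that keeps being used from a new location without a fresh MFA prompt, because the replayed token already carries the MFA claim. The following is an added example of that check over constructed sample records, not code from the playbook or from Microsoft; the record fields (time, user, session_id, ip, country, mfa_prompted) are assumptions for this illustration and not the exact Entra ID sign-in log schema.

```python
from datetime import datetime, timedelta

# Constructed sample records in a simplified sign-in log shape. The field
# names are assumptions for this example, not the real Entra ID schema.
SAMPLE_SIGNINS = [
    {"time": "2023-07-20T08:00:00Z", "user": "alice@example.com", "session_id": "s-1",
     "ip": "203.0.113.10", "country": "DE", "mfa_prompted": True},
    {"time": "2023-07-20T08:05:00Z", "user": "alice@example.com", "session_id": "s-1",
     "ip": "203.0.113.10", "country": "DE", "mfa_prompted": False},  # normal token reuse
    {"time": "2023-07-20T08:20:00Z", "user": "alice@example.com", "session_id": "s-1",
     "ip": "198.51.100.7", "country": "US", "mfa_prompted": False},  # replay suspect
    {"time": "2023-07-20T09:00:00Z", "user": "bob@example.com", "session_id": "s-2",
     "ip": "192.0.2.5", "country": "DE", "mfa_prompted": True},
    {"time": "2023-07-21T09:00:00Z", "user": "bob@example.com", "session_id": "s-2",
     "ip": "192.0.2.99", "country": "DE", "mfa_prompted": False},    # same country, a day later
]


def _ts(value: str) -> datetime:
    # fromisoformat() on older Pythons does not accept a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_replay_suspects(records, window=timedelta(hours=1)):
    """Flag a session that continues from a different IP and country within
    `window` without a fresh MFA prompt: the MFA claim inside the replayed
    token satisfies the requirement, so the attacker is never challenged."""
    by_session = {}
    for rec in records:
        by_session.setdefault((rec["user"], rec["session_id"]), []).append(rec)
    findings = []
    for (user, session_id), events in by_session.items():
        events.sort(key=lambda r: _ts(r["time"]))
        for prev, cur in zip(events, events[1:]):
            gap = _ts(cur["time"]) - _ts(prev["time"])
            if (cur["country"] != prev["country"] and cur["ip"] != prev["ip"]
                    and gap <= window and not cur["mfa_prompted"]):
                findings.append({
                    "user": user, "session_id": session_id, "time": cur["time"],
                    "from": f'{prev["ip"]} ({prev["country"]})',
                    "to": f'{cur["ip"]} ({cur["country"]})',
                    "reason": "session continued from new country within window, no fresh MFA",
                })
    return findings


if __name__ == "__main__":
    for finding in find_replay_suspects(SAMPLE_SIGNINS):
        print(finding)
```

A hit is a starting point for investigation (revoke the session, check the user's risk events), not proof of theft by itself; travellers on VPNs produce the same pattern.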
The TokenTheft playbook can be accessed online at Microsoft Learn in the article Token theft playbook. The instructions refer exclusively to Microsoft's cloud services and require access to Microsoft Entra ID (formerly Azure AD) as well as a few other prerequisites. The details can be read on the linked pages, so I can spare myself listing them here.
What is the background?
We can only speculate as to why Microsoft published this playbook at the end of July 2023. But I think the starting point of Microsoft's efforts and of the publication of the TokenTheft playbook is the scandal surrounding the hack of various Microsoft services by suspected Chinese actors, which I reported on in the blog post Stolen AAD key allowed (Storm-0558) wide-ranging access to Microsoft cloud services as a "suspicious case" that has not yet been confirmed by Microsoft.
But Microsoft had to admit that professional hackers sponsored by China were able to penetrate some private and business mailboxes on Exchange Online and Outlook.com. 25 organizations were affected, including the U.S. State Department. No one at Microsoft noticed; only at the U.S. State Department did someone spot an unusual action in the log files (see my blog post China hacker (Storm-0558) accessed Outlook accounts in Microsoft's cloud as well as the follow-up post Follow-up to the Storm-0558 cloud hack: Microsoft is still in the dark). By then, however, the attackers had already been inside Microsoft's infrastructure and its customers' environments for some time.
What was revealed there is mind-blowing: the suspected Chinese hackers of the Storm-0558 group were able to generate security tokens for Exchange Online and Outlook.com using a private MSA key they had somehow obtained, and then walk unhindered into the desired mailboxes to help themselves. Microsoft finally admitted this, wrapped in a lot of text.
But the evil saga unfortunately continues. Security researchers at Wiz, after analyzing the case and the known keys, have made public that the incident was much more explosive than Microsoft admitted. The gist of Wiz's findings is that the Chinese threat actor Storm-0558 obtained an AAD key that could be used to forge AAD tokens for all Azure customer applications and services.
This means that virtually the entire Microsoft cloud must in principle be considered compromised. Ultimately, the conclusion would now have to be "throw this stuff out, the provider is not reliable because it has had the central key with access to everything stolen". Currently, no one is really raising this issue because everyone is somehow dependent on Microsoft's cloud. And Microsoft is currently generating a lot of paper to distract from the above incident and to show "we are doing something". The fact that the incident reveals a massive failure of Microsoft's organizational structures with regard to cloud security has so far only been raised by US Senator Ron Wyden in this letter (PDF) to Attorney General Merrick Garland (DOJ), Federal Trade Commission (FTC) Chairwoman Lina Khan, and Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly.