Storm-0558 - Millions of Azure AD Apps Affected

Affects:

Severity: HIGH

Productivity Impact: HIGH

Fix Estimate: Unknown

Research:

https://www.wiz.io/blog/storm-0558-compromised-microsoft-key-enables-authentication-of-countless-micr

Summary:

The Storm-0558 breach allows Chinese advanced persistent threat (APT) actors to access Microsoft cloud services, forge authentication tokens, and potentially compromise sensitive information in email accounts and other applications.

Remediation details

If you allow the "Log in with Microsoft" feature in your organisation, you may be vulnerable to an authentication bypass, which could lead to account takeover by the APT perpetrators.

Checking whether you may be vulnerable is an advanced task: Microsoft has fixed the issue in a new Azure App SDK that handles authentication, but you may still be vulnerable with older apps and with apps that had certain settings embedded when they were created.

Wiz (a cybersecurity company) has provided the following guidance on what they believe is a common attribute of apps vulnerable to this threat:

Any Azure Active Directory application that supports “Personal Microsoft accounts only” and works against Microsoft’s v2.0 protocol was affected. This includes managed Microsoft applications, such as Outlook, SharePoint, OneDrive, and Teams, as well as customers’ applications that support Microsoft Account authentication, including those who allow the “Login with Microsoft” functionality.

The image below illustrates the settings that are affected when the app is created:

Wiz - The risks of compromised OpenID signing key


Overe's recommendation is to closely monitor for activity listed by Microsoft here, which may be difficult without advanced security expertise:

https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/#:~:text=Indicators%20of%20compromise

We expect Microsoft to implement further protection that limits your exposure, but in the meantime, as a good cyber-hygiene measure, you can review the apps in your Microsoft Azure (Entra) environment and delete the ones you have assessed are no longer used:

https://entra.microsoft.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview?Microsoft_AAD_IAM_legacyAADRedirect=true
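To support the review described above, the following is an added example, not code from Overe, Wiz or Microsoft. It assumes the Microsoft Graph PowerShell SDK is installed and that the account running it has the Application.Read.All permission. It lists every app registration in the tenant whose sign-in audience is "Personal Microsoft accounts only" (the Graph property signInAudience with the value PersonalMicrosoftAccount), which is the attribute Wiz names for affected apps, and separately reports apps that accept personal accounts alongside work accounts so they can be reviewed too. The accepted access token version is included as informational context for the "v2.0 protocol" part of the guidance; the script does not determine by itself whether an app is compromised.

```powershell
# Added example (not Overe's, Wiz's or Microsoft's code): enumerate Entra ID app
# registrations by sign-in audience so the ones matching Wiz's description can be
# reviewed, and unused ones removed, as the remediation text suggests.
# Assumes: Microsoft.Graph module installed (Install-Module Microsoft.Graph) and a
# signed-in administrator with Application.Read.All.
Connect-MgGraph -Scopes "Application.Read.All"

# Pull every app registration with only the properties this review needs.
$apps = Get-MgApplication -All -Property "id,appId,displayName,signInAudience,createdDateTime,api"

$flagged = foreach ($app in $apps) {
    # signInAudience values: AzureADMyOrg, AzureADMultipleOrgs,
    # AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount.
    # Only the last one is "Personal Microsoft accounts only"; apps that also
    # accept personal accounts are reported for manual review rather than flagged.
    $reason = switch ($app.SignInAudience) {
        'PersonalMicrosoftAccount'           { 'Personal Microsoft accounts only (matches Wiz guidance)' }
        'AzureADandPersonalMicrosoftAccount' { 'Also accepts personal Microsoft accounts (review)' }
        default                              { $null }
    }
    if ($reason) {
        [pscustomobject]@{
            DisplayName        = $app.DisplayName
            AppId              = $app.AppId
            SignInAudience     = $app.SignInAudience
            # requestedAccessTokenVersion 2 means the app's exposed API expects
            # v2.0 tokens; $null or 1 means v1.0. Informational only.
            AccessTokenVersion = $app.Api.RequestedAccessTokenVersion
            Created            = $app.CreatedDateTime
            Reason             = $reason
        }
    }
}

$flagged | Sort-Object SignInAudience, DisplayName | Format-Table -AutoSize

# Keep a copy for the "still in use?" assessment before deleting anything.
$flagged | Export-Csv -Path .\personal-account-apps.csv -NoTypeInformation
```

The CSV gives you a working list for the review step: each flagged app should be checked with its owner for whether it is still in use before it is deleted from the Entra portal linked above, and the monitoring of Microsoft's published indicators of compromise should continue regardless of the result.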

It is important to note that the Overe Microsoft App is not affected by this issue. Our Overe "Premium" service will also be able to detect these threats in future.

This Threat Is Automatically Protected By Overe Protect
