Stolen Microsoft Key: An Open Door to Malicious SaaS Apps?

Recently, Microsoft disclosed a Chinese hacker group had compromised a low-level encryption key within Microsoft’s Azure Active Directory infrastructure. While Microsoft has since resolved the situation, the implications are far-reaching, giving companies reason to reevaluate their SaaS app’s security strategy. Let’s see why.

The explosion of SaaS apps

There is no question that organizations today are using SaaS applications more than ever. Most businesses have at least a handful of SaaS apps, with some organizations having dozens or hundreds of SaaS applications used by various parts of the business. However, it also means companies entrust their underlying infrastructure security with the SaaS vendor.

The Stolen Microsoft Key: What Happened?

The security community was recently alerted to a compromised encryption key (compromised MSA key) within Microsoft’s Azure Active Directory applications. 

Uncovered by a Wiz security researcher, Chinese hackers managed to forge access tokens, leading to potential widespread access to various resources, including authentication with Microsoft’s OpenID v2.0 (personal accounts, Xbox, etc), Microsoft cloud email accounts, Exchange Online email accounts, and other Microsoft apps.

In a world driven by cloud services and SaaS applications, it gives pause to the notion that a SaaS vendor’s security is impenetrable. As more organizations continue to leverage SaaS apps, attackers are concentrating more of their time and effort on compromising cloud infrastructure.

The Azure Response

Microsoft revoked the compromised key and urged customers to review their cloud security logs. In collaboration with the Wiz security team, the Azure security team implemented new software to mitigate the threat, focusing on multi-factor authentication, security policies, and cleaning local certificate stores.

While Microsoft’s response was swift, it sheds light on the potential dangers of the underlying authentication technologies of the cloud and on the dangers of persistence after compromise.

Access Tokens: The Hidden Risk 

Access tokens are the “magic” behind SaaS authentication. Instead of a user being prompted to log in with each new page they visit, tokens are generated after authentication that encapsulates the authentication and authorization information of the user. While relatively secure, if compromised, they grant an attacker carte blanch access to everything the user can access.

The stolen Microsoft key allowed malicious actors to forge tokens and steal data from dozens of organizations. The cached keys provided a pathway to deploy backdoors and even establish persistence within systems. Access tokens become tools to gain unauthorized entry into SaaS environments in the wrong hands.

Are compromised tokens a real problem?

Take note of the following recent examples of token theft and how these led to major data breach events:

CircleCI – In a significant incident that occurred from December 16, 2022, to January 4, 2023, CircleCI, a software development platform, faced a security breach. The breach happened when an employee’s laptop became infected with malware, leading to the theft of session tokens. These tokens allowed the cybercriminals to mimic the employee’s identity, gaining unauthorized entry into CircleCI’s production systems.

Contained within these systems was sensitive client information, including encryption keys and secret codes. Despite the data being safeguarded through encryption, the criminals also managed to acquire the encryption keys, granting them the ability to decrypt the information. This security incident enabled unauthorized access to several customers’ systems. In response, CircleCI has guided its clients to implement measures to defend against further unauthorized access and has bolstered its internal authentication procedures.

GitHub – In a separate incident dating back to December 2022, GitHub detected unauthorized intrusion into multiple repositories, traced to a compromised Personal Access Token (PAT) associated with a machine account. It included a collection of encrypted code signing certificates. Though there was no substantiated evidence to show the attackers had succeeded in decrypting or utilizing these certificates, had they been decrypted, the culprit could have used them to authenticate unofficial applications as if GitHub had officially produced them. To counteract this potential threat, GitHub invalidated the exposed certificates, which also invalidated specific versions of GitHub Desktop for Mac and Atom. Users had to update their applications to avoid any interruptions in their daily operations.

Slack – In late December 2022, Slack detailed a security incident when malicious actors obtained access to some of its private GitHub repositories. The criminals achieved this through the theft of a number of Slack employee tokens, using them to infiltrate the repositories. Fortunately, Slack’s main codebase and client information remained untouched by this violation. Taking corrective action, Slack voided the compromised tokens. 

Gateway to malicious SaaS apps

Even though Microsoft has remediated the initial risk of the compromised key, organizations must give attention to their SaaS applications. Why? When environments were exposed, attackers could have potentially established rogue SaaS applications using the compromised tokens, leading to persistence in the environment.

SaaS applications are one of the features of the cloud, allowing organizations to extend the functionality of the cloud with legitimate third-party applications. These can be a double-edged sword when it comes to security.

However, rogue or malicious SaaS apps can expose, exfiltrate, delete, or encrypt critical and sensitive cloud data, leading to data breaches and other types of compromise.

Government Agencies and SaaS Security Risks

The incident has drawn the attention of government agencies worldwide, stressing the importance of SaaS security, regulatory compliance, and data security within public cloud infrastructure. SaaS and cloud service providers must adhere to industry standards to protect sensitive data.

As more government agencies also use cloud services and SaaS apps, nation-state attacks will increasingly target cloud infrastructure, potentially leading to data breaches and other compromises.

SaaS security reminders and best practices

The compromised key scenario is a stark reminder for SaaS providers, vendors, and customers of SaaS services to prioritize security. Enforcing security requirements in the ever-evolving landscape of SaaS solutions is vital. Here are some key takeaways:

• Security Teams & Measures: Security teams must stay vigilant to detect and respond to security breaches. The need for solid security measures, such as access management, cannot be overstated.
• Customers & Data: Protecting customer data should be paramount for every SaaS provider. Breaches can result in significant reputational damage and legal consequences.
• Multi-Tenant Applications & Azure Active Directory: Managing security in multi-tenant applications, such as Azure Active Directory, involves meticulous planning. Organizations must safeguard their own environments to prevent unauthorized access.

Other best practice security recommendations include the following:

• Monitor for Suspicious Activity: Regularly review application-specific logs, authentication attempts, and any activity originating from suspicious IP addresses.
• Implement Multi-Factor Authentication (MFA): Employing MFA adds a layer of security, making it more difficult for malicious actors to forge access tokens and gain unauthorized access.
• Use Encryption and Secure Keys Management: Regularly review and update encryption keys and avoid using cached versions of public certificates. Store keys securely in local certificate stores.
• Work with Trusted SaaS Providers: Collaborate with SaaS providers that follow industry security and data protection standards.
• Educate Employees and Security Teams: Train your staff on the latest threats, such as phishing attacks that might aim to steal data or compromise email accounts. Regularly update your security teams on new threats and best practices.
• Regular Security Audits: Conduct periodic security assessments to detect vulnerabilities and ensure adherence to security policies and regulatory compliance.
• Implement Role-Based Access Control (RBAC): Restrict access rights to those who need them, limiting the potential for widespread access to sensitive data.
• Use Security Monitoring Tools to detect security breaches, compromised MSA keys, and any unauthorized or unusual behavior within SaaS applications.
• Coordinate with Cloud Service Providers: Work closely with providers like Microsoft to stay updated on security incidents, compromised keys, and recommended measures.
• Have an Incident Response Plan: Prepare a detailed response plan for various security scenarios, such as data breaches or malware infections, and practice it regularly.
• Utilize Endpoint Security Solutions: Protect end-user devices with comprehensive security solutions to prevent unauthorized access or potential backdoors.
• Reinforce Email Security: Enhance the security of Exchange Online email accounts, Outlook web access, and other online email accounts through strong authentication and monitoring.
• Control which SaaS applications are used – Make sure your organization has visibility and controls in place to enforce which SaaS applications can be used in the environment.

Lessons from the Compromised Key

The stolen Microsoft key incident serves as a wake-up call. It underscores the risks of malicious SaaS applications and the challenges of securing widespread access in a world reliant on cloud technologies.

While this incident is still under investigation, the immediate lessons are clear. It calls for enhanced security practices, awareness of the risks associated with access rights, forged tokens, malicious SaaS apps, and a commitment to data breach prevention.

The road ahead will involve learning from security incidents, embracing industry standards, and working collaboratively across various sectors to build a secure, resilient digital world.

How Spin.ai Protects Organizations Against Rogue and Potentially Malicious SaaS Applications

Businesses need a robust defense strategy in the complicated world of SaaS security, where compromised keys and malicious SaaS applications can wreak havoc. Spin.ai provides organizations with solutions to tackle the risks of rogue SaaS apps.

Note the following features and capabilities offered by Spin:

• Real-Time Monitoring and Threat Detection: Spin.ai employs advanced algorithms to monitor user activities and detect unusual behavior continuously. This proactive approach enables organizations to identify potential threats before they escalate.
• Data Loss Prevention (DLP): With its DLP capabilities, Spin.ai ensures that sensitive data remains within the controlled environment, helping to prevent accidental or intentional leakage. This is vital for compliance with industry regulations and the protection of customer data.
• Proactive Ransomware Protection: The platform automates incident response, allowing organizations to respond promptly and minimize the impact. This response includes automated alerts and pre-defined response actions tailored to specific threats. The proactive Ransomware Protection module proactively responds to and stops a ransomware attack in your SaaS environment.
• Multi-Factor Authentication Support: Recognizing the importance of robust authentication methods, Spin.ai supports implementing multi-factor authentication, adding an extra layer of security against unauthorized access.
• Third-party application control: The Spin solution provides visibility and control over third-party apps and browser extensions used in the SaaS environment, helping to close the gap on the large security risk posed by SaaS apps.

Spin scrutinizes app extensions using the following metrics:

• Over 15+ features are considered for each detected SaaS application
• Access is provided to a database encompassing 300,000+ apps and extensions identified by AI algorithms
• SpinApps furnishes an easy-to-understand assessment with the option to delve deeper into each application’s potential business, security, or compliance risks
• A detailed and user-friendly scoring system (ranging from 0 to 100) is provided for SecOps teams to pinpoint the riskiest applications

SpinApps empowers admins to make well-informed decisions based on Spin.AI’s machine-learning platform, continually scanning and assessing SaaS application risks in the environment.If you would like to speak with a Spin Solution Engineer to learn how SpinOne can protect your environment from malicious cloud SaaS apps, click here to schedule a demo: Request a Demo of SpinOne.

FAQ