Stolen Master Key: Microsoft's silence in its key role as a hyperscaler is disturbing


In today's digital age, the security of corporate data is paramount. Recent revelations about Microsoft's stolen master key underscore the vulnerabilities that even the biggest tech giants can face. Many organisations face the challenge of choosing the right cloud strategy to protect their sensitive data. In this article, we explore why a hybrid cloud strategy is often the most secure and efficient solution.

Recent public cloud security incidents highlight the risks. In particular, large cloud providers such as Microsoft, AWS and Google are increasingly attracting cyber attackers due to their market dominance and reach. The reason lies in the attractiveness of the target: the larger and better known the service provider, the more worthwhile it is for cybercriminals, as a successful attack on such a platform potentially offers access to an enormous amount of data and resources. Furthermore, because of the large number of customers, such incidents can have far-reaching consequences, affecting many organisations and individuals at once. This should give organisations pause, especially when considering where and how they store and process their sensitive data. We will discuss these risks in detail and show why they should be a key concern for organisations.

In contrast, the hybrid cloud offers a combination of public and private clouds that combines the best of both worlds. It combines the scalability of public clouds with the security and control of private clouds. There is a particular focus on local cloud providers such as Naveum. These can often offer a more secure solution tailored to the needs of the end customer, especially in the area of dedicated private clouds and for particularly sensitive data.

Disclosure of security vulnerabilities in public clouds and major cloud providers

Public clouds, particularly those from market leaders such as Microsoft, AWS and Google Cloud, are widely used in the modern business world. Their appeal lies in their ability to help organisations efficiently host their applications and data while realising economic benefits.

However, recent security incidents have raised concerns about the reliability of public cloud solutions and major providers. Such incidents underline the importance of transparent communication from the cloud provider, fast response times and a direct point of contact for enterprises. While hyperscalers certainly have their advantages, a local cloud provider can provide exactly what is needed to deliver a world-class, customised service.

In June 2023, Microsoft was alerted by a government agency to unusual activity in its Exchange Online accounts. Investigations revealed that there had been unauthorised access to emails, indicating a serious fault at Microsoft. Apparently, a very important master key had been stolen from Microsoft, allowing the attackers to gain access.

Only two months later, in August, Intel announced a significant vulnerability in its CPUs. This vulnerability makes it possible to read sensitive information belonging to other users via shared resources in the public cloud. Such vulnerabilities are particularly significant in environments where hardware resources are shared between many users, as is the case with large cloud providers on public cloud infrastructures.

These incidents highlight the importance of choosing a cloud provider that provides transparent information, direct contact and the ability to respond quickly to security concerns. Local cloud providers give end users, resellers and MSPs a distinct advantage through tailored services, personal support and close partnerships.

Microsoft and the Stolen Key: A Troubling Silence

The Washington Post published a report in July about successful hacking attacks on the email accounts of some government agencies in Western Europe. Microsoft attributed the incident to the activities of the Chinese hacker group Storm-0558, but did not disclose the full extent of the damage. It is now clear that the hackers were able to access more than just emails. The real breakthrough came with a cryptographic key that wasn't just for Outlook.

According to Microsoft, Chinese attackers known as Storm-0558 gained access to Microsoft-hosted Exchange Online mailboxes, primarily those of government agencies but also of other companies. Investigations revealed that Storm-0558 had access to up to 25 organisations in Microsoft's public cloud as of 15 May 2023.

The attackers achieved this by using a stolen signature key to issue themselves with working access tokens for Outlook Web Access (OWA) and Outlook.com. This allowed them to access emails and their attachments.

Even a month later, Microsoft has been unwilling or unable to explain in detail how this theft could have taken place. Nor does the company adequately explain why the tokens issued with the stolen signing key worked at all: a validation error meant that tokens signed with a key intended only for consumer accounts (MSA) were also accepted by Azure Active Directory (AAD) for business customers. To make matters worse, Microsoft appears to be deliberately avoiding explicitly naming the products affected by this security and privacy disaster.
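The validation error described above is easiest to understand with a small token verifier. The following is an added illustration written for this article, not Microsoft's code and not a reconstruction of its internals: it uses a constructed key set with two signing keys, one scoped to a consumer issuer and one to an enterprise issuer (both hypothetical URLs), and HMAC-SHA256 as a stand-in for the RSA signatures real OpenID providers use. The naive verifier checks only that the signature matches some key in the merged key set, so a token signed with the consumer key is accepted for the enterprise audience; the strict verifier additionally binds the key to its issuer and checks `iss`, `aud` and `exp`.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed key set for the illustration: each signing key records the
# issuer it is scoped to. Secrets and issuer URLs are made up.
KEYSET = {
    "consumer-kid-1": {"secret": b"consumer-signing-secret", "issuer": "https://consumer.example/"},
    "enterprise-kid-1": {"secret": b"enterprise-signing-secret", "issuer": "https://enterprise.example/"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, kid: str) -> str:
    """Build header.payload.signature with the key identified by kid."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(KEYSET[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def _split(token: str):
    h, p, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), f"{h}.{p}", _b64url_decode(s)


def _signature_ok(key: dict, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(key["secret"], signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def verify_naive(token: str) -> Optional[dict]:
    """Signature-only check against the merged key set: any known key is accepted,
    regardless of which issuer that key was meant to sign for."""
    header, claims, signing_input, sig = _split(token)
    key = KEYSET.get(header.get("kid"))
    if key is None or header.get("alg") != "HS256":
        return None
    if not _signature_ok(key, signing_input, sig):
        return None
    return claims


def verify_strict(token: str, expected_issuer: str, expected_audience: str,
                  now: Optional[float] = None) -> Optional[dict]:
    """Signature check plus binding of the key's scope to the expected issuer,
    and validation of the iss, aud and exp claims."""
    now = time.time() if now is None else now
    header, claims, signing_input, sig = _split(token)
    key = KEYSET.get(header.get("kid"))
    if key is None or header.get("alg") != "HS256":
        return None
    if not _signature_ok(key, signing_input, sig):
        return None
    if key["issuer"] != expected_issuer:  # key belongs to a different issuer: reject
        return None
    if claims.get("iss") != expected_issuer or claims.get("aud") != expected_audience:
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


def demo() -> dict:
    """Compare both verifiers on a token signed with the consumer-scoped key
    but carrying enterprise claims, and on a legitimately signed token."""
    now = 1_700_000_000
    enterprise = "https://enterprise.example/"
    claims = {"iss": enterprise, "aud": "mail-api", "sub": "some-user", "exp": now + 3600}
    wrong_scope = sign_token(claims, "consumer-kid-1")
    legit = sign_token(claims, "enterprise-kid-1")
    return {
        "naive_accepts_wrong_scope": verify_naive(wrong_scope) is not None,
        "strict_rejects_wrong_scope": verify_strict(wrong_scope, enterprise, "mail-api", now=now) is None,
        "strict_accepts_legit": verify_strict(legit, enterprise, "mail-api", now=now) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The point for a defender is the `key["issuer"] != expected_issuer` line: a key set that merges keys from several issuers is only safe if every verifier also checks which issuer each key is allowed to sign for. Algorithm pinning (`alg` must be the expected value) and the `aud`/`exp` checks close the other common token-validation gaps.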

In a post from 11 July 2023, Microsoft claimed to have successfully repelled the attack. The use of tokens issued with the stolen MSA key has been blocked and the key has been replaced. More detailed information about the attack can be found here.

Further consequences and questions due to the Microsoft incident

The security company Wiz published an analysis, suggesting that the recently stolen Microsoft key may have acted as a kind of "master key" for almost all Microsoft cloud services. According to Wiz, the key could have been used not only to access Exchange Online, but also other services such as SharePoint, Teams and even customer apps that use “Login with Microsoft”.

While Microsoft has taken steps to block the key and mitigate the threat, it has released little information about the incident or its exact impact.

Wiz claims that the stolen key was an OpenID signing key for Azure Active Directory (Azure AD). This would have made it possible to create access tokens for almost all Microsoft cloud services. It's unclear how extensive the damage is, and Microsoft has described the claims as "largely speculative" without providing further details.

The analysis raises questions about Microsoft's transparency and security practices. It emphasizes that customers should demand more transparency and concrete support from Microsoft in checking for possible unauthorized access. Indeed, Microsoft announced in July that it would make some security tools, such as back-end logging systems, available to all of its business customers free of charge so that they can detect unauthorized access more quickly.

Political consequences for Microsoft

The incident did not only shock the IT world. US Senator Ron Wyden was also outraged and wrote a formal letter to various US authorities, including the FTC, CISA and the Department of Justice, calling on them to take action against Microsoft. This reflects significant concern at the government level and could also mean legal consequences for Microsoft.

The senator emphasizes that Microsoft bears “significant responsibility” for the incident. Among other things, he calls for the Cyber Safety Review Board to investigate the case and for the Justice Department to examine whether Microsoft's actions may have violated federal law.

Security in the Cloud: A Complex Challenge

While absolute security in the digital world remains an illusion, with the right approaches we can minimize risk and protect our data. The hybrid cloud, a symbiosis of public and private cloud services, emerges as a potent solution here.

A hybrid cloud strategy combines the advantages of private and public clouds, offers flexibility and cost efficiency through on-demand scaling, and ensures greater security by placing critical data in private environments.

What is a hybrid cloud strategy?

A hybrid cloud strategy refers to the integrated use of both private and public cloud resources to optimally meet a company's IT needs. This combination allows organizations to benefit from the flexibility, scalability and cost-effectiveness of the public cloud while leveraging the increased control and security of the private cloud for sensitive or mission-critical applications. This strategy allows companies to move their workloads between cloud environments as required and needed, providing a high level of agility and adaptability in an ever-changing digital landscape.

Security benefits of a hybrid cloud strategy

Choosing a hybrid cloud strategy offers several security advantages over a public cloud solution:

Advanced control over data: With a hybrid cloud, companies have the flexibility to store their most sensitive data and applications within a private cloud or on their own servers. This protects them from the risks associated with storage in an external environment shared with multiple customers.

Tailored security protocols: The hybrid cloud allows companies to implement specifically tailored security policies and mechanisms for their private cloud part. This means that you are not solely dependent on the standard security offerings of a public cloud provider.

Meeting compliance requirements: The ability to store data locally in a private cloud makes it easier for many companies to adhere to industry-specific regulatory standards and data storage laws.

Individual network security: Companies using a hybrid cloud can implement tailored network security solutions, such as special firewalls or intrusion detection systems, to optimally monitor and control data traffic to their private cloud.

Dedicated support: Many private cloud solution providers offer dedicated support and tailored service level agreements (SLAs) to ensure specific business needs are met.

Flexibility and scalability: Companies can tailor their cloud environment to precisely meet their business needs and scale quickly when needed.

Performance stability: Since resources are not shared with other users, companies can expect consistent system performance and responsiveness.

Overall, the hybrid cloud strategy offers companies greater and more flexible control over their data and security practices. It combines the best of both worlds – the tailored security solutions of the private cloud and the advantages of the public cloud – giving companies a stronger tool to protect themselves against current and future threats.

The high level of control, security and adaptability that the private cloud brings makes it particularly attractive as a complement to the public cloud for companies that have specific IT requirements or operate in highly regulated industries.

Keep your sensitive data safe

In a world where cybersecurity is more of a focus than ever, incidents like Microsoft's stolen master key pose a serious threat to businesses. Choosing a private cloud solution from an on-premises provider can make a difference.

With our Managed VMware Cloud Stack (MVCS), customers not only receive a cloud solution, but also a high-performance infrastructure tailored specifically to their needs. This dedicated environment ensures that companies maintain full control over their data and can rely on tailored security mechanisms.

By choosing MVCS private cloud solutions, companies are optimally prepared against future security incidents while ensuring smooth, reliable operations. It's not just a question of technology, but also of trust in a provider who knows and understands local conditions. With such a solution, companies can be sure that their critical data and applications are protected in the best possible way.
