The Microsoft Azure Attack on AM1280 The Patriot with Brad Carlson, Sunday, August 13, 2023

Listen to the interview.

We should pay more attention to this. Get past the tech language. In plain English, the Chinese found a way to impersonate anyone who uses the Microsoft Azure cloud. This isn’t just mom and pop doing Hotmail. This is government agencies, Fortune 500 businesses, and lots of other important organizations. For a while, the Chinese were able to impersonate anyone they wanted. I don’t need to spell out the potential consequences, do I?

When somebody wants to authenticate with Azure, say, when a website prompts with “Login with Microsoft,” after Azure validates the user’s credentials, it sends a string back to the user’s app called a token. But how does Microsoft ensure that users can trust the Azure identity management module that generates the tokens? It seems Microsoft signs those modules with a few special private keys, called signing keys.

If an attacker were to get their hands on one of these signing keys, they could generate tokens to impersonate anyone. And that’s what the Chinese did in early 2023. The Chinese also exploited a bug: a token signed with a personal-account signing key was accepted for enterprise accounts too, so whoever held such a key could impersonate anyone from an enterprise account as well.

So now, a Chinese attacker could use a mom and pop Hotmail account token to impersonate, say, the US State Department.
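An added illustration of the validation flaw described above (example code, not from the interview and not Microsoft’s own): one validator looks a token’s key id up in a single merged key set, the other picks the key set from the token’s issuer first. Key ids, key bytes and issuer URLs are made up, and a standard-library HMAC stands in for the real asymmetric signing keys.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample key sets: key ids, key bytes and issuer URLs are placeholders.
# The real service publishes asymmetric keys via JWKS; HMAC is used here only so the
# example runs with the standard library. What matters is WHICH key set a validator
# consults for a given issuer, not the signature algorithm.
CONSUMER_KEYS = {"msa-key-1": b"consumer-signing-key-bytes"}
ENTERPRISE_KEYS = {"aad-key-1": b"enterprise-signing-key-bytes"}
CONSUMER_ISSUER = "https://login.example/consumers"
ENTERPRISE_ISSUER = "https://login.example/enterprise-tenant"

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(claims, kid, key):
    """Build a compact JWT-style token header.payload.signature with the given key."""
    header = _b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def _verify_with(token, keys):
    """Verify the signature against exactly `keys`; return the claims or None."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    key = keys.get(json.loads(_b64url_decode(header_b64)).get("kid"))
    if key is None:
        return None
    signed = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(payload_b64))

def verify_flawed(token):
    """Bug pattern: one merged key set, so any trusted key validates any issuer."""
    return _verify_with(token, {**CONSUMER_KEYS, **ENTERPRISE_KEYS})

def verify_fixed(token):
    """Pick the key set from the issuer claim first, so a consumer-account key can
    never validate a token that claims an enterprise issuer."""
    issuer = json.loads(_b64url_decode(token.split(".")[1])).get("iss")
    keys = {ENTERPRISE_ISSUER: ENTERPRISE_KEYS, CONSUMER_ISSUER: CONSUMER_KEYS}.get(issuer, {})
    return _verify_with(token, keys)
```

The detection lesson is the same one the post makes about logging: a validator that records which key id and issuer it accepted for each token is the only place this mismatch can be seen after the fact.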

The US Government informed Microsoft about the problem, and Microsoft invalidated those keys and offered an early blog post on the attack. But the Microsoft blog post only addressed email. Researchers dug deeper and found the attack enabled imposters to access anything that used Azure authentication.

As of mid-August 2023, nobody knows how the Chinese got their hands on this powerful signing key. Or maybe Microsoft knows, but is not talking. Naturally, this made the community and powerful customers, including key people inside the US Federal Government, mad.

Wonderful. So, how does an Azure customer find out if somebody attacked them? Well, only customers who paid extra for more features have that ability. Regular customers have no way to capture the necessary logging info. But not to worry. Microsoft says it will generously offer free logging for everyone using its cloud, starting in September 2023.

Way to close the barn door after the horses already escaped, guys.

So, how does Microsoft earn back its trust? Embrace open. For people who don’t like technology words, embrace transparency. Yeah, good luck with that.

Watch the unedited Facebook Live recording.