Microsoft has published a playbook on how to deal with suspected theft of an Azure cloud access token. It is intended to help Azure users determine whether their organization has been affected by token theft and whether backdoors or compromised access exist in their Azure AD.
The playbook (German language version) describes how to configure Microsoft Sentinel or another SIEM (Security Information and Event Management) tool so that all relevant events and log entries converge there and unusual activity in the areas of identities, sign-in and audit logs, Office apps and devices can be recognized. It gives numerous tips on how to recognize a compromise and, if necessary, contain it, as well as measures to restore a secure state. The playbook is accompanied by a schematic representation of the procedure.
The release of the playbook comes after it became known a few weeks ago that attackers from China had accessed Exchange Online accounts of government agencies using forged access tokens for the Azure cloud. It turned out that the attackers apparently stole a powerful master key for large parts of the Microsoft cloud, which potentially also gives them access to other organizations and services in Azure. So far, however, the exact extent is unclear, also because Microsoft has released little information about the incident.
A few days ago, Jürgen Schmidt from heise Security summarized the current state of knowledge and the many unanswered questions about Microsoft’s stolen key. Together with the heise Security Pro community, he developed a list of questions that Azure users can ask Microsoft.