Investigating Storm-0558 security issue?

Question

For those that've heard, any idea how we can investigate tokens?

https://www.wiz.io/blog/storm-0558-compromised-microsoft-key-enables-authentication-of-countless-micr article advises to:

Examine suspicious authentication attempts via OpenID tokens signed by the compromised key. This can be done by unpacking the access tokens used against the application and searching for the string 1LTMzakihiRla_8z2BEJVXeWMqo within the kid field of the JOSE Header.

We have identified potentially affected apps so that's a first step.

Thanks for your input.

gohulan · Answer

As customers using enterprise applications or app registrations, your control over the app's internal security mechanisms might be limited. In such cases, the responsibility for implementing remediation measures generally falls on the app developer or the service provider offering the application.

gohulan · Answer

Examine suspicious authentication attempts using OpenID tokens signed by the compromised key. To do this, unpack the access tokens used against the application and search for the string "1LTMzakihiRla_8z2BEJVXeWMqo" within the "kid" field of the JOSE Header.

markuslosco · Answer

Gohulan&nbsp;"To do this, unpack the access tokens used against the application and search for the string" &gt;&nbsp;can you give me more details what should i do like a&nbsp;Azure CLI command or something?

colonel_claypoo · Answer

The more I read about it the more I get the hunch that remediation steps can only be carried out on the app developer's side. We are customers using this, for the most part, enterprise applications/app registrations. Don't if we can do anything here at all. What do you think?

markuslosco · Answer

Here a short overview (azure cli):1.) create the listaz ad app list --filter "(signinaudience eq 'AzureADMultipleOrgs' or signinaudience eq 'AzureADandPersonalMicrosoftAccount' or signinaudience eq 'PersonalMicrosoftAccount')" --query "[?id].{AppName:displayName, AppID:appId, ObjID:id, HomePageURL:web.homePageUrl}" 2.) create the&nbsp;WebApps Listaz ad app list --filter "(signinaudience eq 'AzureADMultipleOrgs' or signinaudience eq 'AzureADandPersonalMicrosoftAccount' or signinaudience eq 'PersonalMicrosoftAccount')" --query "[?web &amp;&amp; web.homePageUrl &amp;&amp; contains(web.homePageUrl, 'azurewebsites.net')].{AppName:displayName, AppID:appId, ObjID:id, HomePageURL:web.homePageUrl}"3.) az ad app credential reset --id &lt;appid&gt; --append4.) az login --service-principal -u &lt;appid&gt; -p &lt;clientsecret&gt; --tenant &lt;tenantid&gt;5.) sometimes a Application ID URI needs to create..Azure Active Directory → App registrations → {your app} → Expose an API → Add "Application ID URI"6.) az account get-access-token --resource api://&lt;Application ID URI&gt;7.) Last go to this site and c&amp;p your token https://jwt.io/8.) check your kid field&nbsp;sometime the cli need some times 😉

Forum Discussion

Investigating Storm-0558 security issue?

5 Replies

Resources