What can I do to detect a stolen Microsoft Azure Access Key?

Christopher Knöll
7. August 2023

After one week of the most problematic security reports in the history of the public cloud provider Microsoft Azure, Microsoft has now published its first detection and response capabilities for its own Azure SIEM, Sentinel, and for third-party SIEM systems, so that organisations can detect compromised access keys.

What has happened?

Chinese hackers are suspected of accessing government Exchange Online accounts using fake Azure cloud access tokens.

It turns out that the attackers apparently stole a powerful master key for large parts of the Microsoft cloud, potentially allowing them to access other organizations and services in Azure.

Why is it problematic?

This master key is an OpenID signing key for Azure Active Directory (AAD), Microsoft’s cloud directory service. This signing key could be used to create access tokens for user accounts of almost all Microsoft cloud services.

What can I do to protect my organisation?

My colleague Anas from Copitos describes in detail what countermeasures can be put in place to detect an access key that may have been created and signed by the compromised, now deactivated Microsoft Azure master key.

Who can help me to implement these detections?

Our evoila Security Team and Managed Service Team are happy to help if you need guidance in implementing the Microsoft playbook to detect compromised Microsoft Azure access keys. We provide consulting on SOC and SIEM implementations. Find out more on evoila.com