A recent post-mortem report published by Microsoft has shed light on how a Chinese hacker group known as Storm-0558 breached European government emails. The group utilized a forged authentication token and an acquired Microsoft account (MSA) consumer signing key to carry out the attack. This incident, which occurred in July 2023, has raised concerns about the vulnerability of government organizations and the need for enhanced cybersecurity measures.
According to Microsoft, the Chinese hackers obtained the MSA consumer signing key from a crash dump. The key, which was accidentally leaked during a computer crash in April 2021, allowed the hackers to forge tokens for Outlook.com and Outlook Web Access. Enterprise systems then accepted these forged tokens, granting the hackers access to email accounts of approximately 25 US organizations, including government agencies.
The security flaw that enabled this breach was a result of a race condition that occurred during the crash. The crash dump, which is intended to redact sensitive information, failed to remove the signing key in this instance. Microsoft acknowledged that the dump should not have included the key in the first place. This oversight allowed the unredacted file to be automatically passed to an internet-connected Microsoft computer used for debugging, compromising the security mechanisms that would have otherwise protected the key.
While Microsoft has fixed the bugs that enabled this breach, the company is still investigating how the Chinese threat actors gained access to the key in the first place. It is suspected that the group had access to a compromised Microsoft engineer’s corporate account, which provided them with the necessary access to the debugging environment where the crash dump was present.
It is important to note that the stolen signing key was designed for consumer Microsoft accounts and could not be used for enterprise accounts. However, Microsoft’s failure to update a critical software library allowed the hackers to exploit this discrepancy. The mail system developers assumed that the libraries performed complete validation, but the libraries did not carry out the necessary issuer/scope validation. As a result, the mail system accepted requests for enterprise email using a security token signed with the consumer key.
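As an added illustration, not code from Microsoft or from the report, the following Python sketch contrasts a validator that trusts any valid signature from any known key with one that also binds each signing key to the issuer it is allowed to vouch for and checks issuer, audience and expiry. The key names, issuer URLs, secrets and the HMAC scheme are all constructed for the example; the real MSA and Azure AD keys are RSA keys.

```python
import base64, hashlib, hmac, json, time

# Constructed key store: each key is bound to the issuer(s) it may vouch for (real keys are RSA).
KEYS = {
    "msa-consumer-key": {"secret": b"consumer-secret",
                         "issuers": {"https://login.live.com"}},
    "aad-enterprise-key": {"secret": b"enterprise-secret",
                           "issuers": {"https://login.microsoftonline.com/contoso"}},
}
ENTERPRISE_ISSUER = "https://login.microsoftonline.com/contoso"
ENTERPRISE_AUDIENCE = "https://outlook.office.com"

def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(kid: str, claims: dict) -> str:
    """Issue a JWT-style token under the named key; used only to build sample input."""
    header = _b64u(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64u(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64u(sig)}"

def _verify_signature(token: str):
    """Return (kid, claims) when the signature verifies under a known key, else (None, None)."""
    header, body, sig = token.split(".")
    kid = json.loads(_b64u_decode(header)).get("kid")
    key = KEYS.get(kid)
    if key is None:
        return None, None
    expected = hmac.new(key["secret"], f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64u_decode(sig)):
        return None, None
    return kid, json.loads(_b64u_decode(body))

def weak_accept(token: str) -> bool:
    """The flawed pattern: a valid signature from any known key is trusted, whatever it claims."""
    _, claims = _verify_signature(token)
    return claims is not None

def hardened_accept(token: str, now=None) -> bool:
    """Signature, key-to-issuer binding, and issuer/audience/expiry checks together."""
    kid, claims = _verify_signature(token)
    if claims is None:
        return False
    if claims.get("iss") not in KEYS[kid]["issuers"]:  # consumer key cannot vouch for enterprise issuer
        return False
    if claims.get("iss") != ENTERPRISE_ISSUER or claims.get("aud") != ENTERPRISE_AUDIENCE:
        return False
    return claims.get("exp", 0) > (now if now is not None else time.time())
```

A token carrying enterprise issuer and audience claims but signed with the consumer key passes `weak_accept` and fails `hardened_accept`, which is the gap the missing issuer/scope validation left open.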
In response to this incident, Microsoft has taken steps to rectify the vulnerabilities that facilitated the breach. The company has improved its detection systems to prevent similar attacks in the future and has implemented measures to ensure that sensitive data is not mistakenly added to crash dump files.
As organizations and individuals continue to rely on cloud platforms and email services for their communication needs, it is crucial to remain vigilant and take proactive steps to protect accounts. Cybersecurity awareness and education are essential in staying ahead of evolving threats and maintaining the integrity of sensitive information. By implementing robust security measures and regularly updating software and systems, individuals and organizations can mitigate the risk of falling victim to similar cyber attacks.
The breach carried out by the Storm-0558 APT group highlights the increasing sophistication of cyber threats and the importance of continuous efforts to strengthen cybersecurity practices. Governments and industry leaders must work together to develop and enforce stringent security standards to safeguard sensitive information. With the ever-growing digital landscape, protecting against cyber threats has become a global imperative that requires constant attention and adaptation.