In a recent development, Microsoft has revealed the results of its investigation into how a Chinese threat actor, known as “Storm-0558,” obtained a Microsoft account consumer key. This key was then used by the threat actor to forge tokens and gain unauthorized access to Outlook Web Access (OWA) and Outlook.com. The incident, which occurred in April 2021, was caused by a crash in the consumer signing system that resulted in a snapshot of the crashed process, also known as a crash dump. These crash dumps are normally expected to redact sensitive information, including the signing key. However, due to a race condition, the key was present in the crash dump in this particular case.
The investigation revealed that the crash dump, initially believed not to contain any key material, was later moved from the isolated production network to the debugging environment on the internet-connected corporate network. This action was consistent with Microsoft’s standard debugging processes. Unfortunately, the presence of the key material in the crash dump went undetected by the company’s systems, highlighting a gap in their security measures.
Microsoft further explained that Storm-0558 compromised a Microsoft engineer’s corporate account, which had access to the crash dump containing the key. Although the specific evidence of exfiltration by Storm-0558 could not be determined due to log retention policies, Microsoft believes this was the most probable mechanism by which the threat actor acquired the key.
The consequences of this compromise were significant, as Storm-0558 was able to exploit the situation and target cloud-based Outlook email systems used by twenty-five organizations, including several US Government agencies such as the State Department. This cyberespionage operation raised concerns and led to criticisms of Microsoft’s security measures. Commentators described the causes of the compromise as “a Rube Goldberg chain of failures” and a “comedy of errors,” emphasizing the complexity of the incident.
However, there are contrasting views on the incident. Jake Williams of the Institute for Applied Network Security expressed sympathy for Microsoft’s situation, stating that the level of complexity involved in this attack is only expected in an environment like Microsoft’s. He pointed out that most organizations lack the necessary security measures and telemetry to detect and investigate such sophisticated attacks. Williams commended Microsoft for its extensive telemetry and log retention capabilities, which allowed for a thorough investigation of the incident.
In response to this security lapse, Microsoft has taken steps to prevent similar incidents in the future. They have identified and resolved the race condition that allowed the signing key to be present in crash dumps. Additionally, they have implemented enhanced prevention, detection, and response measures for key material mistakenly included in crash dumps. Microsoft has also improved their credential scanning capabilities to better detect the presence of the signing key in the debugging environment. To further safeguard against such incidents, they have released enhanced libraries to automate key scope validation in authentication libraries and clarified related documentation.
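To illustrate what "key scope validation" adds to a token verifier, here is a small example added to this article (not Microsoft's code or its real token format): a toy HMAC-signed token, a key registry in which every signing key carries the scope it may sign for, and a verifier that rejects a token whose issuer does not belong to the signing key's scope. Key ids, secrets and issuer URLs are constructed placeholders.

```python
import base64, hashlib, hmac, json

# Constructed key registry: each signing key is bound to exactly one scope.
KEYS = {
    "consumer-key-1": {"secret": b"constructed-consumer-secret", "scope": "consumer"},
    "enterprise-key-1": {"secret": b"constructed-enterprise-secret", "scope": "enterprise"},
}
# Constructed issuer-to-scope map (placeholder URLs, not real endpoints).
CONSUMER_ISS = "https://login.example.test/consumer"
ENTERPRISE_ISS = "https://login.example.test/enterprise"
ISSUER_SCOPE = {CONSUMER_ISS: "consumer", ENTERPRISE_ISS: "enterprise"}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(kid: str, claims: dict) -> str:
    """Produce header.payload.signature using the named key (toy format)."""
    signing_input = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)

def verify_signature_only(token: str) -> dict:
    """The weak check: any trusted key is accepted for any issuer."""
    h, p, s = token.split(".")
    key = KEYS.get(json.loads(_unb64(h)).get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key["secret"], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s)):
        raise ValueError("bad signature")
    return json.loads(_unb64(p))

def verify_token(token: str, resource_scope: str) -> dict:
    """The hardened check: signature valid AND key scope == issuer scope == resource scope."""
    claims = verify_signature_only(token)
    kid = json.loads(_unb64(token.split(".")[0]))["kid"]
    issuer_scope = ISSUER_SCOPE.get(claims.get("iss"))
    if issuer_scope is None or issuer_scope != KEYS[kid]["scope"]:
        raise ValueError("key scope does not match token issuer")
    if issuer_scope != resource_scope:
        raise ValueError("token issued for a different scope than this resource")
    return claims

def accepts(token: str, resource_scope: str) -> bool:
    try:
        verify_token(token, resource_scope)
        return True
    except ValueError:
        return False
```

A token for the enterprise issuer signed with the consumer key passes `verify_signature_only` but fails `verify_token`, which is the gap that scope validation closes.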
The incident serves as a reminder of the persistent threats faced by technology companies and the importance of maintaining robust security measures. As the investigation concluded, Microsoft acknowledged the flaws in their processes and took significant steps to rectify the situation. By sharing the details of this incident, they aim to increase transparency and facilitate a deeper understanding of the challenges faced in securing sensitive data.