
How Storm-0558 hackers stole an MSA key from Microsoft


After weeks of uncertainty, it has been confirmed that the consumer signing key used to breach email accounts in May was stolen from Microsoft’s own network. In July, Microsoft disclosed that a China-based threat actor, known as Storm-0558, compromised customer email accounts at around 25 organizations, including US federal agencies. The attackers used a stolen Microsoft account (MSA) consumer signing key to forge authentication tokens for Outlook Web Access and Outlook.com. They also exploited a token validation issue to impersonate Azure Active Directory users and gain access to their email.

The fallout from these attacks included criticism aimed at Microsoft regarding its response and the lack of information about how the MSA key was stolen. The company faced further criticism for its limited logging features that hindered the detection of the Storm-0558 attacks.

After nearly two months, Microsoft announced that its investigation had determined that the key was stolen from its own corporate environment due to a series of errors. Storm-0558 compromised a Microsoft engineer’s account and gained access to the Microsoft network and the debugging environment where the MSA key was accidentally left. The presence of the key in the debugging environment was a result of six security mistakes made by Microsoft.

Microsoft explained that a consumer signing system crash in April 2021 produced a snapshot of the crashed process, known as a crash dump. The crash dump should not have contained the signing key, but because of a race condition the key ended up in it, and Microsoft's systems did not detect this. The crash dump was then moved to Microsoft's debugging environment, which was connected to the internet. Microsoft's credential scanning methods also failed to detect the signing key in the dump; the company says this mistake has since been corrected.

The engineer’s account was compromised through token-stealing malware, although further details about the credential theft were not provided. The attackers then used the compromised account to access the debugging environment, where the crash dump containing the MSA key was located.

However, Microsoft did acknowledge some uncertainty regarding its investigation, stating that due to log retention policies, they don’t have specific evidence of the key’s exfiltration by the attackers. Nevertheless, it was deemed the most probable mechanism by which the key was acquired.

In addition to these revelations, Microsoft’s handling of the Storm-0558 attacks has come under scrutiny from both cybersecurity vendors and the US government. The company was criticized for its limited logging capabilities, which made it difficult to detect such attacks. Microsoft has since announced that it will expand logging capabilities free of charge for customers starting this month. However, concerns remain about the company downplaying the token validation issue and failing to provide adequate information about the capabilities and potential threat of MSA consumer signing keys.

Microsoft also addressed another concern regarding why a consumer key was able to access enterprise email in the first place. They attributed this to the introduction of a common key metadata publishing endpoint in September 2018, which was intended to assist customers who worked with consumer and enterprise applications. Furthermore, Microsoft admitted that another mistake on their part allowed the mail system to accept a request for enterprise mail using a security token signed with the consumer key.
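The validation mistake described above is easiest to see in a toy token validator. The following is an added example, not code from the article or from Microsoft: it models a merged key-metadata set that serves both consumer and enterprise keys, and contrasts a weak validator (any key in the set that verifies the signature is accepted) with a hardened one that also binds the signing key's scope and the token's audience to the service being accessed. HMAC stands in for the real asymmetric keys so the example runs with the standard library only; all key names, secrets and claims are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed keys (assumption: HMAC in place of the real asymmetric signing keys).
CONSUMER_KEY = {"kid": "consumer-key-1", "secret": b"constructed-consumer-secret", "scope": "consumer"}
ENTERPRISE_KEY = {"kid": "enterprise-key-1", "secret": b"constructed-enterprise-secret", "scope": "enterprise"}

# One key set serving both key families, analogous to the common key metadata
# publishing endpoint the article describes.
MERGED_KEYSET = {k["kid"]: k for k in (CONSUMER_KEY, ENTERPRISE_KEY)}

ENTERPRISE_AUDIENCE = "enterprise-mail"  # constructed audience identifier


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(key: dict, claims: dict) -> str:
    """Produce a compact header.payload.signature token signed with `key`."""
    header = {"alg": "HS256", "kid": key["kid"]}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _parse(token: str):
    h, p, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), s, h + "." + p


def _signature_ok(key: dict, signing_input: str, sig: str) -> bool:
    expected = hmac.new(key["secret"], signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(_b64url(expected), sig)


def validate_weak(token: str, keyset: dict) -> bool:
    """Weak check: the kid is looked up in the merged set and only the signature is verified.
    Nothing ties the key family to the service, so a consumer-signed token passes for enterprise mail."""
    header, _claims, sig, signing_input = _parse(token)
    key = keyset.get(header.get("kid"))
    return key is not None and _signature_ok(key, signing_input, sig)


def validate_hardened(token: str, keyset: dict, expected_audience: str, expected_scope: str) -> bool:
    """Hardened check: signature must verify, the key's scope must match the service,
    and the token's audience must be the one this service expects."""
    header, claims, sig, signing_input = _parse(token)
    key = keyset.get(header.get("kid"))
    if key is None or key["scope"] != expected_scope:
        return False
    if claims.get("aud") != expected_audience:
        return False
    return _signature_ok(key, signing_input, sig)


def demo() -> dict:
    # Legitimate enterprise token: accepted by both validators.
    good = sign_token(ENTERPRISE_KEY, {"sub": "alice@corp.example", "aud": ENTERPRISE_AUDIENCE})
    # Token signed with the consumer key but addressed to the enterprise service:
    # the weak validator accepts it, the hardened one rejects it.
    mismatched = sign_token(CONSUMER_KEY, {"sub": "alice@corp.example", "aud": ENTERPRISE_AUDIENCE})
    return {
        "good_weak": validate_weak(good, MERGED_KEYSET),
        "good_hardened": validate_hardened(good, MERGED_KEYSET, ENTERPRISE_AUDIENCE, "enterprise"),
        "mismatched_weak": validate_weak(mismatched, MERGED_KEYSET),
        "mismatched_hardened": validate_hardened(mismatched, MERGED_KEYSET, ENTERPRISE_AUDIENCE, "enterprise"),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that a key's presence in a published key set is not, by itself, authorization to sign for every service that consumes that set; each relying service has to pin the key family (and the audience) it is willing to accept.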

To prevent similar attacks in the future, Microsoft has implemented measures to enhance detection and response for mistakenly included key material in crash dumps. They have also improved credential scanning to better detect the presence of signing keys in the debugging environment.
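As an added example of the kind of credential scanning the mitigation above refers to (not Microsoft's scanner, whose implementation the article does not describe), the following scans an arbitrary binary blob such as a crash dump for three shapes of private key material: PEM-framed private keys, JSON Web Keys that carry a private exponent, and bare base64 runs that decode to a DER SEQUENCE of the size a private key would have. The dump contents are constructed and contain no real key.

```python
import base64
import re

# PEM framing for any private-key label (RSA, EC, OPENSSH, ENCRYPTED, or plain PKCS#8).
PEM_PRIVATE_RE = re.compile(
    rb"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----.*?-----END (?:[A-Z ]+ )?PRIVATE KEY-----", re.S
)
# A JWK that includes "d" is a private key; public JWKs carry only n/e or x/y.
JWK_PRIVATE_RE = re.compile(rb'"kty"\s*:\s*"(?:RSA|EC)"[^{}]*?"d"\s*:\s*"[A-Za-z0-9_-]+"', re.S)
# Long unbroken base64 runs: PEM bodies are line-wrapped, so this catches keys whose
# framing was stripped before they landed in memory.
BASE64_RUN_RE = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")


def looks_like_der_key(data: bytes) -> bool:
    """PKCS#1/PKCS#8 private keys are DER SEQUENCEs (0x30) with a long-form
    length (0x82 => two length bytes, i.e. more than 255 bytes of content)."""
    return len(data) > 4 and data[0] == 0x30 and data[1] == 0x82


def scan_dump(blob: bytes) -> list:
    """Return findings (kind, offset) sorted by offset; empty list means nothing detected."""
    findings = []
    for m in PEM_PRIVATE_RE.finditer(blob):
        findings.append({"kind": "pem_private_key", "offset": m.start()})
    for m in JWK_PRIVATE_RE.finditer(blob):
        findings.append({"kind": "jwk_private_key", "offset": m.start()})
    for m in BASE64_RUN_RE.finditer(blob):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if looks_like_der_key(decoded):
            findings.append({"kind": "bare_der_private_key", "offset": m.start()})
    return sorted(findings, key=lambda f: f["offset"])


# Constructed sample dump: filler bytes around three fake key artefacts.
FAKE_PEM = (
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    + b"\n".join(b"Q" * 64 for _ in range(4))
    + b"\n-----END RSA PRIVATE KEY-----"
)
FAKE_JWK = b'{"kty":"RSA","kid":"constructed-kid","n":"AQAB","e":"AQAB","d":"constructed_private_exponent"}'
FAKE_DER = b"\x30\x82\x01\x2c\x02\x01\x00" + b"\x00" * 297  # SEQUENCE, long-form length, then padding
FAKE_BARE_B64 = base64.b64encode(FAKE_DER)
CONSTRUCTED_DUMP = (
    b"\x00" * 32 + b"process heap noise " + FAKE_PEM + b"\x00" * 16
    + FAKE_JWK + b"\x00" * 8 + FAKE_BARE_B64 + b"\x00" * 32
)


if __name__ == "__main__":
    for f in scan_dump(CONSTRUCTED_DUMP):
        print(f"{f['kind']:24s} at offset {f['offset']}")
```

A scanner like this belongs on the path between where dumps are produced and where they are stored or opened, so that a dump carrying key material is quarantined before it reaches an internet-connected debugging environment.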

The handling of the Storm-0558 attacks has also prompted action from the US government. Senator Ron Wyden wrote an open letter urging government agencies to take action against Microsoft for its negligent cybersecurity practices, which enabled Chinese espionage against the US government. The Department of Homeland Security (DHS) has also initiated a broad review of cloud security threats, including an assessment of the Storm-0558 attacks.

These recent events highlight the importance of robust security measures and prompt response in the face of increasingly sophisticated cyber threats. Microsoft’s acknowledgement of their errors and commitment to enhancing security measures is a step towards mitigating future risks and better protecting their customers’ data.
