Risk and Repeat: Uncertainties persist regarding Storm-0558 attacks

In a recent blog post, Microsoft unveiled new information regarding the theft of a private consumer signing key that led to the Storm-0558 attacks in July. Despite the release of these details, many key questions remain unanswered.

The cyberattack by the China-based threat actor Storm-0558, which the tech giant has been investigating, resulted in the hacking of 25 organizations, including various US government agencies. The attacker had acquired the Microsoft account (MSA) consumer signing key, which was then used to create fake authentication tokens for Outlook Web Access and Outlook.com. Until now, Microsoft had not disclosed how the key was initially obtained.

According to Microsoft’s blog post, the investigation revealed that a consumer signing system crash occurred in April 2021, resulting in a snapshot of the crashed process. Because of a race condition, the MSA key was mistakenly included in the crash dump. Microsoft said that this issue has since been rectified.

Microsoft concluded that Storm-0558 most likely obtained the key after compromising a Microsoft engineer’s corporate account sometime after April 2021. This engineer’s account had access to the debugging environment, which held the crash dump containing the MSA key.

Although Microsoft said that its technical investigation had concluded, the Microsoft Security Response Center post failed to address several crucial details. In a blog published on September 7, cloud security vendor Wiz raised a number of unanswered questions. Amitai Cohen, the attack vector intel lead at Wiz, highlighted the need to know when the engineer’s account was compromised and the earliest possible time when Storm-0558 could have obtained the MSA key.

The lack of information regarding the timing of the engineer’s account compromise is a significant concern. That timing would provide critical insights into the duration of the attacker’s access to the MSA key and the potential extent of the damage caused. Without this information, it remains unclear how long Storm-0558 had control over the consumer signing key and what actions they may have taken.

The Storm-0558 attacks have raised broader concerns about cybersecurity and the vulnerabilities within major organizations. It is crucial for companies like Microsoft to provide a comprehensive and transparent account of such incidents to enhance trust and enable the cybersecurity community to learn from these experiences.

In response to the ongoing investigation, TechTarget editors Rob Wright and Alex Culafi discussed the latest developments surrounding the Storm-0558 attacks on their podcast, Risk & Repeat. They delved into Microsoft’s response to the breach and highlighted the importance of organizations taking proactive measures to protect their systems and mitigate potential cyber threats.

As the investigation into the Storm-0558 attacks continues, the cybersecurity community eagerly awaits further information and clarification from Microsoft. It is essential for all stakeholders to have a complete understanding of the timeline and extent of the breach to prevent similar incidents from occurring in the future.

Alexander Culafi, a Boston-based writer, journalist, and podcaster, offered his insights on the matter, emphasizing the need for organizations to prioritize cybersecurity measures to safeguard sensitive data and protect against potential breaches.

Overall, while Microsoft has shared some details regarding the theft of the consumer signing key that led to the Storm-0558 attacks, critical questions remain unanswered. The cybersecurity ecosystem awaits further updates and greater transparency to address the concerns surrounding this cyberattack and prevent similar incidents from occurring in the future.
