A string of security failings within Microsoft gifted China-based hackers a highly sensitive cryptographic key they used to break into the email accounts of high level U.S. government officials, including the U.S. Secretary of Commerce.
Microsoft revealed in July that an advanced persistent threat (APT) group it tracks as Storm-0558 had acquired and used a private encryption key to forge authentication tokens to access the cloud-based email accounts of at least two dozen organizations.
Among the organizations compromised through the group’s access to Microsoft 365 accounts were the U.S. State and Commerce departments, with Secretary of Commerce Gina Raimondo’s email account among those compromised.
In a Sept. 6 post, Microsoft’s Security Response Center outlined the findings of its investigation into the breach, identifying a number of breakdowns they said have since been remediated.
The problem started when the company’s consumer signing system crashed in April 2021, generating a “crash dump” which included the signing key. Sensitive information (including the key) should have been redacted in the dump, but due to an unanticipated race condition, the key was not concealed, and Microsoft did not notice its presence.
“We found that this crash dump, believed at the time not to contain key material, was subsequently moved from the isolated production network into our debugging environment on the internet connected corporate network,” Microsoft’s post said.
At a later, unspecified, date, Storm-0558 compromised the corporate account of a Microsoft engineer who had access to the debugging environment. Ironically, Microsoft — which was criticized in the wake of the attack for charging its customers extra for certain cloud security logging features, leading to many potential victims being in the dark about whether they were exposed to the spying campaign — had their own limited visibility limited due to similar problems.
“Due to log retention policies, we don’t have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key,” Microsoft said.
Even then, the consequences of the breach would not have been as serious if it wasn’t for a further issue Microsoft discovered in its investigation: an incorrect validation process that allowed the hacked enterprise email accounts to be signed with the compromised consumer key.
The post listed four corrective measures Microsoft has taken as a result of the investigation. The company said it fixed the race condition that allowed the key to appear in crash dumps, enhanced measures to detect and respond to any keys that appear in dumps, improved methods to detect the presence of keys in their debugging environment, and updated libraries to automatically perform scope validation, so enterprise accounts cannot be validated with a consumer key.
On Mastodon, security researcher and former Microsoft employee Kevin Beaumont described the company’s report on its investigation as “really good and honest from a technical level.”
He noted, however, that — as security firm Wiz discovered — Microsoft’s consumer key expired in April 2021. “They weren’t checking the validity dates, either — customers might want to ask them if they fixed this,” Beaumont posted.
Microsoft faced strong criticism when the breach was revealed in July, including from Sen. Ron Wyden, D-Ore., who said the company had acted negligently by allowing its encryption methods to be compromised.
Last month the Department of Homeland Security’s Cyber Safety Review Board (CSRB) announced it would review the incident as part of an investigation that would also look into the wider issue of how government, industry, and cloud service providers could strengthen identity management and authentication in the cloud.
