In July, Microsoft disclosed a security breach in which the Chinese hacking group Storm-0558 gained access to emails from approximately 25 organizations, including US government agencies. Now, the company is providing an explanation of how this breach occurred, highlighting the significant responsibility of maintaining software infrastructure in an increasingly vulnerable digital world.
According to Microsoft’s investigation summary, Storm-0558 obtained a “Microsoft account consumer key,” a signing key that allowed them to forge access tokens for their targets’ accounts. The key was acquired through a chain of events that unexpectedly placed it somewhere it should never have been.
The breach originated when a system made a debugging snapshot of a crashed process, but failed to remove sensitive information from the resulting “crash dump.” Consequently, the key remained in the dump. Microsoft’s systems should have detected the key material in the crash dump, but they failed to do so. When the dump was discovered by company engineers, they transferred it, along with the key, from the isolated production network to the debugging environment.
Another fail-safe, a credential scan, also missed the presence of the key. The final gate was breached when Storm-0558 compromised a Microsoft engineer’s corporate account, granting the hackers access to the debugging environment that should never have contained the key.
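Two of the controls that failed in the account above, detection of key material in the crash dump and the later credential scan, are the same kind of check: look through a blob that is about to leave a protected environment and flag or strip anything that looks like a secret. The following is an added illustration of such a scanner, not Microsoft's code; the crash dump, the PEM marker heuristic, the base64 run pattern and the entropy threshold are all constructed assumptions for the example.

```python
"""Scan a crash dump for leaked key material and redact it before the dump
leaves the production environment.

Added example, not Microsoft's code. The dump contents and the detection
heuristics below are constructed for illustration.
"""
from __future__ import annotations

import math
import re
from collections import Counter

# Serialized private keys carry well-known PEM markers.
PEM_PRIVATE_KEY = re.compile(
    rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----.*?"
    rb"-----END (?:RSA |EC |OPENSSH )?PRIVATE KEY-----",
    re.DOTALL,
)
# Raw key bytes usually show up in memory images as long base64 runs
# (standard alphabet assumed here).
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: random key bytes score high, prose scores low."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secrets(dump: bytes, entropy_threshold: float = 4.5) -> list[tuple[int, int, str]]:
    """Return (start, end, reason) spans that look like key material."""
    findings = [(m.start(), m.end(), "pem-private-key") for m in PEM_PRIVATE_KEY.finditer(dump)]
    for m in BASE64_RUN.finditer(dump):
        # A PEM body is already covered by the PEM finding; skip it.
        if any(s <= m.start() and m.end() <= e for s, e, _ in findings):
            continue
        if shannon_entropy(m.group()) >= entropy_threshold:
            findings.append((m.start(), m.end(), "high-entropy-blob"))
    return sorted(findings)


def redact(dump: bytes) -> tuple[bytes, list[tuple[int, int, str]]]:
    """Replace every finding with a marker; return the clean dump and the findings."""
    findings = find_secrets(dump)
    pieces, cursor = [], 0
    for start, end, reason in findings:
        pieces.append(dump[cursor:start])
        pieces.append(b"<REDACTED:" + reason.encode() + b">")
        cursor = end
    pieces.append(dump[cursor:])
    return b"".join(pieces), findings


# Constructed crash dump: a token service that died while holding its signing key.
SAMPLE_DUMP = (
    b"process: tokenservice pid=4242 state=crashed\n"
    b"stack: 0x7ffe sign_token() -> load_signing_key()\n"
    b"heap: -----BEGIN PRIVATE KEY-----\n"
    b"MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7\n"
    b"-----END PRIVATE KEY-----\n"
    b"env: SIGNING_KEY_B64=q8Zr3LmX0vWtYhK9pNcJ2dFgB5sQaR7eUoTiVxH6yMnC4lP1\n"
    b"env: LOG_LEVEL=debug\n"
)

if __name__ == "__main__":
    clean, found = redact(SAMPLE_DUMP)
    for start, end, reason in found:
        print(f"{reason} at bytes {start}-{end}")
    print(clean.decode())
```

The point of running the scan at the boundary, rather than only on the dump collector, is that a dump that slips past redaction is caught again before it is copied into a less isolated environment; a single missed check should not be enough to move key material out of production.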
Microsoft acknowledges that its logs contain no evidence of the actual route the hackers took to remove the key from its systems; it nonetheless considers the chain described above the “most probable” path they followed.
In a surprising turn of events, the stolen key was a consumer key, yet it allowed the threat actors to access enterprise Microsoft accounts. To support software that works across both consumer and enterprise accounts, Microsoft began publishing common key metadata in 2018. However, the company failed to update its authentication systems correctly to differentiate between consumer and enterprise keys. Consequently, no additional key validation was built into the mail system, leaving it blind to the type of key that had signed a token.
In summary, had the libraries been properly updated, despite the presence of other failures, the Storm-0558 hackers might not have been able to access the enterprise email accounts they targeted.
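The library failure described in the two paragraphs above comes down to one missing check: when a key set serves more than one kind of issuer, a valid signature alone does not prove that the key was allowed to sign for that issuer. The following added example (not Microsoft's code) shows a token validator with and without that check. The key set, issuer URLs, token format and HMAC signing are all constructed for the example; a real identity platform publishes asymmetric key metadata rather than shared secrets.

```python
"""Token verification with and without a key-scope check.

Added example, not Microsoft's code. The key set, issuer scopes and compact
token format are constructed; HMAC stands in for the asymmetric signing keys
a real identity platform would publish.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json

# Constructed merged key set: one metadata document serving both account
# types. Each entry records which issuer scope the key may sign for.
KEY_SET = {
    "consumer-key-1": {"secret": b"constructed-consumer-secret", "scope": "consumer"},
    "enterprise-key-1": {"secret": b"constructed-enterprise-secret", "scope": "enterprise"},
}

# Constructed issuer URLs and the key scope each one requires.
ISSUER_SCOPE = {
    "https://login.example.test/consumers": "consumer",
    "https://login.example.test/enterprise": "enterprise",
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Mint a compact token header.claims.signature with the named key."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(KEY_SET[kid]["secret"], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def _check_signature(token: str) -> tuple[str, dict]:
    """Verify the signature against the merged key set; return (kid, claims)."""
    header_b, body_b, sig_b = token.split(".")
    header = json.loads(_unb64(header_b))
    key = KEY_SET.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key["secret"], f"{header_b}.{body_b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b)):
        raise ValueError("bad signature")
    return header["kid"], json.loads(_unb64(body_b))


def verify_unscoped(token: str) -> dict:
    """Validator that trusts any key in the merged set: the library bug."""
    _, claims = _check_signature(token)
    return claims


def verify_scoped(token: str) -> dict:
    """Hardened validator: the signing key's scope must match the token's issuer."""
    kid, claims = _check_signature(token)
    issuer_scope = ISSUER_SCOPE.get(claims.get("iss"))
    if issuer_scope is None:
        raise ValueError("untrusted issuer")
    if KEY_SET[kid]["scope"] != issuer_scope:
        raise ValueError(f"key {kid} is not valid for issuer scope {issuer_scope}")
    return claims


def is_accepted(verifier, token: str) -> bool:
    """True if the verifier returns claims, False if it rejects the token."""
    try:
        verifier(token)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # A token signed by the consumer key but claiming the enterprise issuer.
    mismatched = sign_token("consumer-key-1",
                            {"iss": "https://login.example.test/enterprise", "sub": "alice"})
    print("unscoped validator accepts:", is_accepted(verify_unscoped, mismatched))
    print("scoped validator accepts:  ", is_accepted(verify_scoped, mismatched))
```

Both validators accept the signature, because the consumer key really is in the published key set; only the scoped one notices that the key is the wrong kind for the issuer the token names. That single comparison is what the text says the updated libraries would have supplied, and it is the reason a stolen consumer key should never have translated into enterprise mailbox access.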
Microsoft asserts that it has addressed all the aforementioned issues, including the error that resulted in the signing key being sent to the crash dump. The company also emphasizes its commitment to continuously strengthening its systems. Nonetheless, Microsoft has faced scrutiny for its security practices, with Senator Ron Wyden and Tenable CEO Amit Yoran criticizing the company’s alleged negligence. Yoran even accused Microsoft of being slow to respond to security flaws.
Microsoft has a crucial role in maintaining the security of its software infrastructure, especially as cyber threats persist and evolve. The breach incident serves as a reminder of the constant vigilance and diligent updates required to keep systems secure. As technology continues to advance, it is essential for organizations and individuals alike to prioritize cybersecurity and invest in robust protective measures.