In Late July, we covered a cybersecurity incident where hackers gained access to government emails. The cause was a Microsoft cloud breach that used a stolen authentication key. At the time, only 25 organizations were thought to be impacted, including some Western European government agencies. However, the attack was revealed to have started much earlier than realized.
Microsoft recently shared its investigation results and found the stolen key’s source was likely a signing system crash in April 2021. While the threat should effectively be over and the vulnerability fixed, the extent of this attack is less clear since they had this authentication key for over two years. Microsoft also admitted that “due to log retention policies, we don’t have logs with specific evidence of this exfiltration by this actor.”
Table of Contents
Compromised Account Led to Stolen Authentication Key
The Breach of an Isolated Environment
The ‘Race Condition’ Flaw and Debugging Environment
Lingering Breach Concerns and Industry Reactions
Microsoft Continues To Avoid Calling It a Vulnerability
The Impact on Businesses Using Microsoft Cloud Services
The May 2023 Microsoft Cloud Breach
On May 15, 2023, Microsoft faced a security breach orchestrated by Storm-0558, a hacker group based in China. They accessed 25 organizations’ email accounts using a stolen Microsoft key. The breach was caught when customers reported unusual email activities, leading to an immediate investigation. Quick actions from Microsoft included replacing compromised keys and isolating affected systems. They also partnered with DHS CISA for a more thorough review.
What made this attack complex? Storm-0558 used fake tokens to break into email services like Outlook Web Access and Exchange Online. These tokens were crafted with the help of programming languages like PowerShell and Python. The group also hid their tracks using network disguises like Tor and SOCKS5 proxies. Due to what happened, Microsoft did a deeper investigation, leading to the recent updates.
Compromised Account Led to Stolen Authentication Key
In their latest update, Microsoft shed light on two significant questions related to the cyberattack carried out by Storm-0558:
- How was the consumer signing key stolen?
- How could it be used for Azure, which operates on an entirely different infrastructure?
Microsoft disclosed that the group compromised one of their engineers’ corporate accounts, using the access to steal a crucial signing key. While the May 2023 cyberattack brought this issue to light, the key was stolen over two years prior without detection.
The Breach of an Isolated Environment
Microsoft elaborated that these sensitive keys are only entrusted to employees after background checks. These employees must operate within a specially isolated environment secured by multi-factor authentication via hardware tokens. This environment is walled off from Microsoft’s broader network to reduce the risk of malware and phishing attacks, typically through emails and other collaborative tools.
However, a critical breakdown occurred in April 2021 when a system crash led to a “crash dump,” transferring all data in memory to a disk for future diagnosis. The crash dump, which should have excluded sensitive data like signing keys, was transferred to Microsoft’s debugging environment due to a previously unknown vulnerability known as a “race condition.”
The ‘Race Condition’ Flaw and Debugging Environment
Usually, crash dumps are designed to strip out sensitive data automatically. In this instance, the race condition flaw allowed the sensitive key to be included in the crash dump. This dump was later accessible in an environment connected to the broader Microsoft corporate network. Storm-0558 could access the crash dump and the key it mistakenly contained by compromising an engineer’s account.
Lingering Breach Concerns and Industry Reactions
The Microsoft cloud breach has created concerns about the security infrastructure of key management, notably the absence of a Hardware Security Module (HSM) for storing a highly sensitive authentication key. HSMs are specialized devices engineered to offer strong protection for important data. Their absence in this scenario raises questions about how effective their current cybersecurity protocols are.
Another point of industry-wide concern is the identified “race condition,” an unintentional software glitch that can lead to vulnerabilities. This lapse points to specific security gaps in Microsoft’s system and invites a broader discussion on potential weaknesses in cybersecurity mechanisms. The incident highlights the need for ongoing updates to cybersecurity measures and encourages everyone to take a fresh look at best practices.
Microsoft Continues To Avoid Calling It a Vulnerability
Microsoft has avoided calling the security gaps exploited by Storm-0558 “vulnerabilities,” referring to them as “issues” instead. When asked about this choice of words, a company spokesperson said that “issue” is a broader term, covering anything from simple misconfigurations to human errors. They reserve the term “vulnerability” for more specific, clearly defined security flaws.
This cautious approach to wording has stirred further discussion in the tech community. Some argue that elements of the breach, like the exposed key material due to a race condition, should be called a vulnerability. The terminology raises questions about how we define and categorize security risks. As discussed in The 6 Steps of a Good Incident Response Plan, properly defining threats allows businesses to react better. In Microsoft’s case, avoiding the word “vulnerability” may undermine the attack’s severity.
The Impact on Businesses Using Microsoft Cloud Services
The Microsoft cloud breach incident is a good reminder for organizations to look at how they prioritize threats. Those heavily reliant on Microsoft cloud services are especially encouraged to take a closer look at their processes. Specifically, businesses can:
Introduce New Monitoring Systems: This event underscores the need for advanced monitoring systems to detect anomalies like unauthorized access to sensitive environments.
Employee Training: As a compromised employee account was a starting point, regular cybersecurity awareness training remains crucial.
Multi-Layer Security Protocols: Businesses should adopt a multi-layered approach to defense, which helps if any one layer is breached.
MFA Should Be Mandatory: We always recommend multi-factor authentication (MFA) to our readers and clients. It can significantly decrease the chance of a breached account.
Routine Audits: Frequent audits of IT systems can identify lapses or weaknesses in the security structure, allowing for time to correct flaws.
Consult Industry Best Practices: Following guidelines from cybersecurity agencies and experts can provide additional layers of protection.
This incident is a good reminder that even companies that highly invest in cybersecurity, like Microsoft, can still be vulnerable to attacks. It’s important to remain watchful and educate staff about the latest threats.
Does your business need an IT security audit or want to outsource your cybersecurity? Reach out to one of our IT security consultants via our contact form or call us at +1 (800) 297-8293
