After leaving many questions unanswered for months, Microsoft explains in a new post-mortem the series of missteps that allowed attackers to steal and misuse a valuable signing key.

Microsoft said in June that a Chinese state-backed hacking group had stolen a signing key from the company’s systems. The key allowed the attackers to access the cloud-based Outlook email systems of 25 organizations, including several US government agencies. At the time of the disclosure, however, Microsoft did not explain how the hackers had obtained such a sensitive and tightly guarded key, or how they had been able to use a key from the consumer tier to get into enterprise systems. A post-mortem analysis released by the company on Wednesday now lays out the series of blunders and oversights that made the improbable-seeming attack possible.

Signing keys like this one are critical in cloud infrastructure because they are used to sign the authentication “tokens” that prove a user’s identity when accessing data and services; whoever holds the key can mint tokens the services will accept. Microsoft said it stores these keys in “production environments” that are isolated and have strict access controls. But the crux of the matter was a system crash in April 2021 that let a copy of the key slip out of that protected zone.


“All the best hacks are death by 1,000 cuts, not exploiting one bug and getting everything,” says Jake Williams, a former NSA hacker who now teaches at the Applied Cybersecurity Institute.


When the consumer signing system crashed, the signing key ended up in an automatically generated “crash dump,” a snapshot of the process’s memory recorded to capture what happened. Microsoft’s system was designed to strip signing keys and other sensitive data from crash dumps before they left the production environment, but a bug let this key through. To make matters worse, the systems built to detect sensitive material in crash dumps also failed to flag the signing key.

With the crash dump seemingly vetted and clean, it was moved from the production environment into Microsoft’s “debug environment,” a separate, less isolated area connected to the company’s regular corporate network. Scans there designed to spot accidentally included credentials again failed to detect the key in the data.
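The two missed detections above are the part of the chain a defender can most directly test. The following is an added example, not Microsoft’s code and not a description of how its scanners actually work: it runs a shape-based credential scan and a known-secret scan over two constructed crash dumps, one holding a PEM-armored key and one holding only the raw key bytes as they would sit in process memory. The key material, the dump filler and the scanner patterns are all made up for the demonstration. The point it shows is that a scanner looking for the shape of a credential has nothing to match once the key is just 32 bytes in a memory image, whereas a scan that searches the dump for the specific secrets you hold, in each encoding they can take, still finds it.

```python
import base64
import re

# Constructed key material for the demonstration (not real keys, not Microsoft's):
# the same 32-byte "signing key" as raw bytes in memory and in PEM armor.
RAW_KEY = bytes(range(32))
PEM_KEY = (
    b"-----BEGIN PRIVATE KEY-----\n"
    + base64.b64encode(RAW_KEY)
    + b"\n-----END PRIVATE KEY-----\n"
)

# Shape-based patterns a generic credential scanner might use (illustrative).
CREDENTIAL_PATTERNS = [
    rb"-----BEGIN [A-Z ]*PRIVATE KEY-----",   # PEM armor
    rb"eyJ[A-Za-z0-9_-]{10,}\.eyJ",           # base64url JSON header followed by payload, as in a JWT
]


def pattern_scan(dump: bytes) -> list:
    """Shape-based scan: report which patterns occur anywhere in the dump."""
    return [p.decode() for p in CREDENTIAL_PATTERNS if re.search(p, dump)]


def known_secret_scan(dump: bytes, secrets: dict) -> list:
    """Known-secret scan: look for each protected key in the encodings it may take in
    memory or in a serialized file. Returns (secret name, encoding) pairs that were found."""
    hits = []
    for name, secret in secrets.items():
        encodings = {
            "raw": secret,
            "hex": secret.hex().encode(),
            "base64": base64.b64encode(secret),
            "base64url": base64.urlsafe_b64encode(secret).rstrip(b"="),
        }
        for enc, needle in encodings.items():
            if needle in dump:
                hits.append((name, enc))
    return hits


def build_dump(*chunks: bytes) -> bytes:
    """Construct a fake crash dump: filler resembling stack/heap data with the chunks embedded."""
    filler = b"\x00" * 64 + b"frame 0x7ffd1c2e\n" + b"\xcc" * 32
    out = b""
    for chunk in chunks:
        out += filler + chunk
    return out + filler


def demo() -> dict:
    """Run both scanners over a dump holding the PEM key and one holding only raw key bytes."""
    secrets = {"consumer-signing-key": RAW_KEY}
    pem_dump = build_dump(PEM_KEY)
    raw_dump = build_dump(RAW_KEY)
    return {
        "pattern_on_pem": pattern_scan(pem_dump),   # the armor is found
        "pattern_on_raw": pattern_scan(raw_dump),   # nothing to match: raw bytes have no shape
        "known_on_pem": known_secret_scan(pem_dump, secrets),
        "known_on_raw": known_secret_scan(raw_dump, secrets),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The known-secret scan is only as good as the inventory of secrets it is given, which is why it belongs in the pipeline that already has access to the production key material, before a dump is declared clean and allowed to cross into a less protected environment.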

At some point after April 2021, a Chinese espionage group that Microsoft calls Storm-0558 compromised the corporate account of a Microsoft engineer. That account had access to the debugging environment where the ill-fated crash dump, and with it the key, was stored. Microsoft says it no longer has logs from that period that directly show the compromised account exfiltrating the crash dump, “but this is the most likely mechanism by which the attacker could have obtained the key.” Armed with this key, the attackers could begin minting valid Microsoft account access tokens.

Another unanswered question had been how the attackers used a key from the consumer signing system’s crash dump to break into the enterprise email accounts of organizations such as government agencies. Microsoft said on Wednesday that this was possible because of a flaw in an application programming interface the company provides to help systems cryptographically verify token signatures. The API had not been fully updated with libraries that check whether a given system should accept tokens signed with a consumer key or an enterprise key, so many systems could be tricked into accepting either. A signature check on its own only proves that some Microsoft key signed the token; without a check that the key is scoped to the identity system the service trusts, a token minted with the consumer key is indistinguishable from a legitimate enterprise one.
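To make the scope problem concrete, here is an added example, not Microsoft’s code or its actual token format: a minimal JWS-style signer and two validators over a constructed key set in which consumer and enterprise keys are served together, as the paragraph describes. HMAC-SHA256 stands in for the asymmetric signatures production tokens use, and every key id, secret, issuer URL and claim value is made up. The flawed validator accepts any token whose `kid` names a key in the combined set and whose signature verifies; the hardened one additionally requires that the key be scoped to the issuer the relying service trusts and that the token’s `iss` claim agree. A token the attacker mints with the stolen consumer key but fills with enterprise claims passes the first and fails the second.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed key set for the demonstration (not real keys). HMAC-SHA256 stands in for the
# asymmetric signatures production tokens use; the scoping problem is the same either way.
# In the flawed design, consumer and enterprise keys are served from one combined key set.
KEYS = {
    "consumer-kid-1": {
        "secret": b"consumer-signing-secret-0001",
        "issuer": "https://login.consumer.example/",
    },
    "enterprise-kid-1": {
        "secret": b"enterprise-signing-secret-01",
        "issuer": "https://login.enterprise.example/tenant-a/",
    },
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Mint a compact JWS-style token with the named key (demo signer, HMAC stand-in)."""
    header = _b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(KEYS[kid]["secret"], signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def _parse(token: str):
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    payload = json.loads(_b64url_decode(payload_b64))
    return header, payload, f"{header_b64}.{payload_b64}".encode(), _b64url_decode(sig_b64)


def _signature_ok(key: dict, signing_input: bytes, sig: bytes) -> bool:
    expected = hmac.new(key["secret"], signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def verify_signature_only(token: str) -> Optional[dict]:
    """Flawed validation: any key in the combined set that verifies the signature is
    accepted, regardless of which identity system the key belongs to."""
    header, payload, signing_input, sig = _parse(token)
    key = KEYS.get(header.get("kid"))
    if key is None or not _signature_ok(key, signing_input, sig):
        return None
    return payload


def verify_for_issuer(token: str, expected_issuer: str) -> Optional[dict]:
    """Hardened validation for one relying service: the key named by kid must be scoped to
    the issuer this service trusts, the iss claim must agree, and the signature must verify."""
    header, payload, signing_input, sig = _parse(token)
    key = KEYS.get(header.get("kid"))
    if key is None or key["issuer"] != expected_issuer:
        return None  # e.g. a consumer key presented to an enterprise service
    if payload.get("iss") != expected_issuer:
        return None  # claims are attacker-controlled and cannot replace key scope, but must agree
    if not _signature_ok(key, signing_input, sig):
        return None
    return payload


def demo() -> dict:
    """A token minted with the stolen consumer key but carrying enterprise claims, beside a
    legitimate enterprise token, checked by both validators at the enterprise service."""
    enterprise_iss = KEYS["enterprise-kid-1"]["issuer"]
    forged = sign_token("consumer-kid-1",
                        {"iss": enterprise_iss, "sub": "admin@tenant-a.example", "aud": "mail"})
    legit = sign_token("enterprise-kid-1",
                       {"iss": enterprise_iss, "sub": "alice@tenant-a.example", "aud": "mail"})
    return {
        "flawed_accepts_forged": verify_signature_only(forged) is not None,
        "hardened_accepts_forged": verify_for_issuer(forged, enterprise_iss) is not None,
        "hardened_accepts_legit": verify_for_issuer(legit, enterprise_iss) is not None,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Note that checking the `iss` claim alone would not have helped: the attacker writes the claims. The binding that matters is from the verification key to the issuer the service trusts, which is exactly what the flawed validator never consults.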


The company said it has fixed all of the bugs and lapses that together exposed the key in the debug environment and allowed it to sign tokens accepted by enterprise systems. But the post-mortem did not describe how the attackers compromised the engineer’s corporate account, and Microsoft did not immediately respond to WIRED’s request for comment on how that breach occurred. Adrian Sanabria, an independent security researcher, said this is important information for fully understanding how the attack was carried out. He added that the fact that Microsoft retained only limited logs from this period is significant. As part of its broader response to the Storm-0558 campaign, the company said in July that it would expand its free cloud logging capabilities.

“This is particularly noteworthy because one of the complaints against Microsoft is that they don’t do security by default for their own customers,” Sanabria said. “Logs are disabled by default and security features are add-ons that require additional spending or more premium licenses. It appears they themselves have been affected by this practice.”

As the Applied Cybersecurity Institute’s Williams points out, organizations like Microsoft face highly motivated and well-resourced attackers who are unusually capable of exploiting even the most esoteric or seemingly impossible bugs. He said that after reading Microsoft’s latest update, he has a better understanding of why the situation unfolded the way it did.

“You only hear about highly sophisticated hacks like this in an environment like Microsoft’s,” he said. “In any other organization, security is relatively weak, so hacking doesn’t need to be sophisticated. Even when environments are very secure, they often lack the telemetry and data retention needed to investigate such incidents. Microsoft is one of the rare organizations that has both. Most organizations don’t even store logs like this for months, so it’s impressive to me how much telemetry they have.”
