At a glance.
- Microsoft releases results of investigation into cloud email compromise.
- Vulnerability affects booking service.
- Adversary emulation for OT networks.
- Identity protection and identity attack surfaces.
- Estonia warns of ongoing cyber threats.
Microsoft releases results of investigation into cloud email compromise.
Microsoft has published the results of its investigation into how a Chinese threat actor was able to obtain a Microsoft account consumer key, which it used to forge tokens to access OWA and Outlook.com. Redmond's investigators found that the threat actor (tracked as “Storm-0558”) compromised a Microsoft engineer’s corporate account, which had access to the crash dump containing the key. The company said, “Due to log retention policies, we don’t have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key.” The report outlines how the incident apparently unfolded. “Our investigation found that a consumer signing system crash in April of 2021 resulted in a snapshot of the crashed process (‘crash dump’). The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump (this issue has been corrected). The key material’s presence in the crash dump was not detected by our systems (this issue has been corrected). We found that this crash dump, believed at the time not to contain key material, was subsequently moved from the isolated production network into our debugging environment on the internet connected corporate network. This is consistent with our standard debugging processes. Our credential scanning methods did not detect its presence (this issue has been corrected).”
Storm-0558 is a Chinese cyberespionage actor. The crash dump incident saw it compromise cloud-based Outlook email systems used by at least twenty-five organizations, including several US Government agencies, the State Department among them. For more on the incident, see CyberWire Pro.
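The failure chain Microsoft describes has a concrete defensive counterpart: a scan for signing-key material that runs before a crash dump leaves the isolated production network. The following is an added illustration, not Microsoft's tooling; the byte patterns it looks for (PEM armour, the PKCS#1 RSAPrivateKey DER prefix, a JWK carrying a private exponent) and the sample dump are assumptions constructed for the example.

```python
"""Scan a crash-dump-style byte blob for private signing-key material."""
import re

# PEM-armoured private keys as they appear when a key file is loaded as text.
PEM_RE = re.compile(rb"-----BEGIN (?:RSA |EC |)PRIVATE KEY-----")

# PKCS#1 RSAPrivateKey in DER: SEQUENCE (long form, 2 length bytes),
# INTEGER version 0, then INTEGER modulus with a 2-byte length.
# Assumed in-memory layout: 30 82 LL LL 02 01 00 02 82
DER_RSA_RE = re.compile(rb"\x30\x82..\x02\x01\x00\x02\x82", re.DOTALL)

# JSON Web Key for RSA that includes the private exponent "d"; a public-only
# JWK (just "n" and "e") would not match and is fine to leave in a dump.
JWK_RE = re.compile(rb'"kty"\s*:\s*"RSA"[^}]*"d"\s*:\s*"')

DETECTORS = (
    ("pem_private_key", PEM_RE),
    ("der_rsa_private_key", DER_RSA_RE),
    ("jwk_private_key", JWK_RE),
)


def find_key_material(blob: bytes) -> list[tuple[str, int]]:
    """Return (finding, byte offset) for every key-like pattern in the blob."""
    findings = []
    for name, rx in DETECTORS:
        for m in rx.finditer(blob):
            findings.append((name, m.start()))
    return sorted(findings, key=lambda f: f[1])


def safe_to_export(blob: bytes) -> bool:
    """Gate for moving a dump off the production network: any finding blocks it."""
    return not find_key_material(blob)


# Constructed sample dump: heap noise around a fake JWK with a private exponent.
SAMPLE_DUMP = (
    b"\x00" * 64
    + b"heap-frame\x00"
    + b'{"kty":"RSA","kid":"constructed","n":"AQAB...","d":"fakeprivexp"}'
    + b"\xff" * 32
)

if __name__ == "__main__":
    for name, offset in find_key_material(SAMPLE_DUMP):
        print(f"{name} at offset {offset}")
    print("safe to export:", safe_to_export(SAMPLE_DUMP))
```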