How a Chinese threat actor got a Microsoft signing key.
By Tim Nodar, CyberWire senior staff writer
Sep 7, 2023

How Storm-0558 got a Microsoft consumer key: it came from the crash dump.

Microsoft has published the results of its investigation into how a Chinese threat actor was able to obtain a Microsoft account consumer key, which it used to forge tokens to access OWA and Outlook.com:

“Our investigation found that a consumer signing system crash in April of 2021 resulted in a snapshot of the crashed process (‘crash dump’). The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump (this issue has been corrected). The key material’s presence in the crash dump was not detected by our systems (this issue has been corrected).

“We found that this crash dump, believed at the time not to contain key material, was subsequently moved from the isolated production network into our debugging environment on the internet connected corporate network. This is consistent with our standard debugging processes. Our credential scanning methods did not detect its presence (this issue has been corrected).”
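The two detection gaps Microsoft describes (key material not caught when the dump was written, and credential scanning not catching it once the dump reached the debugging environment) come down to the same control: scanning a binary blob for key material before it is allowed to cross a trust boundary. The following is an added example, not Microsoft's tooling and not code from the article, showing what such a pre-transfer gate can look like in Python. It combines an exact match on PEM private-key headers with a sliding-window entropy sweep that catches raw key material (DER or bare RSA integers) which carries no textual marker. The sample dump, the seeded random bytes standing in for key material, the window size and the entropy threshold are all constructed for illustration.

```python
import math
import random
import re

# PEM header carried by private keys of any algorithm (PKCS#1, PKCS#8, SEC1, encrypted PKCS#8).
PEM_PRIVATE_KEY = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----")

WINDOW = 256             # bytes examined per entropy window
STEP = 128               # windows overlap by half so key material straddling a boundary is still seen
ENTROPY_THRESHOLD = 6.5  # bits per byte; text, code and most structured data sit around 4 to 5.5


def shannon_entropy(data: bytes) -> float:
    """Plug-in estimate of entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_dump(dump: bytes) -> list[dict]:
    """Return findings that should block a dump from leaving the isolated network.

    Two detectors run: an exact match on PEM private-key headers, and an entropy
    sweep that merges adjacent high-entropy windows into one region. Compressed or
    encrypted blobs also trip the entropy detector; that is an acceptable false
    positive for a gate whose failure mode is a leaked signing key.
    """
    findings = []
    for m in PEM_PRIVATE_KEY.finditer(dump):
        findings.append({"kind": "pem_private_key", "offset": m.start()})

    region_start = None
    region_end = 0
    for offset in range(0, len(dump) - WINDOW + 1, STEP):
        if shannon_entropy(dump[offset:offset + WINDOW]) >= ENTROPY_THRESHOLD:
            if region_start is None:
                region_start = offset
            region_end = offset + WINDOW
        elif region_start is not None:
            findings.append({"kind": "high_entropy", "offset": region_start,
                             "length": region_end - region_start})
            region_start = None
    if region_start is not None:
        findings.append({"kind": "high_entropy", "offset": region_start,
                         "length": region_end - region_start})
    return findings


def safe_to_transfer(dump: bytes) -> bool:
    """True only when no detector fired; the transfer tooling refuses the copy otherwise."""
    return not scan_dump(dump)


def build_sample_dump() -> bytes:
    """Constructed stand-in for a crash dump: log text, a raw key-sized random blob, a PEM key."""
    rng = random.Random(20230907)  # seeded so the example is reproducible
    log_noise = b"[worker] request handled in 12ms\n" * 200          # 6600 bytes of low-entropy text
    raw_key_material = rng.randbytes(2048)                            # stands in for an RSA key's raw integers
    pem_key = (b"-----BEGIN RSA PRIVATE KEY-----\n"
               b"MIIEpAIBAAKCAQEA...constructed placeholder, not a real key...\n"
               b"-----END RSA PRIVATE KEY-----\n")
    return log_noise + raw_key_material + log_noise + pem_key + log_noise


if __name__ == "__main__":
    for finding in scan_dump(build_sample_dump()):
        print(finding)
    print("clean dump transferable:", safe_to_transfer(b"[worker] idle\n" * 500))
```

The entropy detector is the part that matters for the incident as described: a key that reaches a dump through a race condition will not be neatly PEM-encoded, so a marker-only scanner gives false assurance. The threshold is a tuning knob; measure it against real dumps from the fleet before trusting a gate built on it.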

Compromise explained with an argument to the best explanation.

Microsoft found that the threat actor (tracked as “Storm-0558”) compromised a Microsoft engineer’s corporate account, which had access to the crash dump containing the key. The company notes, “Due to log retention policies, we don’t have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key.”

A complicated failure enabled cyberespionage.

Storm-0558 is a Chinese cyberespionage actor. The crash dump incident saw it compromise cloud-based Outlook email systems used by at least twenty-five organizations, including several US Government agencies, the State Department among them. Much of the commentary on the results of Microsoft's investigation has been derisive. The Verge, for example, describes the causes as "a Rube Goldberg chain of failures" (translation for readers in the UK: for "Rube Goldberg" read "Heath Robinson").

WIRED has a similar take, calling the compromise a "comedy of errors," but concludes with a long quotation from Jake Williams of the Institute for Applied Network Security who puts it into a more sympathetic context: “You'll only hear about highly complex hacks like this in an environment like Microsoft's. In any other organization, the security is relatively so weak that a hack doesn't need to be complex. And even when environments are pretty secure, they often lack the telemetry—along with the retention—needed to investigate something like this. Microsoft is a rare organization that has both. Most organizations wouldn't even store logs like this for a few months, so I'm impressed that they had as much telemetry as they did."

Limiting the risk of signing key compromise.

Microsoft says it’s implemented the following measures to prevent this from happening in the future:

  • “Identified and resolved race condition that allowed the signing key to be present in crash dumps
  • “Enhanced prevention, detection, and response for key material erroneously included in crash dumps
  • “Enhanced credential scanning to better detect presence of signing key in the debugging environment
  • “Released enhanced libraries to automate key scope validation in authentication libraries, and clarified related documentation.”
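The last bullet concerns key scope validation in authentication libraries: a signature that verifies under some key in the trust store is not enough if that key was never meant to sign tokens for the service doing the validating. The following added example (not Microsoft's code or token format, and not from the article) shows the difference in Python with a deliberately simplified HMAC-signed token that stands in for the real asymmetric format. `verify_signature_only` trusts any key in the store for any audience, so a token minted with a consumer-scoped key is accepted at an enterprise endpoint; `verify_with_key_scope` additionally requires the signing key's scope to match the validating service. The key store, key ids, secrets and claims are all constructed placeholders.

```python
import base64
import hashlib
import hmac
import json


class TokenError(Exception):
    """Raised for any token that must not be accepted."""


# Hypothetical key store. Each signing key carries the scope it is allowed to sign
# tokens for. Secrets are constructed placeholders; a real issuer uses asymmetric keys.
SIGNING_KEYS = {
    "consumer-2021-04": {"secret": b"consumer-key-placeholder-do-not-use", "scope": "consumer"},
    "enterprise-2023-07": {"secret": b"enterprise-key-placeholder-do-not-use", "scope": "enterprise"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(kid: str, claims: dict) -> str:
    """Mint an HS256-style token: base64url(header).base64url(claims).base64url(mac)."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    mac = hmac.new(SIGNING_KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(mac)}"


def _split_and_check_signature(token: str) -> tuple[dict, dict]:
    """Shared parsing: resolve the kid, verify the MAC, return (key_record, claims)."""
    try:
        header_b64, claims_b64, mac_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        presented_mac = _b64url_decode(mac_b64)
    except ValueError:  # covers bad segment count, bad base64 and bad JSON
        raise TokenError("malformed token")
    key = SIGNING_KEYS.get(header.get("kid"))
    if key is None:
        raise TokenError("unknown kid")
    expected = hmac.new(key["secret"], f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented_mac):
        raise TokenError("bad signature")
    return key, claims


def verify_signature_only(token: str) -> dict:
    """The weak pattern: any key in the store is trusted for any audience, so a token
    signed by the consumer key is accepted wherever the store is shared."""
    _, claims = _split_and_check_signature(token)
    return claims


def verify_with_key_scope(token: str, expected_scope: str) -> dict:
    """The corrected pattern: the key that signed the token must be scoped for the
    service validating it. A valid signature under the wrong key is a rejection."""
    key, claims = _split_and_check_signature(token)
    if key["scope"] != expected_scope:
        raise TokenError(f"key scoped for {key['scope']!r} cannot authorize {expected_scope!r}")
    return claims


def accepted(verifier, *args) -> bool:
    """True when `verifier` accepts the token, False when it raises TokenError."""
    try:
        verifier(*args)
        return True
    except TokenError:
        return False


if __name__ == "__main__":
    # Constructed scenario: a consumer-scoped key is used to mint a token aimed at enterprise mail.
    forged = issue_token("consumer-2021-04", {"sub": "user@example.gov", "aud": "enterprise-mail"})
    print("signature-only check accepts:", accepted(verify_signature_only, forged))
    print("scope-aware check accepts:   ", accepted(verify_with_key_scope, forged, "enterprise"))
```

The point of the split into a shared parser and two verifiers is that the scope check is a separate, mandatory step after signature verification rather than something each caller remembers to do; pushing it into the library is what the fourth bullet describes.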