Microsoft has revealed that a 2021 consumer signing system crash dump inadvertently led to Chinese-backed hackers waging an attack on the US State Department and a host of global businesses.
A threat actor group known as Storm-0558 was identified as the culprit for the July hacking campaign, which resulted in the exposure of State Department officials’ email communications.
A compromised engineer’s corporate account is said to have given hackers access to Outlook and critical company systems, according to details from Microsoft’s long-awaited post-mortem of the incident.
“China-Based threat actor, Storm-0558, used an acquired Microsoft account (MSA) consumer key to forge tokens to access OWA and Outlook.com,” the firm said in a blog post.
“Upon identifying that the threat actor had acquired the consumer key, Microsoft performed a comprehensive technical investigation into the acquisition of the Microsoft account consumer signing key, including how it was used to access enterprise email.”
Microsoft’s investigation revealed the compromised corporate account enabled attackers to gain access to a debugging environment containing information on a crash of a consumer signing system dated to April 2021.
Ordinarily, ‘crash dumps’ redact sensitive information, such as signing keys, Microsoft said. However, a race condition bug meant that a signing key was present in the crash dump.
This dump was subsequently moved from an isolated production network to a debugging environment, meaning hackers were able to access the key’s materials.
“After April 2021, when the key was leaked to the corporate environment in the crash dump, the Storm-0558 actor was able to successfully compromise a Microsoft engineer’s corporate account,” Microsoft said.
“This account had access to the debugging environment containing the crash dump which incorrectly contained the key.”
Attackers then used the stolen MSA key to successfully breach Exchange Online and the Azure Active Directory (AD) accounts of more than 20 organizations globally.
A host of US government agencies, including the State Department and Commerce Department, were affected by the breach.
The incident underlines the potential knock-on effect of security mishaps elsewhere in Microsoft’s ecosystem, which the threat actor group exploited to devastating effect.
Microsoft under fire
Microsoft was subject to intense criticism in the wake of the July hacking campaign, with industry stakeholders and lawmakers alike criticizing its response to the incident.
Do you use Microsoft 365? Mitigate risks and close the potential gaps in your email security.
DOWNLOAD FOR FREE
Tenable CEO Amit Yoran accused the tech giant of “negligent practices” for its response to security vulnerabilities in recent years, specifically highlighting the espionage campaign in a public broadside against the firm.
“Microsoft’s lack of transparency applies to breaches, irresponsible security practices, and to vulnerabilities, all of which expose their customers to risks they are deliberately kept in the dark about,” Yoran said at the time.
Yoran’s critique followed calls from US Senator Ron Wyden for an investigation into Microsoft’s security practices, with Wyden also describing the firm as “negligent”.
This intense pressure prompted Microsoft to issue a rare public rebuttal to the criticism from Yoran and lawmakers in early August.
The tech giant strongly denied claims of negligence and insisted it had not left customers “in the dark” during its response to vulnerabilities and security incidents.
