
Death by a thousand cuts - How Chinese hackers compromise Microsoft's cloud

Take action: Security breaches are never one big thing. They are always a series of small compromises, made in the name of "efficiency", "speed", "success" or something else, because we always assume that some other control somewhere will stop the issue from happening. Try to enforce discipline as much as possible, because it does help.


Learn More

In July, Microsoft disclosed that a China-based hacking group, known as Storm-0558, had infiltrated U.S. government-linked email accounts, compromising 25 organizations and affecting high-ranking American officials, including Commerce Secretary Gina Raimondo and U.S. Ambassador to China Nicholas Burns. The cause of the breach was a stolen cryptographic signing key that was used to forge tokens for unauthorized access.

This article walks through the "death by a thousand cuts": the successive holes in the Swiss cheese that lined up to create the data breach.

Microsoft has revealed that the Chinese hacking group Storm-0558 stole the MSA signing key, which it later used to breach government email accounts, from a Windows crash dump, after compromising a Microsoft engineer's corporate account.

Cut 1 - save key in crash dump

During its investigation, Microsoft discovered that the MSA key had inadvertently ended up in a crash dump after a consumer signing system crashed in April 2021. The crash dump should not have contained signing keys, but a race condition caused the key to be included.

Cut 2 - save crash dump to internet accessible environment

This crash dump was subsequently moved from Microsoft's isolated production network to its internet-connected corporate debugging environment.
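The control that turns Cut 1 into a non-event at Cut 2 is a gate that scans a dump for key material before it may leave the isolated network. The following is an added Python example, not Microsoft's tooling; the dump bytes, marker patterns and entropy threshold are constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample: a fake crash dump with a PEM-encoded private key
# embedded in it (made up for this example, not a real dump or key).
SAMPLE_DUMP = (
    b"\x00" * 64
    + b"MiniDump header padding"
    + b"-----BEGIN RSA PRIVATE KEY-----\n"
    + b"MIIBOgIBAAJBAK...\n"
    + b"-----END RSA PRIVATE KEY-----\n"
    + b"\xff" * 64
)

# Textual (PEM) private key header, any key type.
PEM_PRIVATE_KEY = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# DER-encoded PKCS#1 / PKCS#8 private keys start with a SEQUENCE (long form,
# 2-byte length) followed by INTEGER version 0: 30 82 xx xx 02 01 00.
DER_PRIVATE_KEY = re.compile(rb"\x30\x82[\x00-\xff]{2}\x02\x01\x00")


def shannon_entropy(chunk: bytes) -> float:
    """Bits of entropy per byte in chunk (0.0 for empty input)."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def scan_dump(data: bytes, window: int = 256, threshold: float = 7.5) -> list:
    """Return sorted (offset, reason) findings for likely key material."""
    findings = [(m.start(), "PEM private key header") for m in PEM_PRIVATE_KEY.finditer(data)]
    findings += [(m.start(), "DER private key prefix") for m in DER_PRIVATE_KEY.finditer(data)]
    # Heuristic: raw key material (RSA modulus, EC scalar) is near-random, so
    # flag full windows whose byte entropy approaches the 8-bit maximum.
    for off in range(0, len(data) - window + 1, window):
        if shannon_entropy(data[off:off + window]) >= threshold:
            findings.append((off, "high-entropy block"))
    return sorted(findings)


def may_export(data: bytes) -> bool:
    """Export gate: a dump leaves the isolated network only if the scan is clean."""
    return not scan_dump(data)


if __name__ == "__main__":
    for off, reason in scan_dump(SAMPLE_DUMP):
        print(f"offset {off}: {reason}")
    print("export allowed:", may_export(SAMPLE_DUMP))
```

The entropy heuristic also fires on compressed or encrypted sections, so in practice a hit should block the export for manual review rather than be treated as proof of a key.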

Cut 3 - hack an employee account

The threat actor successfully compromised a Microsoft engineer's corporate account, which had access to the debugging environment containing the key erroneously included in the April 2021 crash dump.

Cut 4 - find the diamond in the garbage heap

The hackers accessed the debugging environment and exfiltrated the key stored there. Microsoft explained that, due to log retention policies, it lacked specific evidence of this exfiltration, but it was the most likely method the actors used to acquire the key.

Cut 5 to 1000 - create new tokens and access various services

Microsoft initially disclosed that only Exchange Online and Outlook were affected by the breach, but it was later revealed that the compromised Microsoft consumer signing key granted Storm-0558 extensive access to Microsoft cloud services, allowing them to impersonate accounts across various applications and services.

What next?

Microsoft responded to the breach by revoking all valid MSA signing keys, to prevent unauthorized access via other compromised keys, and relocated recently generated access tokens to the key store used by its enterprise systems. After revoking the stolen signing key, Microsoft found no additional evidence of unauthorized access using the same token-forging technique.

Furthermore, Microsoft agreed to provide free access to cloud logging data under pressure from CISA to assist network defenders in detecting similar breach attempts in the future.
