Microsoft Explains Most Recent Chinese Email Hack – Humans
As is often the case, humans and process represent the biggest failure window.
Microsoft, to its credit, is being public about its own failures, and pretty quickly.
The Chinese hackers, tracked as Storm-0558, obtained a “golden cryptographic key” (a consumer-account signing key) which allowed them to generate tokens so that they could masquerade as other users. I don’t know why you would architect a system to require such a thing, but they did. It appears that it may have been done as a shortcut to fixing a different problem, which would have been way harder to fix.
In theory, keys like these live in an isolated production network, protected by robust controls and cut off from the Internet.
Going back to April 2021, a crash in the signing system generated a crash dump in that isolated production environment. The crash dump contained a copy of the golden key, a key that (in my opinion) should not exist at all. Microsoft attributes the key’s presence in the dump to a race condition; the dump was never supposed to contain it.
Microsoft says its standard process was to move the crash dump out of that isolated environment into its Internet-connected corporate debugging environment to troubleshoot the problem.
Both before and after the move the dump was run through credential scanning, which should have detected the key. It did not. This issue has been fixed, they say.
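To make the scanning failure concrete, here is an added example (mine, not Microsoft’s scanner and not from The Register piece) of two ways a crash dump can be checked for key material. A format-based rule only fires on an ASCII-armoured (PEM) key and walks straight past the same key sitting in memory as raw bytes; a fingerprint scan that hashes every window of the dump against a list of hashes of the keys that must never leave the isolated network catches it in either form. The key bytes, the dump contents and the function names are all constructed for the example.

```python
import hashlib
import re

# Constructed stand-in for the raw private-key bytes as they sit in the signing
# process's memory: not PEM, not base64, just 128 bytes of key material.
PRODUCTION_KEY = hashlib.sha256(b"constructed signing key").digest() * 4

# The scanner is handed only fingerprints (hash and length) of the keys that must
# never leave the isolated network, so its own config is not yet another copy of a key.
FORBIDDEN = {hashlib.sha256(PRODUCTION_KEY).hexdigest(): len(PRODUCTION_KEY)}

# A format-based rule of the kind many secret scanners ship with.
PEM_PRIVATE_KEY = re.compile(rb"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")


def format_scan(dump: bytes) -> bool:
    """Flags only ASCII-armoured keys; misses the same key in raw form."""
    return PEM_PRIVATE_KEY.search(dump) is not None


def fingerprint_scan(dump: bytes, forbidden: dict = FORBIDDEN) -> bool:
    """Hash every window of each forbidden key's length and compare against the
    fingerprint list. Finds the key however it is encoded, as long as its bytes
    are contiguous in the dump."""
    for fingerprint, length in forbidden.items():
        for offset in range(len(dump) - length + 1):
            window = dump[offset:offset + length]
            if hashlib.sha256(window).hexdigest() == fingerprint:
                return True
    return False


# Constructed crash dumps: fake stack-frame text around the raw key, a dump that
# happens to contain a PEM-formatted key, and a dump with no key at all.
DUMP_RAW_KEY = (b"frame 0: tokensvc!SignToken\x00"
                + PRODUCTION_KEY
                + b"\x00frame 1: tokensvc!Main")
DUMP_PEM_KEY = (b"log: -----BEGIN RSA PRIVATE KEY-----\n"
                b"MIIEowIBAAKCAQEA\n-----END RSA PRIVATE KEY-----\n")
DUMP_CLEAN = b"frame 0: tokensvc!Main\x00heap: 00 00 00 00"

if __name__ == "__main__":
    for name, dump in [("raw key", DUMP_RAW_KEY), ("pem key", DUMP_PEM_KEY), ("clean", DUMP_CLEAN)]:
        print(f"{name:8s} format_scan={format_scan(dump)} fingerprint_scan={fingerprint_scan(dump)}")
```

The sliding SHA-256 is deliberately naive; a production scanner would use a rolling hash or index fixed-size blocks so that gigabyte dumps stay affordable. The design point is the one the post makes: a scan that only knows what a key looks like in a text file cannot be the control that stops a key from leaving the isolated network, because the thing that leaks is process memory.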
Then Storm-0558 compromised a Microsoft engineer’s corporate account (yes, engineers are human too), an account with access to that debugging environment, and stole the key. Microsoft says it has no logs showing the exfiltration itself but considers this the most likely path. The rest is history.
Microsoft had been converging its enterprise and consumer identity systems, publishing the signing keys for both through a single key metadata endpoint. There should have been a check that a token signed with a consumer key was never accepted for an enterprise account. The mail system’s token validation did not make that check, and this too has now been fixed. SO, once the engineer was compromised, what the hackers walked off with was not merely a consumer key but a truly golden one: it signed tokens that enterprise email accepted.
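The missing check is easy to show in code. The following is an added example written for this post, not Microsoft’s validation library: a toy token service with one consumer key and one enterprise key published in a single key set, a validator that trusts any key in that set for any account (the pre-fix behaviour), and a validator that also requires the key’s scope to match the kind of account the token claims. HMAC stands in for the real asymmetric signature so it runs with the standard library alone; the key IDs, tenant identifiers and claim names are all constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed key set served from one merged metadata endpoint. Each key records
# which side of the house it was issued for. HMAC is a stand-in for the real
# asymmetric signature; the scope check is the point of the example.
KEYS = {
    "msa-key-2021": {"secret": b"consumer-signing-key", "scope": "consumer"},
    "aad-key-2021": {"secret": b"enterprise-signing-key", "scope": "enterprise"},
}
CONSUMER_TENANT = "consumer"  # constructed stand-in for the consumer tenant identifier


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Issue a token under the named key: what the token service does, and what a
    thief holding that key can do just as well."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def _verify_signature(token: str):
    """Return (header, claims) if the signature verifies under a published key, else None."""
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(_unb64(h)), json.loads(_unb64(p)), _unb64(s)
    except ValueError:
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    key = KEYS.get(header.get("kid"))
    if key is None:
        return None
    expected = hmac.new(key["secret"], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return header, claims


def validate_flawed(token: str):
    """Pre-fix behaviour: any key in the merged set is trusted for any account."""
    result = _verify_signature(token)
    return result[1] if result else None


def validate_fixed(token: str):
    """Post-fix behaviour: the signing key's scope must match the account the token names."""
    result = _verify_signature(token)
    if result is None:
        return None
    header, claims = result
    token_scope = "consumer" if claims.get("tid") == CONSUMER_TENANT else "enterprise"
    if KEYS[header["kid"]]["scope"] != token_scope:
        return None
    return claims


# An attacker holding only the stolen consumer key forges a token for an enterprise mailbox.
FORGED = sign_token("msa-key-2021", {"sub": "cfo@contoso.example", "tid": "contoso-tenant"})
# A legitimate enterprise token, and a legitimate consumer token, for comparison.
LEGIT_ENTERPRISE = sign_token("aad-key-2021", {"sub": "cfo@contoso.example", "tid": "contoso-tenant"})
LEGIT_CONSUMER = sign_token("msa-key-2021", {"sub": "someone@outlook.example", "tid": CONSUMER_TENANT})

if __name__ == "__main__":
    print("flawed accepts forged token:", validate_flawed(FORGED) is not None)
    print("fixed accepts forged token: ", validate_fixed(FORGED) is not None)
```

With the merged key set, the forged token passes signature verification just fine, because the consumer key really did sign it; nothing is cryptographically wrong with it. Only the scope comparison in `validate_fixed` notices that a consumer key has no business vouching for an enterprise tenant. That is the check the post says was missing from the mail system, and it is the difference between a stolen consumer key and a golden one.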
It turns out that this golden key could forge tokens for more than just email, so either the hackers were detected before they could abuse that wider reach or they never realized they had it.
Bottom line, secure software development practices are critical to catching issues like these, although nothing is perfect, so application penetration testing is important as well.
Also, make sure those soft, squishy failure points (the humans) are continuously trained and tested.
There is no easy solution, but you have to work at it.
Need help with this – please contact us.
Credit: The Register