UPDATED 19:58 EDT / SEPTEMBER 06 2023

SECURITY

Microsoft reveals hackers compromised engineer account to gain access to government accounts

Microsoft Corp. has revealed that alleged Chinese hackers who breached email accounts belonging to U.S. government agencies, including the State Department, earlier this year did so by compromising the account of a Microsoft engineer.

The details were revealed in a post-mortem published today by the Microsoft Security Response Center, which traces how the attack unfolded. The hacking group, tracked as Storm-0558 by Microsoft, acquired a Microsoft account (MSA) consumer signing key and used it to forge authentication tokens for Outlook on the web and Outlook.com.

Exactly how the consumer key was obtained is what makes the story interesting. Microsoft’s investigation found that a consumer signing system crashed in April 2021, producing a snapshot of the crashed process, known as a crash dump. Crash dumps are supposed to be redacted so that sensitive material such as signing keys is stripped out, but in this case a race condition let the key survive redaction and remain in the dump.

The crash dump, which Microsoft did not realize still contained the key, was then moved from the isolated production network into the company’s debugging environment on its internet-connected corporate network. Moving dumps there is part of Microsoft’s standard debugging process, but its credential-scanning methods did not detect the key either, so signing-key material sat in an environment that was far less isolated than the one it came from.

Storm-0558 then compromised a Microsoft engineer’s corporate account. That account had access to the debugging environment holding the crash dump, which Microsoft believes is how the group obtained the key; because of log retention policies the company has no logs directly evidencing the exfiltration, so it describes this as the most probable mechanism rather than a confirmed one. With the key in hand, the group could forge tokens, and that is what ultimately gave it access to email at the State Department and other arms of the U.S. government.

Exactly which and how many U.S. government agencies and departments had their email compromised has never been fully disclosed, but alongside the State Department, the Commerce Department has also been named as a victim.

Microsoft said its post-incident review has driven continued hardening of its systems as part of its defense-in-depth strategy, including investment in MSA key management.

To prevent a repeat, Microsoft says it has identified and fixed the race condition that allowed the signing key to be present in crash dumps, and has put enhanced prevention, detection and response in place for key material that does end up in a crash dump.
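A minimal version of that kind of crash-dump scan, written for this article as an added example rather than taken from Microsoft’s tooling: it matches the structural fingerprints of encoded private keys (PEM armour, DER PKCS#1 and PKCS#8 headers, a JWK carrying a private "d" member) and falls back to a byte-entropy heuristic for raw key bytes that have no encoding to match. The sample dump, the placeholder PEM and JWK, the window size and the entropy threshold are all constructed for the example.

```python
import hashlib
import math
import re
from typing import List, Tuple

# Byte patterns for key material that has no business being in a crash dump.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z ]*PRIVATE KEY)-----.*?-----END \1-----", re.DOTALL)
# PKCS#1 RSAPrivateKey in DER: SEQUENCE (long-form length) { INTEGER 0, INTEGER modulus (long-form length) ...
DER_PKCS1_RSA = re.compile(rb"\x30\x82..\x02\x01\x00\x02\x82", re.DOTALL)
# PKCS#8 PrivateKeyInfo in DER: SEQUENCE (long-form length) { INTEGER 0, SEQUENCE AlgorithmIdentifier ...
DER_PKCS8 = re.compile(rb"\x30\x82..\x02\x01\x00\x30", re.DOTALL)
# JSON Web Key that carries a private exponent/scalar "d".
JWK_PRIVATE = re.compile(rb'\{[^{}]*"kty"\s*:\s*"(?:RSA|EC|OKP)"[^{}]*"d"\s*:\s*"[A-Za-z0-9_-]+"[^{}]*\}')

SIGNATURES = (
    ("PEM private key", PEM_BLOCK),
    ("DER PKCS#1 RSA private key", DER_PKCS1_RSA),
    ("DER PKCS#8 private key", DER_PKCS8),
    ("private JWK", JWK_PRIVATE),
)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 for uniform random bytes, at most 6.0 for base64 text, ~4.5 for prose."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_dump(dump: bytes, window: int = 256, threshold: float = 6.5) -> List[Tuple[str, int, int]]:
    """Return (kind, start, end) findings. Encoded keys are matched structurally; raw key
    bytes with no recognisable encoding are caught by the entropy heuristic (a heuristic:
    compressed or encrypted data in the dump will also trip it and needs triage)."""
    findings = []
    for kind, pattern in SIGNATURES:
        for m in pattern.finditer(dump):
            findings.append((kind, m.start(), m.end()))
    # Non-overlapping windows; adjacent high-entropy windows are merged into one region.
    # The window must be large enough for the per-byte entropy estimate to be meaningful.
    pos = 0
    while pos + window <= len(dump):
        if shannon_entropy(dump[pos:pos + window]) < threshold:
            pos += window
            continue
        start = pos
        while pos + window <= len(dump) and shannon_entropy(dump[pos:pos + window]) >= threshold:
            pos += window
        findings.append(("high-entropy region", start, pos))
    return findings


def _prng_bytes(seed: bytes, n: int) -> bytes:
    # Deterministic stand-in for raw key bytes (a SHA-256 chain) so the example is reproducible.
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed crash dump: log text, a placeholder PEM block (not a real key), a placeholder
# private JWK, and 256 raw pseudo-random bytes standing in for unencoded key material.
# Each region is padded to the window size so the entropy windows line up with it.
FAKE_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\n"
            b"MIIEpAIBAAKCAQEAplaceholder/placeholder+placeholder==\n"
            b"-----END RSA PRIVATE KEY-----\n")
FAKE_JWK = b'{"kty":"RSA","kid":"msa-consumer-2016","n":"sXchDaQe","e":"AQAB","d":"placeholder"}'
SAMPLE_DUMP = (
    b"[signing-svc] worker 7 crashed: SIGSEGV\n".ljust(256, b"\x00")
    + FAKE_PEM.ljust(256, b"\x00")
    + FAKE_JWK.ljust(256, b"\x00")
    + _prng_bytes(b"constructed-sample", 256)
    + b"[signing-svc] dump written\n".ljust(256, b"\x00")
)

if __name__ == "__main__":
    for kind, start, end in scan_dump(SAMPLE_DUMP):
        print(f"{kind:28s} offsets {start:5d}-{end:5d}")
```

Run against the sample dump this reports the PEM block at offset 256, the JWK at 512 and a high-entropy region at 768-1024. In a real pipeline the scan gates the copy out of the production network, so a dump that trips it never reaches the corporate-side debugging environment at all.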

Microsoft has also improved its credential scanning to better detect signing keys in the debugging environment, and has released updated authentication libraries that automate key scope validation, the check that a token’s signing key is actually authorized for the issuer and audience the token claims.
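Key scope validation is the check that a signing key is trusted only for the issuer it belongs to, so that a consumer key cannot vouch for an enterprise identity even when its signature verifies. In the Storm-0558 case, tokens signed with the stolen consumer key were accepted for enterprise mailboxes, which is exactly the gap this check closes. The following is an added illustration, not Microsoft’s library code: a toy JWT-style verifier with HMAC-SHA256 standing in for the real asymmetric keys, hypothetical key IDs and issuer URLs, and a fixed clock. `verify_signature_only` is the weak check that accepts a token forged with a wrong-scope key; `verify_with_scope` rejects it.

```python
import base64
import hashlib
import hmac
import json

NOW = 1_690_000_000  # fixed clock so the example is deterministic

# Constructed key store. Real MSA and Azure AD signing keys are asymmetric (RSA); HMAC-SHA256
# stands in here so the example runs on the standard library. "scope" records which class of
# identity provider the key may sign for. Key IDs are hypothetical.
KEYS = {
    "msa-consumer-2016": {"secret": b"consumer-signing-key-material", "scope": "consumer"},
    "aad-enterprise-2023": {"secret": b"enterprise-signing-key-material", "scope": "enterprise"},
}

# Hypothetical issuer URLs mapped to the key scope that is allowed to sign their tokens.
ISSUER_SCOPE = {
    "https://consumer-idp.example": "consumer",
    "https://enterprise-idp.example/contoso": "enterprise",
}


class TokenRejected(Exception):
    pass


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(kid: str, claims: dict) -> str:
    """Sign a JWT-style token with the named key. Anyone holding the key material can do this,
    which is why a leaked signing key is a token-forgery primitive."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def _check_signature(token: str):
    """Shared step: resolve the key by kid and verify the signature. Returns (key record, claims)."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise TokenRejected("malformed token")
    header = json.loads(_unb64url(h))
    key = KEYS.get(header.get("kid"))
    if key is None or header.get("alg") != "HS256":
        raise TokenRejected("unknown key or algorithm")
    expected = hmac.new(key["secret"], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):
        raise TokenRejected("bad signature")
    return key, json.loads(_unb64url(p))


def verify_signature_only(token: str, expected_aud: str, now: int = NOW) -> dict:
    """Weak verifier: every key in the store is trusted for every issuer."""
    _, claims = _check_signature(token)
    if claims.get("aud") != expected_aud or claims.get("exp", 0) <= now:
        raise TokenRejected("audience or expiry")
    return claims


def verify_with_scope(token: str, expected_aud: str, now: int = NOW) -> dict:
    """Hardened verifier: the key that signed the token must be scoped for the token's issuer."""
    key, claims = _check_signature(token)
    if claims.get("aud") != expected_aud or claims.get("exp", 0) <= now:
        raise TokenRejected("audience or expiry")
    issuer_scope = ISSUER_SCOPE.get(claims.get("iss"))
    if issuer_scope is None or issuer_scope != key["scope"]:
        raise TokenRejected(f"key scope {key['scope']!r} may not sign for issuer {claims.get('iss')!r}")
    return claims


def is_accepted(verifier, token: str, expected_aud: str) -> bool:
    try:
        verifier(token, expected_aud)
        return True
    except TokenRejected:
        return False


ENTERPRISE_CLAIMS = {
    "iss": "https://enterprise-idp.example/contoso",
    "sub": "alice@contoso.example",
    "aud": "mail-api",
    "exp": NOW + 3600,
}
# An attacker holding only the consumer key mints a token that claims to be from the enterprise issuer.
FORGED = mint("msa-consumer-2016", ENTERPRISE_CLAIMS)
# The same claims signed by the key the enterprise issuer actually uses.
LEGIT = mint("aad-enterprise-2023", ENTERPRISE_CLAIMS)

if __name__ == "__main__":
    print("signature-only accepts forged:", is_accepted(verify_signature_only, FORGED, "mail-api"))  # True
    print("scope-checked accepts forged: ", is_accepted(verify_with_scope, FORGED, "mail-api"))      # False
    print("scope-checked accepts legit:  ", is_accepted(verify_with_scope, LEGIT, "mail-api"))       # True
```

The point of the design is that the scope decision is keyed on data the verifier controls (its own key store and issuer table), not on anything inside the token: the `kid` header only selects which key to try, and the token’s `iss` claim is only trusted after the signature has been checked against a key that is allowed to sign for that issuer.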

Image: Bing Image Creator
