Microsoft Signing Key Stolen by Chinese
Microsoft still doesn’t know — or want to share — how China-backed hackers stole a key that allowed them to stealthily break into dozens of email inboxes, including those belonging to several federal government agencies.
In a blog post Friday, Microsoft said it was a matter of “ongoing investigation” how the hackers obtained a Microsoft signing key that was abused to forge authentication tokens that allowed the hackers’ access to inboxes as if they were the rightful owners. Reports say targets include U.S. Commerce Secretary Gina Raimondo, U.S. State Department officials and other organizations not yet publicly revealed.
Dan Goodin (via Hacker News):
In standard parlance among security professionals, this means that Storm-0558 exploited zero-days in the Microsoft cloud services.
[…]
While both conditions are clearly met in the Storm-0558 intrusion, Friday’s post and twoothers Microsoft published Tuesday, bend over backward to avoid the words “vulnerability” or “zero-day.” Instead, the company uses considerably more amorphous terms such as “issue,” “error,” and “flaw” when attempting to explain how nation-state hackers tracked the email accounts of some of the company’s biggest customers.
[…]
A plain-English summary of the event would seem to be: Microsoft has patched three vulnerabilities in its cloud service that were discovered after Storm-0558 exploited them to gain access to customer accounts. It would also be helpful if Microsoft provided a tracking designation under the CVE (Common Vulnerabilities and Exposures) system the way other cloud companies do. So why doesn’t Microsoft do the same?
[…]
Besides being opaque about the root cause of the breach and its own role in it, Microsoft is under fire for withholding details that some of the victims could have used to detect the intrusion, something critics have called “pay-to-play security.”
Shir Tamari (via Hacker News):
Microsoft have said that Outlook.com and Exchange Online were the only applications known to have been affected via the token forging technique, but Wiz Research has found that the compromised signing key was more powerful than it may have seemed, and was not limited to just those two services. Our researchers concluded that the compromised MSA key could have allowed the threat actor to forge access tokens for multiple types of Azure Active Directory applications, including every application that supports personal account authentication, such as SharePoint, Teams, OneDrive, customers’ applications that support the “login with Microsoft” functionality, and multi-tenant applications in certain conditions.
Dan Goodin (via Hacker News):
The comments from Amit Yoran, chairman and CEO of Tenable, come six days after Sen. Ron Wyden (D-Ore.) blasted Microsoft for what he said were “negligent cybersecurity practices“ that enabled hackers backed by the Chinese government to steal hundreds of thousands of emails from cloud customers, including officials in the US Departments of State and Commerce. Microsoft has yet to provide key details about the mysterious breach, which involved the hackers obtaining an extraordinarily powerful encryption key granting access to a variety of its other cloud services. The company has taken pains ever since to obscure its infrastructure’s role in the mass breach.
[…]
Monday’s disclosure said that the firm notified Microsoft of the problem in March and that Microsoft reported 16 weeks later that it had been fixed. Tenable researchers told Microsoft that the fix was incomplete. Microsoft set the date for providing a complete fix to September 28.
“To give you an idea of how bad this is, our team very quickly discovered authentication secrets to a bank,” Yoran wrote.
A bunch of networks, including US Government networks, have been hacked by the Chinese. The hackers used forged authentication tokens to access user email, using a stolen Microsoft Azure account consumer signing key. Congress wants answers. The phrase “negligent security practices” is being tossed about—and with good reason. Master signing keys are not supposed to be left around, waiting to be stolen.
Actually, two things went badly wrong here. The first is that Azure accepted an expired signing key, implying a vulnerability in whatever is supposed to check key validity. The second is that this key was supposed to remain in the the system’s Hardware Security Module—and not be in software. This implies a really serious breach of good security practice. The fact that Microsoft has not been forthcoming about the details of what happened tell me that the details are really bad.
I believe this all traces back to SolarWinds.
Previously:
Update (2023-09-08): Microsoft (via Michael Love, Hacker News):
Our investigation found that a consumer signing system crash in April of 2021 resulted in a snapshot of the crashed process (“crash dump”). The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump (this issue has been corrected). The key material’s presence in the crash dump was not detected by our systems (this issue has been corrected).
We found that this crash dump, believed at the time not to contain key material, was subsequently moved from the isolated production network into our debugging environment on the internet connected corporate network. This is consistent with our standard debugging processes. Our credential scanning methods did not detect its presence (this issue has been corrected).
After April 2021, when the key was leaked to the corporate environment in the crash dump, the Storm-0558 actor was able to successfully compromise a Microsoft engineer’s corporate account. This account had access to the debugging environment containing the crash dump which incorrectly contained the key.
Microsoft has said that roughly 25 organizations had one or more of their accounts breached in the campaign, which began on May 15 and lasted until June 16. Microsoft wasn’t aware of the mass hack until a customer tipped it off.
"Microsoft Signing Key Stolen by Chinese"
Typical U.S. arrogance to blame someone else. In reality the only one to blame is Microsoft. Their crap code crashed, an employee got hacked and their signing code fucked up..