
Secure-by-design key management for risk remediation against Storm-0558 type attacks


Over the course of a month in May/June 2023, hundreds of thousands of emails belonging to Microsoft customers were exposed to a hacker labelled Storm-0558, probably located in China. Some 25 organizations were affected, including government agencies, civil society groups, and senior U.S. officials such as the U.S. secretary of commerce. This happened because of a chain of security failures in the security management system underlying Microsoft web services, as reported by Microsoft in September 2023:

  • An April 2021 snapshot of a signing system crash contained a Microsoft account (MSA) consumer signing key. The presence of the key in the snapshot went undetected by the system.
  • This “crash dump”, with the still undetected signing key inside it, was later moved from the protected network to the internet-connected corporate network.
  • It is assumed that the signing key then got into the hacker’s hands through a compromised Microsoft engineer’s corporate account – however, logs of this particular event do not seem to be available.
  • This MSA consumer key was used to sign an authentication token in lieu of an Azure AD key, exploiting a key scope validation error and thereby acquiring access to enterprise mail in the Outlook Web App (OWA) and Outlook.com.
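The last step in that chain is a validation flaw, not a cryptographic one: the forged token carried a valid signature, but from a key that was never authorized to sign for the enterprise issuer. The following is an added illustration of that class of defect and its fix, written for this article; it is not Microsoft's or Cryptomathic's code, and the key identifiers, secrets, issuer and audience URLs are constructed. It uses HMAC-signed JWT-style tokens so it runs with the standard library alone; the same key-to-scope binding applies to asymmetric signing keys. The vulnerable validator trusts any key in the shared key set as long as the signature verifies, so a consumer-scoped key can mint tokens the enterprise service accepts; the hardened validator additionally requires that the key named by `kid` is bound to the issuer the service expects, and records every rejection so the attempt is visible in audit logs.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key set for the illustration. Each key records the issuer it is
# allowed to sign for; a consumer key must never be accepted for enterprise tokens.
KEY_SET = {
    "msa-consumer-2021": {
        "secret": b"consumer-secret-demo",
        "issuer": "https://consumer-idp.example",
    },
    "aad-enterprise-2023": {
        "secret": b"enterprise-secret-demo",
        "issuer": "https://enterprise-idp.example/contoso",
    },
}
# Trust anchors of the (constructed) enterprise mail service.
EXPECTED_ISSUER = "https://enterprise-idp.example/contoso"
EXPECTED_AUDIENCE = "https://mail.example"

# Rejections are appended here so a detection pipeline can alert on them.
AUDIT_LOG: list[str] = []


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Mint an HS256 token with the named key (used here only to build samples)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEY_SET[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _verify_signature(token: str) -> tuple[dict, dict]:
    """Check the signature against the key named by kid; return (header, claims)."""
    h, c, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    key = KEY_SET.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key["secret"], f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    return header, json.loads(_b64url_decode(c))


def _check_claims(claims: dict) -> None:
    # Claims are attacker-controlled once the signing key is stolen, so these
    # checks alone cannot distinguish a forged token from a legitimate one.
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("issuer claim mismatch")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")


def validate_vulnerable(token: str) -> dict:
    """Scope-blind: any key in the shared key set is trusted for any issuer."""
    _, claims = _verify_signature(token)
    _check_claims(claims)
    return claims


def validate_hardened(token: str) -> dict:
    """Scope-aware: the signing key itself must be authorized for the expected issuer."""
    try:
        header, claims = _verify_signature(token)
        key_issuer = KEY_SET[header["kid"]]["issuer"]
        if key_issuer != EXPECTED_ISSUER:
            raise ValueError(f"key {header['kid']} (scope {key_issuer}) not authorized for {EXPECTED_ISSUER}")
        _check_claims(claims)
    except ValueError as err:
        AUDIT_LOG.append(f"token rejected: {err}")
        raise
    return claims


def demo() -> dict[tuple[str, str], str]:
    """Run a forged (consumer-key) and a legitimate token through both validators."""
    claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "user@contoso", "exp": time.time() + 3600}
    tokens = {"forged": sign_token("msa-consumer-2021", claims), "legit": sign_token("aad-enterprise-2023", claims)}
    results = {}
    for name, validator in (("vulnerable", validate_vulnerable), ("hardened", validate_hardened)):
        for label, token in tokens.items():
            try:
                validator(token)
                results[(name, label)] = "accepted"
            except ValueError:
                results[(name, label)] = "rejected"
    return results


if __name__ == "__main__":
    for outcome, verdict in demo().items():
        print(outcome, verdict)
    print(AUDIT_LOG)
```

The forged token passes every claim check because the attacker chooses the claims; only binding the key to its issuer at validation time stops it. Keeping the per-key scope in the key set (rather than in the token) also means a key that leaks via a crash dump or similar path cannot be repurposed outside the scope it was issued for, and the audit entry gives a detection hook independent of any premium logging tier.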

This breach was logged, but this logging feature was invisible to non-premium service subscribers, which likely contributed to the hack going unnoticed for an entire month.

Microsoft reports that all issues that led to this breach have been addressed, e.g. via changes to the MSA key management, to avoid future exploitation of crash dumps and scope validation issues. As announced last month, further post-incident hardening includes plans to move identity signing keys to an integrated Cloud HSM and to automate key rotation. Once implemented, this hopefully will keep Microsoft customers’ accounts safe.

Meanwhile, Cryptomathic provides secure-by-design mitigation measures against this kind of attack. Its key management offering delivers best-practice, crypto-agile key management where keys are protected for the entire key life-cycle, with centralized crypto policy enforcement, in scalable cryptographic hardware (HSMs) or cloud-based ESMs (Enclave Security Modules). It provides extensive tamper-proof logging, and a crypto-agile API to simplify utilization.

Click here and speak to our experts today and discover how we can help you protect your valuable and critical data.