Chinese Hackers Raided US Government Email Accounts By Exploiting Microsoft Cloud Bug (techcrunch.com)
Chinese hackers exploited a flaw in Microsoft's cloud email service to gain access to the email accounts of U.S. government employees, the technology giant has confirmed. From a report: The hacking group, tracked as Storm-0558, compromised approximately 25 email accounts, including government agencies, as well as related consumer accounts linked to individuals associated with these organizations, according to Microsoft. [...]
Microsoft's investigation determined that Storm-0558, a China-based hacking group that the firm describes as a "well-resourced" adversary, gained access to email accounts using Outlook Web Access in Exchange Online (OWA) and Outlook.com by forging authentication tokens to access user accounts.
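The summary says the accounts were reached with forged authentication tokens, but not how a forged token gets accepted. The usual failure on the relying-party side is a validator that will honour a signature from any key it knows about, instead of only the key set bound to the issuer it expects. The following is an added example, not code from the article, TechCrunch or Microsoft, and it does not describe the mechanics of this specific incident. It uses a toy JWT-style token signed with HMAC-SHA256 so it runs offline with only the standard library; production tokens use asymmetric signatures and a published JWKS, but the validation mistake is the same. The issuer URLs, key IDs and secrets are constructed for the demo.

```python
"""Two token validators: one that looks `kid` up across every issuer's key
set (and so accepts a token forged with a *different* issuer's valid key),
and one that binds the key set to the expected issuer and checks the
standard claims. Added example; all keys and names are constructed."""
import base64
import hashlib
import hmac
import json
import time

CONSUMER = "https://login.example.com/consumer"      # constructed issuer
ENTERPRISE = "https://login.example.com/enterprise"  # constructed issuer

# Constructed key material: each issuer has its own key set, keyed by `kid`.
KEYS_BY_ISSUER = {
    CONSUMER: {"consumer-key-1": b"consumer-secret"},
    ENTERPRISE: {"ent-key-7": b"enterprise-secret"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(kid: str, key: bytes, claims: dict) -> str:
    """Mint a compact header.payload.signature token (HS256, toy only)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _split(token: str):
    h, p, s = token.split(".")
    return json.loads(_unb64url(h)), json.loads(_unb64url(p)), h + "." + p, _unb64url(s)


def _sig_ok(key: bytes, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def validate_weak(token: str, expected_aud: str) -> bool:
    """Flawed: `kid` is resolved against the union of all issuers' keys, so
    the `iss` claim is never tied to the key that actually signed the token."""
    header, claims, signing_input, sig = _split(token)
    all_keys = {k: v for ks in KEYS_BY_ISSUER.values() for k, v in ks.items()}
    key = all_keys.get(header.get("kid"))
    if key is None or not _sig_ok(key, signing_input, sig):
        return False
    return claims.get("aud") == expected_aud


def validate_strict(token: str, expected_iss: str, expected_aud: str, now=None) -> bool:
    """Fixed: pin the algorithm, check `iss` first, resolve `kid` only within
    that issuer's key set, then check audience and validity window."""
    now = time.time() if now is None else now
    header, claims, signing_input, sig = _split(token)
    if header.get("alg") != "HS256":        # no algorithm negotiation
        return False
    if claims.get("iss") != expected_iss:   # issuer decided before key lookup
        return False
    key = KEYS_BY_ISSUER.get(expected_iss, {}).get(header.get("kid"))
    if key is None or not _sig_ok(key, signing_input, sig):
        return False
    if claims.get("aud") != expected_aud:
        return False
    return claims.get("nbf", 0) <= now < claims.get("exp", 0)


def demo(now: int = 1_700_000_000) -> dict:
    """Attacker (constructed scenario) holds the consumer issuer's key and
    mints a token that *claims* to come from the enterprise issuer."""
    claims = {"iss": ENTERPRISE, "aud": "mail-api", "sub": "user@agency.example",
              "nbf": now - 60, "exp": now + 3600}
    forged = sign_token("consumer-key-1", b"consumer-secret", claims)
    legit = sign_token("ent-key-7", b"enterprise-secret", claims)
    expired = sign_token("ent-key-7", b"enterprise-secret", {**claims, "exp": now - 1})
    return {
        "forged_weak": validate_weak(forged, "mail-api"),
        "forged_strict": validate_strict(forged, ENTERPRISE, "mail-api", now),
        "legit_strict": validate_strict(legit, ENTERPRISE, "mail-api", now),
        "expired_strict": validate_strict(expired, ENTERPRISE, "mail-api", now),
    }


if __name__ == "__main__":
    print(demo())
```

The strict path orders the checks so that the issuer claim selects the key set before any signature is verified; a token whose `kid` points at a key the expected issuer never published fails closed regardless of whether the signature is mathematically valid under some other key the service happens to know.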
Don't worry, everything was PGP encrypted! (Score:4, Interesting)
Of course the reality is different, and very few people encrypt their emails, but maybe this can be a wake-up call? It won't, but it should be.
Re: (Score:2)
The ironic thing is that if something like a YubiKey was used to store the PGP key, PGP would be a very effective way to ensure mails are stored securely. For recovery purposes, an ADK could be added (and stored in an HSM) so if the user left the company, documents would still be decryptable.
Sometimes the simplest things are the best. I do wish YubiKey had more options for PGP/GPG key storage, like the ability to store multiple keys, but it does a good job at what it does, and provides not just a PIN, but
Re: (Score:2)
Re: (Score:2)
I'd also like to see some more work in PGP key storage devices, perhaps on the level of a HSM, where the PGP key can be backed up encrypted or transferred to a new HSM, but never stored in the clear. That way, one doesn't worry about losing everything if their key is lost, but an attacker would never have the ability to get the unprotected key material.
Because people, for the most part, rely on the magic lock icon and the mail provider to handle security, we wind up in these situations. I had similar happ
Re: (Score:2)
Where each device can add a validation, so not only do I have PGP, I have PGP-D (device) validation. Where my key vouches I should be X, but then each device can co-vouch against X. I'm at my desk, wit
Re: (Score:2)
The great thing about a captured audience full of clickbait addicts, is it only takes 25 compromised accounts that happen to "include" government agencies (meaning one account was found), which resulted in clickbait pimps going fucking batshit crazy and calling that shit a "raid" on the United States Government by "Chinese hackers".
It's unreal thinking about the truly ignorant shit History is going to be forced to document as the actual reason this planet will engage in yet another World War, but one thing
Fundamentally flawed technology (Score:2)
Active Directory is much like Sendmail.
Both of them theoretically can be secured but they have flawed architectures that make vulnerabilities likely. The best course of action if you have a well resourced adversary is to simply ban the product. I'd use Postfix or possibly Qmail instead of Sendmail, and I'd use something like Google's directory service over Active Directory.
At this point using Outlook and Active Directory in an environment with well resourced threat actors is just incompetence.
Re: (Score:2)
And you think these alternative products will withstand an attack by a foreign government? Good luck with that.
Re: Fundamentally flawed technology (Score:2)
Their security program is pretty extreme
Re: (Score:2)
There is no such thing as a totally secure system, physical or digital. There are always weak points, for those who are willing to spend enough money to find and exploit them. Bank vaults, Presidential safe rooms, NORAD--they can all be attacked. So can the best-designed digital security apparatus. Every system has tradeoffs, because in the end, you want authorized users to actually be able to *use* the system. And that always necessitates opening up holes in the otherwise airtight security. And government-
Re: (Score:2)
The best thing is defense in depth. You start with AD/AAD as one tier. The email gets sent to the recipient over a TLS protected connection, and the sender and receiver should have GPG or S/MIME keys, ideally on a YubiKey or other hardware device with a button on it. This way, the actual email messages are protected while sitting, they are further secured in flight, and AD/AAD provides authentication.
I'm surprised that S/MIME is not more common, as it forces an attacker to compromise an endpoint in order
Re: (Score:2)
Postfix is nice. Complex, but things make sense and you can ignore most of the complexity if you do not need it. Had to drop Qmail because of the insanity that DJB practiced back then (don't know whether he still does it) with regards to time management.
I believe the only sane thing you can do with AD and Outlook and Exchange is scrap them. Completely unfixable crap that creates much more problems than they solve.
Re: (Score:1)
...who have to trawl through all that inane drivel. Can you imagine the poor souls having to go through Lauren Boebert's & Marjorie Taylor Green's emails? That could arguably be considered a cruel & inhumane punishment.
While I understand your veiled attempt at humor, it highlights the fact that you have never had to endure the pain and suffering of living under a communist regime.
Fucking strange when Hitler invokes Godwin, while Mao invokes humor and ignorance.
Nobody ever got fired .... (Score:3)
I mean Amazon
I mean Oracle
I mean Peoplesoft
I mean SAS
I mean
Re: (Score:2)
This is an outrage! (Score:2)
The USA would never do anything like this!
How dare China do something like this to such a peaceful nation that never spies on anyone!
Transparency (Score:2)
Re: (Score:2)
Lol (Score:2)
And you wanted to award JEDI to these asshats?
aaand, will the US gov't do anything Back? No. (Score:1)
How to hire a white hat hacker (Score:1)
Digital Asset/USDT Recovery!!! (Score:1)