Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Government Microsoft

How a Breached Microsoft Engineer Account Compromised the Email Accounts of US Officials (yahoo.com) 38

An anonymous reader shared this report from Bloomberg: China-linked hackers breached the corporate account of a Microsoft engineer and are suspected of using that access to steal a valuable key that enabled the hack of senior U.S. officials' email accounts, the company said in a blog post. The hackers used the key to forge authentication tokens to access email accounts on Microsoft's cloud servers, including those belonging to Commerce Secretary Gina Raimondo, Representative Don Bacon and State Department officials earlier this year.

The U.S. Cybersecurity and Infrastructure Security Agency and Microsoft disclosed the breach in June, but it was still unclear at the time exactly how hackers were able to steal the key that allowed them to access the email accounts. Microsoft said the key had been improperly stored within a "crash dump," which is data stored after a computer or application unexpectedly crashes...

The incident has brought fresh scrutiny to Microsoft's cybersecurity practices.

Microsoft's blog post says they corrected two conditions which allowed this to occur. First, "a race condition allowed the key to be present in the crash dump," and second, "the key material's presence in the crash dump was not detected by our systems." We found that this crash dump, believed at the time not to contain key material, was subsequently moved from the isolated production network into our debugging environment on the internet connected corporate network. This is consistent with our standard debugging processes. Our credential scanning methods did not detect its presence (this issue has been corrected).

After April 2021, when the key was leaked to the corporate environment in the crash dump, the Storm-0558 actor was able to successfully compromise a Microsoft engineer's corporate account. This account had access to the debugging environment containing the crash dump which incorrectly contained the key. Due to log retention policies, we don't have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key.

This discussion has been archived. No new comments can be posted.

How a Breached Microsoft Engineer Account Compromised the Email Accounts of US Officials

Comments Filter:
  • Why did the hackers try to break into Microsoft's email accounts?

    Because they wanted to find the secret recipe for "Micro-chicken" – the Colonel's tech-savvy cousin!

  • Name names.
  • by oblom ( 105 ) on Sunday September 10, 2023 @09:17PM (#63837962) Homepage

    You can see the classic attempt at controlling the bad PR while trying to keep the job:

    "This is consistent with our standard debugging processes. Our credential scanning methods did not detect its presence (this issue has been corrected).

    AKA, we f-ed up, but there's a procedure that was followed, which keeps the Legal away. Also, Marketing, calm down the customers please.

    As well as this masterpiece:

    "Due to log retention policies, we don't have logs with specific evidence of this exfiltration by this actor"

    AKA, IT budget ate my homework.

    • Re: (Score:3, Informative)

      You can see the classic attempt at controlling the bad PR while trying to keep the job:

      "This is consistent with our standard debugging processes. Our credential scanning methods did not detect its presence (this issue has been corrected).

      AKA, we f-ed up, but there's a procedure that was followed, which keeps the Legal away. Also, Marketing, calm down the customers please.

      As well as this masterpiece:

      "Due to log retention policies, we don't have logs with specific evidence of this exfiltration by this actor"

      AKA, IT budget ate my homework.

      I don't read this as evasive at all. Even just looking at your "masterpiece", it's very clear. They're not positive this is how the key was exfiltrated, but they're assuming it was. They're not hiding anything. They're even admitting that their procedures and technology were lacking.

      You can say a lot of bad stuff about Microsoft, but pretending this is some kind of damage-control doesn't seem genuine.

    • by misnohmer ( 1636461 ) on Monday September 11, 2023 @05:10AM (#63838446)
      You are sensationalizing it. All they are saying is nobody did anything malicious or negligent, since everyone followed a policy. No policy is perfect, especially in cyber-security. You find holes along the way and patch them. In this case they found a hole in their core dump scanning and a possible attack vector through which the engineer was compromised. Lessons learned were applied.

      This is no different than FAA and their air-worthiness or other rules and processes. They are set with the information we know. As more accidents happen, the FAA rules are amended, air travel safety evolves. If we waited to come up with perfect rules before allowing any planes to fly, no planes would be allowed to fly today.

      Bottom line is no processes or rules are perfect, ever. They continuously evolve as cracks show or needs change. Welcome to the real world.
    • Detailed logs of all of the internet traffic and file access of client workstations including remote workers going back 18 months is a lot to ask. I didn't keep it, back when I was a Sysadmin and IT manager.

    • by Bongo ( 13261 )

      Managing PR would be, noticing there was an easy exploit, and a convoluted five step exploit, and choosing to talk publicly about the convoluted one, whilst not saying it was the convoluted one, because "logging".

      The techniques of lying by omission, and misdirection, are common, and we all turn to them in times of need.

      Anyway, they seem to have admitted that their separate network is not in fact separate.

    • Count the number of times they admit an issue and add "(this issue has been corrected)". Jumping though that many issues across multiple networks including compromising the right employee is quite a feat, that is the eyebrow raising part for me. Feels like they are missing something, and time will tell.

      • by Ksevio ( 865461 )

        A lot of issues seem to have been responsible for it, but it also seems like the attacker got lucky, infiltrated a machine and found a log dump with a key in it

  • by Rosco P. Coltrane ( 209368 ) on Sunday September 10, 2023 @09:23PM (#63837976)

    I've said it for years: private companies using the cloud instead of doing their own IT themselves is bad enough. But when the military and the government farm out their IT needs to incompetent big data companies, this happens.

    If any organizations desperately need to roll out and control their own IT infrastructure and services to guaranty the integrity of the sensitive data they deal with, it's them...

    • by gtall ( 79522 ) on Monday September 11, 2023 @04:43AM (#63838440)

      The farming out started under Reagan. He thought that government shouldn't be doing what private industry could do. So he trusted those nice Beltway Bandits to do the right thing. It's amazing how gormless he was.

      Now if you try to staff up government, there's bleating about the "deep state". Expertise is now seen as suspect. Science is easily denied because the social megaphones are so loud. The general feeling the bleaters have is that they themselves would do what they are bleating about were they in those government positions.

      Working in government is no cakewalk. A good part of the public believes in UFOs, unfounded conspiracy theories, that science is some dodge to get grants, etc. That EPA trying to keep their water clean is a nefarious plot. Now the latest rage is to believe vaccination against COVID is somehow tied to taking their guns. This is what America has come to: denying vaccination works against a serious disease when the studies all show the vaccines do work.

    • Despite this breach I contend that over 95% of companies will get better security hosting their IT with Microsoft than they would trying to host it themselves. Most don't have the time, money, or interest required to onboard and retain the necessary staff, or the expertise to even write down the requirements of such a project.

      Even if the government were to try and bring this infrastructure in house, how would they do it? Probably my making a call to a third party contractor to come in, implement it, and m

      • by Bert64 ( 520050 )

        Most likely yes, but you also create a single target for everyone to aim at.
        If you have thousands of companies each doing their own thing they all need to be attacked individually, a compromise of one has no effect on any others. Some may even end up fairly secure just out of blind luck.

        • by sconeu ( 64226 )

          That's indeed the problem. GP is correct that it's likely got better security (assuming MS knows what they're doing), but Parent is also correct, in that you now have a single point of failure for EVERYTHING.

          As always, it's a risk/reward tradeoff.

      • Despite this breach I contend that over 95% of companies will get better security hosting their IT with Microsoft than they would trying to host it themselves.

        Cloud breach after cloud breach has taught you nothing?

    • Re: (Score:2, Interesting)

      by necro81 ( 917438 )

      But when the military and the government farm out their IT needs to incompetent big data companies, this happens.

      And when the government-owned and operated infrastructure gets hacked, the same folks saying that (like you) will inevitably start complaining "Private companies should be doing this, they're the experts! Roll your own at your peril!"

    • by AmiMoJo ( 196126 ) on Monday September 11, 2023 @07:58AM (#63838658) Homepage Journal

      If ransomware has taught us anything it's that in-housing IT is often a bad idea. It relies on being able to employ skilled and competent staff, and most non-IT people don't even know how to evaluate such things. They best they can do is cover their arses by requiring some worthless certifications.

      You don't see Azure cloud being wiped out by a ransomware attack, or mass hacked due to some bad configuration. What we have here is a scenario that required waiting for a very specific set of circumstances to coincide, and which they anticipated and tried to plan for. I doubt many corporate IT departments could have done even half as well.

    • by brunes69 ( 86786 )

      If you think that government employees would have done a better job, then I have a bridge to sell you in New York.

  • "fresh scrutiny to Microsoft's cybersecurity practices". Yeah, lol! Funny how there was added the word fresh, as to give some hope. When has any scrutiny of that given any results? That organisation does not care, when will people learn? Get out of their claws, what are you waiting for?
  • Help me out here (Score:2, Interesting)

    by martinX ( 672498 )

    Does this mean that the MS engineer possessed, as part of his day-to-day work, the tools to read these emails himself?

    • Re:Help me out here (Score:4, Informative)

      by Chuck Chunder ( 21021 ) on Sunday September 10, 2023 @10:27PM (#63838062) Journal
      Happy to help, you can find a short summary and links with more detail here [slashdot.org]
    • Re: (Score:3, Interesting)

      by micheas ( 231635 )

      Does this mean that the MS engineer possessed, as part of his day-to-day work, the tools to read these emails himself?

      Yes, which goes to a failure of the entire Exchange/Office 365 architecture.

      I don't understand how using Exchange/Office 365 for directory services isn't viewed as base level incompetent from a security perspective. It's like using sendmail instead of postfix or qmail. RedHat/IBM and Google have replacements that are falsely advertised as drop in replacements for active directory that don't have the security history that active directory has. I just don't get how any security audit would fail to flag thi

  • Someone fucked up and c suite need to go
  • Microsoft said the key had been improperly stored within a "crash dump,"

    I think it's time to come up with secure memory segments that are automatically encrypted and aren't included in crash dumps. Programming languages could add a keyword to indicate variables that should be stored in that region of memory.

    • In the MS post it says the keys weren't supposed to be in the dump. I wonder if that means they've implemented something along these lines? I don't know.

      Hardware-based solutions exist for high value crypto keys exist, where the key never leaves the dedicated hardware and any app that uses it would have to ask it to perform the signing operation. Perhaps something like that would be more appropriate for this application?

  • "Our credential scanning methods did not detect its presence (this issue has been corrected)."

    Scanning binary blobs for sensitive information will always be a heuristic prone to false negatives and false positives. It's a good tactic but not the right solution to this problem. The real bug here is that they were using what seems like a very sensitive signing key held in memory, rather than a one held in a Hardware Security Module (HSM). That key should have been created in the HSM and done all it's signing

If all the world's economists were laid end to end, we wouldn't reach a conclusion. -- William Baumol

Working...