How a Breached Microsoft Engineer Account Compromised the Email Accounts of US Officials (yahoo.com)
An anonymous reader shared this report from Bloomberg:
China-linked hackers breached the corporate account of a Microsoft engineer and are suspected of using that access to steal a valuable key that enabled the hack of senior U.S. officials' email accounts, the company said in a blog post. The hackers used the key to forge authentication tokens to access email accounts on Microsoft's cloud servers, including those belonging to Commerce Secretary Gina Raimondo, Representative Don Bacon and State Department officials earlier this year.
The U.S. Cybersecurity and Infrastructure Security Agency and Microsoft disclosed the breach in June, but it was still unclear at the time exactly how hackers were able to steal the key that allowed them to access the email accounts. Microsoft said the key had been improperly stored within a "crash dump," which is data stored after a computer or application unexpectedly crashes...
The incident has brought fresh scrutiny to Microsoft's cybersecurity practices.
Microsoft's blog post says it corrected two conditions that allowed this to occur: first, "a race condition allowed the key to be present in the crash dump," and second, "the key material's presence in the crash dump was not detected by our systems." The post continues: "We found that this crash dump, believed at the time not to contain key material, was subsequently moved from the isolated production network into our debugging environment on the internet connected corporate network. This is consistent with our standard debugging processes. Our credential scanning methods did not detect its presence (this issue has been corrected)."
"After April 2021, when the key was leaked to the corporate environment in the crash dump, the Storm-0558 actor was able to successfully compromise a Microsoft engineer's corporate account. This account had access to the debugging environment containing the crash dump which incorrectly contained the key. Due to log retention policies, we don't have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key."
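The two conditions above (key material landing in a crash dump, and a credential scanner that did not notice it) are worth making concrete. What follows is an added example, not code from Microsoft's post or from the Bloomberg report: a small scanner in C that runs over a constructed 4 KiB "crash dump" and looks for private-key material in both the PEM text form that most secret scanners match and the binary DER form a key usually has once it is loaded into process memory. The dump contents, the offsets 1000 and 3000, and the names scan_dump and build_constructed_dump are assumptions made for this example; the DER byte patterns are the standard PKCS#1 RSAPrivateKey and PKCS#8 PrivateKeyInfo prefixes for keys of 2048 bits and up.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A byte signature for private-key material. mask[i] == 0x00 makes pat[i]
 * a wildcard; a NULL mask means every byte must match exactly. */
typedef struct {
    const char    *kind;
    const uint8_t *pat;
    const uint8_t *mask;
    size_t         len;
    int            is_der;   /* 1 = binary DER structure, 0 = PEM text marker */
} keysig_t;

/* Text markers: what a typical secret scanner keys on. */
static const uint8_t PEM_RSA[]   = "-----BEGIN RSA PRIVATE KEY-----";
static const uint8_t PEM_PKCS8[] = "-----BEGIN PRIVATE KEY-----";
static const uint8_t PEM_EC[]    = "-----BEGIN EC PRIVATE KEY-----";

/* Binary DER, the form a key has once it is parsed into process memory.
 * PKCS#1 RSAPrivateKey: SEQUENCE (2-byte length), INTEGER version = 0,
 * INTEGER modulus (2-byte length, i.e. a modulus of 256 bytes or more).
 * The length bytes are wildcards. 1024-bit keys use 1-byte (0x81) lengths
 * and would need a second pattern. */
static const uint8_t DER_RSA[]      = {0x30,0x82,0x00,0x00,0x02,0x01,0x00,0x02,0x82};
static const uint8_t DER_RSA_MASK[] = {0xff,0xff,0x00,0x00,0xff,0xff,0xff,0xff,0xff};
/* PKCS#8 PrivateKeyInfo wrapping the rsaEncryption OID 1.2.840.113549.1.1.1.
 * A PKCS#8 blob also contains a PKCS#1 structure a few bytes further in,
 * so a real dump may produce a nested hit for the same key. */
static const uint8_t DER_PKCS8[] = {0x30,0x82,0x00,0x00,0x02,0x01,0x00,0x30,0x0d,0x06,0x09,0x2a,
                                    0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01,0x05,0x00,0x04,0x82};
static const uint8_t DER_PKCS8_MASK[] = {0xff,0xff,0x00,0x00,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
                                         0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff};

static const keysig_t SIGS[] = {
    {"PEM RSA PRIVATE KEY",       PEM_RSA,   NULL,           sizeof PEM_RSA - 1,   0},
    {"PEM PRIVATE KEY",           PEM_PKCS8, NULL,           sizeof PEM_PKCS8 - 1, 0},
    {"PEM EC PRIVATE KEY",        PEM_EC,    NULL,           sizeof PEM_EC - 1,    0},
    {"DER PKCS#1 RSAPrivateKey",  DER_RSA,   DER_RSA_MASK,   sizeof DER_RSA,       1},
    {"DER PKCS#8 PrivateKeyInfo", DER_PKCS8, DER_PKCS8_MASK, sizeof DER_PKCS8,     1},
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

typedef struct { const char *kind; size_t offset; } keyhit_t;

static int match_at(const uint8_t *p, const keysig_t *s) {
    for (size_t i = 0; i < s->len; i++) {
        uint8_t m = s->mask ? s->mask[i] : 0xff;
        if ((p[i] & m) != (s->pat[i] & m)) return 0;
    }
    return 1;
}

/* Scan buf for key material. include_der == 0 mimics a text-only secret
 * scanner. Hits are reported in offset order; returns the number found. */
int scan_dump(const uint8_t *buf, size_t len, int include_der, keyhit_t *hits, int max_hits) {
    int n = 0;
    for (size_t off = 0; off < len; off++) {
        for (size_t k = 0; k < NSIGS; k++) {
            const keysig_t *s = &SIGS[k];
            if (s->is_der && !include_der) continue;
            if (off + s->len > len) continue;
            if (match_at(buf + off, s)) {
                if (n < max_hits) { hits[n].kind = s->kind; hits[n].offset = off; }
                n++;
                break;   /* one report per offset */
            }
        }
    }
    return n;
}

/* Constructed 4 KiB "crash dump": deterministic filler, a PKCS#1 RSA header
 * at offset 1000 and a PEM marker at offset 3000. Not a real dump. */
#define DUMP_LEN 4096
size_t build_constructed_dump(uint8_t *dump) {
    for (size_t i = 0; i < DUMP_LEN; i++) dump[i] = (uint8_t)(i * 31 + 7);
    const uint8_t rsa_hdr[] = {0x30,0x82,0x04,0xa4,0x02,0x01,0x00,0x02,0x82,0x01,0x01,0x00,0xc1};
    memcpy(dump + 1000, rsa_hdr, sizeof rsa_hdr);
    memcpy(dump + 3000, PEM_RSA, sizeof PEM_RSA - 1);
    return DUMP_LEN;
}

int main(void) {
    uint8_t dump[DUMP_LEN];
    keyhit_t hits[8];
    size_t n = build_constructed_dump(dump);
    int found = scan_dump(dump, n, 1, hits, 8);
    for (int i = 0; i < found && i < 8; i++)
        printf("offset %zu: %s\n", hits[i].offset, hits[i].kind);
    printf("text-only scanner would report %d hit(s)\n", scan_dump(dump, n, 0, hits, 8));
    return 0;
}
```

With include_der set to 0 only the PEM marker at offset 3000 is reported; with it set to 1 the DER header at offset 1000 shows up as well. A scanner that only knows text markers is the failure mode the post describes: a key sitting in a memory dump is a parsed structure, not a string. The patterns here match leading bytes only, so a production scanner would go on to parse the DER length fields and confirm the structure before raising an alert.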
ChatGPT's jokes are getting better. Maybe (Score:1, Offtopic)
Why did the hackers try to break into Microsoft's email accounts?
Because they wanted to find the secret recipe for "Micro-chicken" – the Colonel's tech-savvy cousin!
Who (Score:2)
Re: (Score:3)
Name names.
Ned Isakoff.
This one is a classic (Score:5, Insightful)
You can see the classic attempt at controlling the bad PR while trying to keep the job:
"This is consistent with our standard debugging processes. Our credential scanning methods did not detect its presence (this issue has been corrected)."
AKA, we f-ed up, but there's a procedure that was followed, which keeps the Legal away. Also, Marketing, calm down the customers please.
As well as this masterpiece:
"Due to log retention policies, we don't have logs with specific evidence of this exfiltration by this actor"
AKA, IT budget ate my homework.
Re: (Score:3, Informative)
You can see the classic attempt at controlling the bad PR while trying to keep the job:
"This is consistent with our standard debugging processes. Our credential scanning methods did not detect its presence (this issue has been corrected)."
AKA, we f-ed up, but there's a procedure that was followed, which keeps the Legal away. Also, Marketing, calm down the customers please.
As well as this masterpiece:
"Due to log retention policies, we don't have logs with specific evidence of this exfiltration by this actor"
AKA, IT budget ate my homework.
I don't read this as evasive at all. Even just looking at your "masterpiece", it's very clear. They're not positive this is how the key was exfiltrated, but they're assuming it was. They're not hiding anything. They're even admitting that their procedures and technology were lacking.
You can say a lot of bad stuff about Microsoft, but pretending this is some kind of damage-control doesn't seem genuine.
Re:This one is a classic (Score:4, Insightful)
This is no different than FAA and their air-worthiness or other rules and processes. They are set with the information we know. As more accidents happen, the FAA rules are amended, air travel safety evolves. If we waited to come up with perfect rules before allowing any planes to fly, no planes would be allowed to fly today.
Bottom line is no processes or rules are perfect, ever. They continuously evolve as cracks show or needs change. Welcome to the real world.
Re: (Score:2)
Detailed logs of all of the internet traffic and file access of client workstations including remote workers going back 18 months is a lot to ask. I didn't keep it, back when I was a Sysadmin and IT manager.
Re: (Score:2)
Managing PR would be, noticing there was an easy exploit, and a convoluted five step exploit, and choosing to talk publicly about the convoluted one, whilst not saying it was the convoluted one, because "logging".
The techniques of lying by omission, and misdirection, are common, and we all turn to them in times of need.
Anyway, they seem to have admitted that their separate network is not in fact separate.
Re: (Score:2)
Count the number of times they admit an issue and add "(this issue has been corrected)". Jumping through that many issues across multiple networks including compromising the right employee is quite a feat, that is the eyebrow raising part for me. Feels like they are missing something, and time will tell.
Re: (Score:2)
A lot of issues seem to have been responsible for it, but it also seems like the attacker got lucky, infiltrated a machine and found a log dump with a key in it
Re: (Score:1)
Blaming MS because 3rd party consumers of their software embedded it in PLCs making it virtually impossible to retire in any meaningful timeframe.....
You have serious reality issues. I suspect the drugs don't work.
Re: (Score:2)
Backwards compatibility is their biggest selling point, giving that up would be business suicide.
If they dropped backwards compatibility such that you had to migrate all of your applications and data anyway, why would you buy the new incompatible MS product rather than a free option like linux?
Well color me surprised... (Score:5, Insightful)
I've said it for years: private companies using the cloud instead of doing their own IT themselves is bad enough. But when the military and the government farm out their IT needs to incompetent big data companies, this happens.
If any organizations desperately need to roll out and control their own IT infrastructure and services to guarantee the integrity of the sensitive data they deal with, it's them...
Re: (Score:2)
Of course I have a job! A well-paid, cushy job that leaves me plenty of free time to do other things :)
I know Amazon fulfillment center workers don't have that luxury, but don't be jealous...
Re: (Score:2)
Without guys like him, slashdot would have no content.
Re:Well color me surprised... (Score:5, Insightful)
The farming out started under Reagan. He thought that government shouldn't be doing what private industry could do. So he trusted those nice Beltway Bandits to do the right thing. It's amazing how gormless he was.
Now if you try to staff up government, there's bleating about the "deep state". Expertise is now seen as suspect. Science is easily denied because the social megaphones are so loud. The general feeling the bleaters have is that they themselves would do what they are bleating about were they in those government positions.
Working in government is no cakewalk. A good part of the public believes in UFOs, unfounded conspiracy theories, that science is some dodge to get grants, etc. That EPA trying to keep their water clean is a nefarious plot. Now the latest rage is to believe vaccination against COVID is somehow tied to taking their guns. This is what America has come to: denying vaccination works against a serious disease when the studies all show the vaccines do work.
Re: (Score:2)
Despite this breach I contend that over 95% of companies will get better security hosting their IT with Microsoft than they would trying to host it themselves. Most don't have the time, money, or interest required to onboard and retain the necessary staff, or the expertise to even write down the requirements of such a project.
Even if the government were to try and bring this infrastructure in house, how would they do it? Probably by making a call to a third party contractor to come in, implement it, and m
Re: (Score:2)
Most likely yes, but you also create a single target for everyone to aim at.
If you have thousands of companies each doing their own thing they all need to be attacked individually, a compromise of one has no effect on any others. Some may even end up fairly secure just out of blind luck.
Re: (Score:2)
That's indeed the problem. GP is correct that it's likely got better security (assuming MS knows what they're doing), but Parent is also correct, in that you now have a single point of failure for EVERYTHING.
As always, it's a risk/reward tradeoff.
Re: (Score:2)
Despite this breach I contend that over 95% of companies will get better security hosting their IT with Microsoft than they would trying to host it themselves.
Cloud breach after cloud breach has taught you nothing?
Re: (Score:2, Interesting)
And when the government-owned and operated infrastructure gets hacked, the same folks saying that (like you) will inevitably start complaining "Private companies should be doing this, they're the experts! Roll your own at your peril!"
Re:Well color me surprised... (Score:4, Insightful)
If ransomware has taught us anything it's that in-housing IT is often a bad idea. It relies on being able to employ skilled and competent staff, and most non-IT people don't even know how to evaluate such things. The best they can do is cover their arses by requiring some worthless certifications.
You don't see Azure cloud being wiped out by a ransomware attack, or mass hacked due to some bad configuration. What we have here is a scenario that required waiting for a very specific set of circumstances to coincide, and which they anticipated and tried to plan for. I doubt many corporate IT departments could have done even half as well.
Re: (Score:2)
If you think that government employees would have done a better job, then I have a bridge to sell you in New York.
Re: (Score:2)
^ This is exactly right.
fresh scrutiny (Score:2)
Help me out here (Score:2, Interesting)
Does this mean that the MS engineer possessed, as part of his day-to-day work, the tools to read these emails himself?
Re:Help me out here (Score:4, Informative)
Re: (Score:3, Interesting)
Does this mean that the MS engineer possessed, as part of his day-to-day work, the tools to read these emails himself?
Yes, which goes to a failure of the entire Exchange/Office 365 architecture.
I don't understand how using Exchange/Office 365 for directory services isn't viewed as base level incompetent from a security perspective. It's like using sendmail instead of postfix or qmail. RedHat/IBM and Google have replacements that are falsely advertised as drop in replacements for active directory that don't have the security history that active directory has. I just don't get how any security audit would fail to flag thi
Ok who was fired (Score:2)
Secure Memory (Score:2)
I think it's time to come up with secure memory segments that are automatically encrypted and aren't included in crash dumps. Programming languages could add a keyword to indicate variables that should be stored in that region of memory.
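The memory region the comment above asks for already exists at the OS level on Linux, and the following added example (not from the page's commenters, Microsoft or any project) shows the mechanism in C: an anonymous mapping that is locked in RAM with mlock() so it is never swapped, marked with madvise(MADV_DONTDUMP) so the kernel leaves it out of core dumps, and zeroed through volatile stores before it is unmapped. The struct and function names (secret_buf_t, secret_alloc, secret_free, demo_roundtrip) and the 32-byte placeholder "key" are assumptions for the example; nothing here claims this is what Microsoft's code does or did not do.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* A page-aligned buffer for secrets: locked in RAM (no swap) and marked so
 * the kernel leaves it out of core dumps. */
typedef struct {
    uint8_t *ptr;
    size_t   len;      /* mapped bytes, rounded up to whole pages */
    int      locked;   /* 1 if mlock() succeeded */
    int      no_dump;  /* 1 if MADV_DONTDUMP was applied (Linux 3.4 and later) */
} secret_buf_t;

/* Volatile stores so the compiler cannot remove the wipe as a dead store. */
static void wipe(volatile uint8_t *p, size_t n) {
    while (n--) *p++ = 0;
}

int secret_alloc(secret_buf_t *s, size_t want) {
    long pg = sysconf(_SC_PAGESIZE);
    if (pg <= 0 || want == 0) return -1;
    size_t len = ((want + (size_t)pg - 1) / (size_t)pg) * (size_t)pg;
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    s->ptr = p;
    s->len = len;
    s->locked = (mlock(p, len) == 0);
#ifdef MADV_DONTDUMP
    s->no_dump = (madvise(p, len, MADV_DONTDUMP) == 0);
#else
    s->no_dump = 0;   /* this platform has no per-mapping dump exclusion */
#endif
    return 0;
}

/* A key holder should refuse to load a key unless both protections took effect. */
int secret_is_hardened(const secret_buf_t *s) {
    return s->ptr != NULL && s->locked && s->no_dump;
}

/* Zero the buffer, verify the zeroing, then unmap. Returns 1 if it was clean. */
int secret_free(secret_buf_t *s) {
    if (!s->ptr) return 0;
    wipe(s->ptr, s->len);
    int clean = 1;
    for (size_t i = 0; i < s->len; i++)
        if (s->ptr[i] != 0) clean = 0;
    munlock(s->ptr, s->len);
    munmap(s->ptr, s->len);
    s->ptr = NULL;
    s->len = 0;
    return clean;
}

/* Round-trip a constructed 32-byte placeholder (not a real key). Returns 1 on success. */
int demo_roundtrip(void) {
    secret_buf_t s;
    uint8_t key[32];
    for (int i = 0; i < 32; i++) key[i] = (uint8_t)(0xA0 + i);
    if (secret_alloc(&s, sizeof key) != 0) return 0;
    memcpy(s.ptr, key, sizeof key);
    int ok = (memcmp(s.ptr, key, sizeof key) == 0);
    wipe(key, sizeof key);   /* the stack copy has to go too */
    return ok && secret_free(&s);
}

int main(void) {
    secret_buf_t s;
    if (secret_alloc(&s, 64) != 0) { perror("mmap"); return 1; }
    printf("locked=%d no_dump=%d hardened=%d\n", s.locked, s.no_dump, secret_is_hardened(&s));
    secret_free(&s);
    return demo_roundtrip() ? 0 : 1;
}
```

The caveat is in the last line of demo_roundtrip: MADV_DONTDUMP protects only the mappings you mark. Any copy the process makes into ordinary memory, whether a serialization buffer, a log formatter's scratch space, or a stack array like the one wiped above, is still written into the dump, which is exactly the kind of race a "the key should not have been in there" finding points at. That is why the replies' suggestion of keeping the key in dedicated hardware, where there is no in-process copy to leak, is the stronger fix.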
Re: (Score:2)
In the MS post it says the keys weren't supposed to be in the dump. I wonder if that means they've implemented something along these lines? I don't know.
Hardware-based solutions exist for high value crypto keys, where the key never leaves the dedicated hardware and any app that uses it would have to ask it to perform the signing operation. Perhaps something like that would be more appropriate for this application?
Security Hardware (Score:2)
"Our credential scanning methods did not detect its presence (this issue has been corrected)."
Scanning binary blobs for sensitive information will always be a heuristic prone to false negatives and false positives. It's a good tactic but not the right solution to this problem. The real bug here is that they were using what seems like a very sensitive signing key held in memory, rather than one held in a Hardware Security Module (HSM). That key should have been created in the HSM and done all its signing