[German]Is Microsoft and its handling of vulnerabilities in its products now the "top cyber risk"? The hack of Microsoft Azure services by the suspected Chinese group Storm-0558, made possible by a stolen private MSA key, seems to have been the straw that broke the camel's back. U.S. senators have brought the incident and Microsoft's irresponsible handling of security to the table in a hissy letter to U.S. institutions, demanding investigations or consequences.
Desaster: Microsofts Azure Cloud Hack
The ast straw that seems to have broken the camel's back is the intrusion of attackers into Exchange Online and outlook.com accounts. At first, all that was known was that the suspected China-based hacker group Storm-0558 had managed to attack the Microsoft cloud. It was said that in June 2023, the group had managed to gain access to email accounts stored in the Microsoft Cloud belonging to about 25 organizations. These include government agencies (US Department of State), as well as corresponding private accounts of people who are likely to be associated with these organizations.
The incident became explosive because Microsoft, dressed up in a lot of text, had to admit that the attackers came into possession of a private (MSA) customer key for Microsoft accounts. This MSA key could be used to generate (forge) security tokens. But these security tokens could not only be used for private Microsoft accounts (e.g. Outlook.com). Due to bugs in the Azure services code, the security tokens were not verified correctly and allowed access to Azure AD accounts (now called IntraID accounts).
I had reported about that incidend in the blog postChina hacker (Storm-0558) accessed Outlook accounts in Microsoft's cloud. In a 2nd post Follow-up to the Storm-0558 cloud hack: Microsoft is still in the dark I reported further details that were made public by Microsoft in a follow-up post.
The issue became even more explosive when security researchers at Wiz made it public that the compromised Microsoft key is a "skeleton key" that can be used for Microsoft's MSA tenant in Azure. This not only opens up access to outlook.com and Exchange Online, but also allowed security tokens to be generated for Azure applications. The conclusion to be drawn from this is that the entire Azure services, including Azure apps, must be considered compromised since this incident. I had taken up this issue in the 3rd blog post Stolen AAD key allowed (Storm-0558) wide-ranging access to Microsoft cloud services. The attackers had been on the Microsoft cloud since at least May 2023.
US Senator Ron Wyden attacks Microsoft
Daniela had already pointed out to me on Monday, July 31, 2023, that the above case will not simply disappear under the carpet without a sound. There is a harsh letter (PDF) from U.S. Senator Ron Wyden, which has been send to Attorney General Merrick Garland (DOJ), Federal Trade Commission (FTC) Chairwoman Lina Khan, and Director of the Cyber Authority (CISA) Jen Easterly. Wyden accuses Microsoft of negligent handling of security issues.
Hair-raising details of security incident
In his letter, the U.S. senator Ryden published some hair-raising information that I had not previously been aware of and that Microsoft had not communicated. Even with the few details that have come to light so far, Microsoft bears significant responsibility for this new incident, the letter says. Here is a list of "the horror":
- Microsoft should never have had a single "master key" that could be used in the event of theft to allow access to various customers' private communications through forged tokens.
- After the SolarWinds incident, Microsoft had hifhglighted the importance of storing such keys in a high-security module (HSM) to prevent theft. According to the letter, the private MSA key was moved to a "hardened key store for Microsoft's enterprise systems" after the incident. That raises legitimate questions about the company's reliability and whether it is complying with its own security policies.
- The MSA key used in the above hack was created by Microsoft in 2016 and expires in 2021. It is incredible and inexplicable that this expired MSA key could be used to generate security tokens (suggests the code used for verification, in which Microsoft has now closed three vulnerabilities).
In the letter, Senator Wyden then also writes that federal cybersecurity guidelines, industry best practices, and Microsoft's own recommendations to customers dictate that such keys must be renewed more frequently because they could be compromised, has been violated. Authentication tokens signed with an expired key should never be accepted as valid. The senator say that Microsoft engineers should never have set up systems that violate such basic cybersecurity principles. And Microsoft's security culture prevented these obvious vulnerabilities from coming to light during internal and external security audits.
Security risk Microsoft
The fact that these vulnerabilities were not discovered, according to the U.S. Senator, raises the question of what other serious cybersecurity flaws the auditors also overlooked. As a result, virtually the entire Microsoft cloud must be considered compromised in principle. Ultimately, it would now have to be "throw out the stuff, the provider is not reliable because it has had the central key with access to everything stolen".
US Congress is investigating
Addendum: I just read in this article that both chambers of the US Congress (Senate, House of Representatives) are investigating the "email hack" at Microsoft. The trigger was the above mentioned letter of the US Senator.
China hacker (Storm-0558) accessed Outlook accounts in Microsoft's cloud
Follow-up to the Storm-0558 cloud hack: Microsoft is still in the dark
Stolen AAD key allowed (Storm-0558) wide-ranging access to Microsoft cloud services
Microsoft as a Security Risk? U.S. senator calls for Microsoft to be held accountable over Azure cloud hack– Part 1
Microsoft as a Security Risk? Azure vulnerability unpatched since March 2023, heavy criticism from Tenable – Part 2
Cookies helps to fund this blog: Cookie settings