Microsoft: how the Chinese hacked us

Bugs and coincidences appear to have allowed the Chinese hacking group Storm-0558 to steal an MSA private key from Microsoft and gain access to the accounts of various organizations as well as US government agencies.

The full extent of the breach is currently unknown, as the MSA key allowed the hacking team to access almost any cloud account at Microsoft.


Microsoft has published the results of its research on the specific topic on the MSRC blog.

But the company's analysis reads like a poorly written script: it presents a chain of events that allowed the hacking team to obtain the key and then use it to access online accounts.

Let's see what happened according to Microsoft.

A consumer signing system stopped working in April 2021. This resulted in the creation of a crash dump (a file that records why the service stopped working). These crash dumps should not include sensitive information such as signing keys, but in this particular case, the signing key was present in the crash dump.

The security systems did not detect the presence of the key. All of this happened in a "highly isolated and restricted production environment", according to Microsoft. Employee controls include background checks, dedicated accounts, secure access workstations and hardware-token, device-based multi-factor authentication. The environment itself does not allow the use of email, conferencing, web and other collaboration tools.

If the crash dump remained in such an isolated environment, hackers would not be able to obtain it. But since there was no indication of errors and the scans did not detect the presence of the key, it was moved from the isolated environment to an "open" debugging environment. The latter is connected to the Internet and the Microsoft corporate network.

Some time after April 2021 and the transfer of the crash dump to the debug environment, the hacking group Storm-0558 managed to compromise the corporate account of a Microsoft engineer. This account had access to the debug environment that contained the key in question.

Microsoft says it can't use log files to verify its case due to "log retention policies" but believes the hacking team managed to download this dump and then discovered the presence of the key.

This allowed the hackers to gain access to Enterprise email. Microsoft also says in its post that several libraries used to validate signatures had not been updated, so the mail system accepted a request for Enterprise email that carried a token signed with the consumer key.
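To make the validation failure concrete, here is an added example (not Microsoft's code) of a weak token validator that looks a key id up in every known key set beside a strict one that only accepts keys belonging to the issuer the resource trusts. The token format, key sets and issuer names are constructed, and HMAC stands in for the real asymmetric signing keys.

```python
import base64, hashlib, hmac, json

# Constructed key sets standing in for the consumer and enterprise signing keys.
# HMAC secrets replace the real asymmetric keys so the example runs offline;
# the issuer names are placeholders, not Microsoft's endpoints.
CONSUMER_KEYS = {"consumer-key-1": b"constructed-consumer-secret"}
ENTERPRISE_KEYS = {"enterprise-key-1": b"constructed-enterprise-secret"}
ISSUER_KEYS = {
    "https://consumer.example": CONSUMER_KEYS,
    "https://enterprise.example": ENTERPRISE_KEYS,
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(kid: str, key: bytes, claims: dict) -> str:
    # Mint a header.payload.signature token (simplified JWT-style layout).
    header = _b64(json.dumps({"kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def _parse(token: str):
    header, body, sig = token.split(".")
    kid = json.loads(_unb64(header))["kid"]
    return kid, json.loads(_unb64(body)), f"{header}.{body}".encode(), _unb64(sig)

def _signature_ok(key: bytes, signed: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), sig)

def validate_weak(token: str, expected_aud: str) -> bool:
    # Buggy: any known key may validate any token, so a token signed with a
    # consumer key is accepted for an enterprise audience.
    kid, claims, signed, sig = _parse(token)
    keys = {**CONSUMER_KEYS, **ENTERPRISE_KEYS}
    return kid in keys and _signature_ok(keys[kid], signed, sig) \
        and claims.get("aud") == expected_aud

def validate_strict(token: str, expected_iss: str, expected_aud: str) -> bool:
    # Hardened: issuer and audience must match what this resource trusts,
    # and the key is looked up only in that issuer's own key set.
    kid, claims, signed, sig = _parse(token)
    if claims.get("iss") != expected_iss or claims.get("aud") != expected_aud:
        return False
    key = ISSUER_KEYS.get(expected_iss, {}).get(kid)
    return key is not None and _signature_ok(key, signed, sig)
```

A token minted with the consumer key but claiming the enterprise issuer passes `validate_weak` and is rejected by `validate_strict`, which is the scoping check the page says the outdated libraries lacked.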

Microsoft claims to have fixed all the issues, and in particular, fixed key detection in crash dumps, improved credential scanning in debugging environments, and released “enhanced libraries”.

Sleep tight….


Written by giorgos

George still wonders what he's doing here ...

One Comment

  1. In banks, employees learn that no bank fraud is ever done by just one employee. At least two or more are required.

    IT professionals are taught that no damage is ever done to security systems unless someone gets their hands on them from the inside: either by leaving a backdoor or by plugging in a stick they were given or found, to enjoy its contents.
