Bugs and coincidences appear to have allowed the Chinese hacking group Storm-0558 to steal an MSA (Microsoft account) consumer signing key from Microsoft and gain access to the email accounts of various organizations as well as US government agencies.
The full extent of the breach is currently unknown: with that signing key the group could forge authentication tokens that Exchange Online and Outlook.com accepted, for enterprise mailboxes as well as consumer ones.

Microsoft has published the results of its research on the specific topic on the MSRC blog.
But the company's analysis looks like a poorly written script, as it presents a chain of events that allowed the hacking team to obtain the key and use it to access online accounts.
Let's see what happened according to Microsoft.
A consumer signing system stopped working in April 2021. This resulted in the creation of a crash dump (a file that records why the service stopped working). These crash dumps should not include sensitive information such as signing keys, but in this particular case, the signing key was present in the crash dump.
The security systems did not detect the presence of the key. All of this happened in a "highly isolated and restricted production environment", according to Microsoft. Employee controls include background checks, dedicated accounts, secure access workstations, and hardware token device-based multi-factor authentication. The environment itself does not allow the use of email, conferencing, web research and other collaboration tools.
If the crash dump remained in such an isolated environment, hackers would not be able to obtain it. But since there was no indication of errors and the scans did not detect the presence of the key, it was moved from the isolated environment to an "open" debugging environment. The latter is connected to the Internet and the Microsoft corporate network.
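The chain above turns on one check: a scan of the crash dump before it left the isolated network, which should have flagged the key and did not. As an added illustration (not Microsoft's scanner and not code from the original page), the following scans a constructed byte blob for the two most common shapes private key material takes in memory, a PEM-encoded private key and a JSON Web Key that carries the private exponent `d`. The sample dump, the key names and the `scan_dump`/`safe_to_export` helpers are all constructed for this example.

```python
import json
import re

# Constructed sample "crash dump": binary noise with an embedded PEM private key,
# a JWK that contains a private exponent, and a harmless public-only JWK.
# This is not a real dump; the key strings are placeholders.
SAMPLE_DUMP = (
    b"\x7fELF\x02\x01\x01" + b"\xff" * 40
    + b"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAxyz...\n-----END RSA PRIVATE KEY-----\n"
    + b"\x00" * 16
    + b'{"kty":"RSA","kid":"consumer-signing-1","n":"AQAB...","e":"AQAB","d":"PRIVATE..."}'
    + b"\x00" * 8
    + b'{"kty":"RSA","kid":"public-only","n":"AQAB...","e":"AQAB"}'
)

# PEM private key blocks (PKCS#1 "RSA PRIVATE KEY", SEC1 "EC PRIVATE KEY", PKCS#8 "PRIVATE KEY").
PEM_PRIVATE = re.compile(
    rb"-----BEGIN (?:RSA |EC |)PRIVATE KEY-----.*?-----END (?:RSA |EC |)PRIVATE KEY-----",
    re.S,
)
# Flat JSON objects; enough to pick JWKs out of a memory image.
JSON_BLOB = re.compile(rb"\{[^{}]*\}")


def scan_dump(data: bytes) -> list:
    """Return a list of findings, each with the offset of the suspected private key."""
    findings = []
    for m in PEM_PRIVATE.finditer(data):
        findings.append({"type": "pem_private_key", "offset": m.start()})
    for m in JSON_BLOB.finditer(data):
        try:
            obj = json.loads(m.group(0))
        except ValueError:
            continue  # not JSON, just bytes that happened to look like an object
        # A JWK with "d" is a private key; a JWK with only n/e (or x/y) is public.
        if isinstance(obj, dict) and obj.get("kty") in ("RSA", "EC") and "d" in obj:
            findings.append({"type": "jwk_private_key", "offset": m.start(), "kid": obj.get("kid")})
    return findings


def safe_to_export(data: bytes) -> bool:
    """The gate a dump should pass before leaving the isolated environment."""
    return len(scan_dump(data)) == 0
```

The point of `safe_to_export` is that it is a deny-by-default decision taken on the isolated side of the boundary; a dump that fails the scan is redacted or discarded there, not debugged elsewhere.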
Some time after April 2021 and the transfer of the crash dump to the debug environment, the hacking group Storm-0558 managed to compromise the corporate account of a Microsoft engineer. This account had access to the debug environment that contained the key in question.
Microsoft says it has no logs with direct evidence of the exfiltration because of its "log retention policies", but believes the hacking team downloaded this dump from the debugging environment and then discovered the key inside it.
This is what allowed the hackers to reach enterprise email. Microsoft also says in its post that the libraries used to validate token signatures had not been updated to check the key's scope: they verified the signature cryptographically, but did not check that the key belonged to the issuer the token claimed, so the mail system accepted a request for enterprise email using a token signed with a consumer key.
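To make the validation gap concrete, here is an added example (not Microsoft's code and not from the original page) of a token validator that verifies the signature but not the signing key's scope, beside a hardened version that does both. HMAC secrets stand in for the RSA signing keys, the key store stands in for a shared key-metadata endpoint that publishes consumer and enterprise keys together, and the key IDs, issuers and claim names are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# Constructed key store standing in for a merged key-metadata endpoint.
# Each key is scoped to exactly one issuer; HMAC secrets replace RSA keys here.
KEYS = {
    "msa-consumer-key": {"secret": b"consumer-secret", "issuer": "https://consumer.example"},
    "aad-enterprise-key": {"secret": b"enterprise-secret", "issuer": "https://enterprise.example"},
}


def sign_token(kid: str, claims: dict) -> str:
    """Mint a compact JWS-style token with the named key (what the attacker does with a stolen key)."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_signature(token: str):
    """Cryptographic check only: returns (header, claims) if the signature is valid, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
    except ValueError:
        return None
    key = KEYS.get(header.get("kid"))
    if key is None:
        return None
    expected = hmac.new(key["secret"], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return header, json.loads(b64url_decode(p))


def validate_vulnerable(token: str, expected_issuer: str) -> bool:
    """Accepts any token signed by any published key. The issuer is never tied to the key."""
    return verify_signature(token) is not None


def validate_hardened(token: str, expected_issuer: str) -> bool:
    """Signature must verify AND the signing key must belong to the issuer the service expects."""
    result = verify_signature(token)
    if result is None:
        return False
    header, claims = result
    key_issuer = KEYS[header["kid"]]["issuer"]
    # A consumer-scoped key can never vouch for an enterprise issuer, whatever the claims say.
    return key_issuer == expected_issuer and claims.get("iss") == expected_issuer


# Attacker holds only the consumer key but writes enterprise claims into the token.
FORGED = sign_token("msa-consumer-key", {"iss": "https://enterprise.example", "sub": "victim@corp.example"})
# Legitimate enterprise token, signed with the enterprise key.
LEGIT = sign_token("aad-enterprise-key", {"iss": "https://enterprise.example", "sub": "user@corp.example"})
```

The attacker controls every claim in the token body, so checking `iss` alone is not enough; the check that matters is the one the vulnerable path is missing, namely that the key which produced the signature is scoped to the issuer the service is about to trust.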
Microsoft claims to have fixed all the issues, and in particular, fixed key detection in crash dumps, improved credential scanning in debugging environments, and released “enhanced libraries”.
Sleep tight….

In banks, employees learn that no bank fraud is ever pulled off by a single employee; it takes at least two.
IT professionals are taught that no security system is ever breached without someone on the inside getting their hands on it, whether by leaving a backdoor or by plugging in a USB stick they were given or found, out of curiosity about its contents.