Microsoft has explained how a Chinese espionage group used a signing key exposed in a 2021 crash dump to break into email accounts belonging to the US government.
In a post-mortem publication, the company detailed a chain of errors around that crash dump and how it exposed a signing key to an attacker who had compromised the corporate account of one of its engineers.
The crash dump dates back to April 2021 and contained a Microsoft Account (MSA) consumer signing key, which the attackers used to forge authentication tokens and break into OWA (Outlook on the Web) and Outlook.com accounts.
In that publication, the company stated:
“Our investigation found that a consumer signing system crash in April 2021 resulted in a snapshot of the crashed process (“crash dump”). The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump.”
Microsoft said the issue has since been fixed, and acknowledged that its internal systems failed to detect the sensitive key material leaking through the crash dump.
Microsoft said the 2021 crash dump, with the signing key still inside it, was moved from the isolated production network into its debugging environment, which sits on the internet-connected corporate network.
Moving dumps this way is consistent with Microsoft’s standard debugging process; the second failure is that its credential scanning did not detect the presence of the key in the dump.
“We found that this crash dump, believed at the time not to contain key material, was subsequently moved from the isolated production network into our debugging environment on the internet corporate network.”
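The two controls described above, redacting key material from a crash dump and scanning the dump for credentials before it leaves the production network, are the kind of check a practitioner can reproduce. The Python below is an added example written for this article, not Microsoft’s redaction or credential-scanning tooling: it searches a constructed byte blob standing in for a crash dump for PEM-armoured and DER-encoded RSA private keys, reports their offsets, and zeroes them so the dump can be confirmed clean before it is moved. The byte patterns, function names and sample dump are assumptions constructed for the demo; the format of the actual MSA signing key is not given on this page.

```python
"""
Added example: scan a process crash dump for private-key material and
redact it. Illustrative code, not Microsoft's tooling; the key patterns
and the sample dump are constructed for the demo.
"""
import re

# PEM armour markers for common private-key encodings.
PEM_MARKERS = (
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
)

# DER prefix of a PKCS#8 PrivateKeyInfo carrying an rsaEncryption key:
#   INTEGER 0 (version), SEQUENCE { OID 1.2.840.113549.1.1.1, NULL }
# The leading "02 01 00" is what distinguishes it from a public key's
# SubjectPublicKeyInfo, which carries the same AlgorithmIdentifier.
PKCS8_RSA_PREFIX = bytes.fromhex("020100300d06092a864886f70d0101010500")

# DER prefix of a bare PKCS#1 RSAPrivateKey: SEQUENCE (2-byte length),
# INTEGER 0 (version), then the modulus as an INTEGER with 2-byte length.
PKCS1_RSA_RE = re.compile(rb"\x30\x82..\x02\x01\x00\x02\x82", re.DOTALL)


def der_object_end(blob, start):
    """End offset of the DER TLV that starts at `start`, or None if the
    length header is malformed or runs past the end of the blob."""
    if start < 0 or start + 2 > len(blob):
        return None
    first = blob[start + 1]
    if first < 0x80:                      # short-form length
        end = start + 2 + first
    else:                                 # long-form length, n length bytes
        n = first & 0x7F
        if n == 0 or start + 2 + n > len(blob):
            return None
        end = start + 2 + n + int.from_bytes(blob[start + 2:start + 2 + n], "big")
    return end if end <= len(blob) else None


def _enclosing_sequence(blob, idx):
    """Locate the SEQUENCE header that wraps a PKCS#8 prefix found at idx."""
    for back in (2, 3, 4, 5):             # short form, or 0x81/0x82/0x83 long form
        start = idx - back
        if start >= 0 and blob[start] == 0x30:
            end = der_object_end(blob, start)
            if end is not None and end >= idx + len(PKCS8_RSA_PREFIX):
                return start, end
    return idx, idx + len(PKCS8_RSA_PREFIX)   # fall back to the prefix alone


def _merge(hits):
    """Merge overlapping spans (a PKCS#8 key wraps a PKCS#1 key inside it)."""
    hits.sort(key=lambda h: h[1])
    merged = []
    for kind, start, end in hits:
        if merged and start < merged[-1][2]:
            pk, ps, pe = merged[-1]
            merged[-1] = (pk, ps, max(pe, end))
        else:
            merged.append((kind, start, end))
    return merged


def scan_dump(blob):
    """Return [(kind, start, end)] for every private-key artefact found."""
    hits = []
    for marker in PEM_MARKERS:
        idx = blob.find(marker)
        while idx != -1:
            end_marker = marker.replace(b"BEGIN", b"END")
            end = blob.find(end_marker, idx)
            end = end + len(end_marker) if end != -1 else idx + len(marker)
            hits.append(("pem", idx, end))
            idx = blob.find(marker, end)
    idx = blob.find(PKCS8_RSA_PREFIX)
    while idx != -1:
        start, end = _enclosing_sequence(blob, idx)
        hits.append(("pkcs8-der", start, end))
        idx = blob.find(PKCS8_RSA_PREFIX, end)
    for m in PKCS1_RSA_RE.finditer(blob):
        end = der_object_end(blob, m.start()) or m.end()
        hits.append(("pkcs1-der", m.start(), end))
    return _merge(hits)


def redact(blob, findings):
    """Overwrite every finding with zero bytes, as a redaction pass should
    have done before the dump left the production network."""
    out = bytearray(blob)
    for _, start, end in findings:
        out[start:end] = b"\x00" * (end - start)
    return bytes(out)


def build_sample_dump():
    """Constructed 'crash dump': deterministic filler plus three synthetic
    key artefacts. The DER bodies are padding, not real key material."""
    filler = bytes(range(256)) * 16                       # 4 KiB of "memory"
    pkcs8 = (bytes.fromhex("308204bd") + PKCS8_RSA_PREFIX  # SEQUENCE, 1213 bytes
             + bytes.fromhex("048204a7") + b"\xaa" * 0x4a7)
    pem = (b"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n"
           b"-----END RSA PRIVATE KEY-----\n")
    pkcs1 = bytes.fromhex("308201080201000282010100") + b"\xbb" * 256
    return filler + pkcs8 + filler + pem + pkcs1 + filler


if __name__ == "__main__":
    dump = build_sample_dump()
    found = scan_dump(dump)
    for kind, start, end in found:
        print(f"{kind:10s} at 0x{start:06x}..0x{end:06x}")
    print("clean after redaction:", scan_dump(redact(dump, found)) == [])
```

The scanner is deliberately format-based: it keys on the DER and PEM structure of RSA private keys rather than on a known key value, because the whole point of the check is to catch material nobody expected to be in the dump. A production version would cover other key types (EC, symmetric HMAC secrets) and look for high-entropy regions, and would be wired in as a gate on the transfer out of the isolated network, not run after the fact.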
These failures set up the compromise that followed. Microsoft wrote:
“After April 2021, when the key was leaked to the corporate environment in the crash dump, the Storm-0558 actor was able to successfully compromise a Microsoft engineer’s corporate account. This account had access to the debugging environment containing the crash dump which incorrectly contained the key.”
However, the company said it does not have logs with specific evidence that the actor exfiltrated the key, because of its log retention policies at the time.
Microsoft’s assessment nonetheless concluded:
“But this was the most probable mechanism by which the actor acquired the key.”
Microsoft has also faced criticism over its M365 licensing structure, which charged customers extra for the forensic logging needed during active incident investigations.
In response, Microsoft announced that it would expand the default logging available to lower-tier M365 customers and lengthen the retention period for threat-hunting data.
The compromise resulted in the theft of email data from approximately 25 organizations, and prompted U.S. Senator Ron Wyden to call on the U.S. government to hold Microsoft accountable for the negligent security practices that allowed the Chinese espionage campaign against U.S. government targets to succeed.
Let us know your thoughts in the comment section.