
Microsoft has revealed that alleged Chinese hackers who breached email accounts belonging to U.S. government agencies, including the State Department, earlier this year did so by compromising the account of a Microsoft engineer.
In its report, MSRC gave a deep dive into what the hack entailed. The hacking group, tracked as Storm-0558 by Microsoft, acquired a Microsoft account consumer key and used it to forge tokens to access Outlook on the web and Outlook.com.
Microsoft’s investigation found that a consumer signing system crash in April of 2021 resulted in a snapshot of the crashed process. The crash dumps are not meant to include the signing key, but in this case, a race condition allowed the key to be present in the crash dump.
The crash dump, which contained the key, was moved from an isolated production network into Microsoft’s debugging environment on its internet-connected corporate network. Although placing the dump there is part of Microsoft’s standard debugging process, the key was also exposed in the process and subsequently stolen by Storm-0558.
With the exposed key, the threat actors successfully compromised a Microsoft engineer’s corporate account. That account access in turn allowed them to reach emails from the State Department, among other arms of the U.S. government.
Exactly which and how many U.S. government agencies and departments had their emails compromised has never been fully revealed, but alongside the State Department, the Commerce Department has also been named as a victim.
As part of its post-incident review process, Microsoft said it has been continuously hardening its systems as part of its defense-in-depth strategy.
Microsoft has identified and resolved the race condition that led to the signing key being present in crash dumps. Enhanced prevention, detection, and response for key material is now in place for crash dumps.
Microsoft has implemented enhanced credential scanning to better detect the presence of signing keys in the debugging environment, and has released enhanced libraries to automate key scope validation in authentication libraries.
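The key scope validation mentioned above, as an added illustration that is not Microsoft's code: a verifier that accepts a token only when the key that signed it is scoped to the issuer the token claims, so a valid signature from a consumer key is still rejected for an enterprise issuer. The key IDs, issuer URLs and HMAC secrets are constructed for the demo, and HMAC stands in for the asymmetric signing real tokens use.

```python
import base64
import hashlib
import hmac
import json

# Constructed key store: each key id carries the issuer scope it is allowed to sign for.
KEYS = {
    "consumer-key-1": {"secret": b"consumer-secret", "scope": "consumer"},
    "enterprise-key-1": {"secret": b"enterprise-secret", "scope": "enterprise"},
}
# Constructed issuers: which scope a token's "iss" claim belongs to.
ISSUER_SCOPE = {
    "https://consumer.example/": "consumer",
    "https://enterprise.example/tenant-a": "enterprise",
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(kid: str, claims: dict) -> str:
    """Mint a compact JWT-style token (header.payload.signature) with the given key."""
    header = b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify_token(token: str, check_key_scope: bool = True) -> tuple[bool, str]:
    """Verify signature, then confirm the signing key's scope covers the token's issuer.

    With check_key_scope=False the function behaves like a signature-only verifier,
    which is exactly the gap that lets a consumer-key signature pass for an enterprise issuer."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(body_b64))
    key = KEYS.get(header.get("kid"))
    if key is None:
        return False, "unknown kid"
    expected = hmac.new(key["secret"], f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return False, "bad signature"
    if check_key_scope:
        issuer_scope = ISSUER_SCOPE.get(claims.get("iss"))
        if issuer_scope != key["scope"]:
            return False, f"key scope {key['scope']!r} does not cover issuer {claims.get('iss')!r}"
    return True, "ok"
```

A token minted with the consumer key for the enterprise issuer has a valid signature, so only the scope check rejects it.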