Microsoft: Flaw In Windows Crash Process Enabled Cloud Email Breach
The company shared new findings about the issues that led to the compromise of email accounts belonging to multiple U.S. government agencies.
Microsoft said Wednesday that it’s identified additional issues that enabled a threat actor to compromise cloud email accounts used by multiple U.S. government agencies.
In a blog post, the tech giant disclosed that a flaw caused an Azure Active Directory key used in the compromise to be improperly captured and stored in a file following a Windows system crash in 2021. A second flaw meant that the key's presence in that file went undetected, Microsoft said.
Additionally, the threat actor behind the breach was only able to access the file containing the key through compromising a corporate account belonging to a Microsoft engineer, according to the company.
Previously, Microsoft disclosed that a stolen Azure Active Directory key was misused to forge authentication tokens and gain access to emails from an estimated 25 organizations. However, Microsoft had said in mid-July that it did not yet know how an attacker was able to acquire the key in the first place.
In the post Wednesday, Microsoft said the likely cause was that a Windows system crash in April 2021 “resulted in a snapshot of the crashed process” — also known as a “crash dump” — that contained the Azure Active Directory key.
“The crash dumps, which redact sensitive information, should not include the signing key,” Microsoft said. However, an issue known as a “race condition” caused the key to be included in the crash dump file, according to the company.
Meanwhile, as a result of a separate issue, “the key material’s presence in the crash dump was not detected by our systems,” Microsoft said. Normally, the company said, its credential scanning would have detected the key.
Both of the issues — which led to the inclusion of the signing key in the crash data file and the failure to detect the key — have now been “corrected,” Microsoft said.
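The two controls described above, redacting key material out of a crash dump before it is stored and scanning stored dumps for key material that slipped through, sketched as a defender-side example. This is added illustration, not Microsoft's code; the dump bytes and the detection patterns are constructed assumptions, and the stream scanner assumes no key block is longer than its overlap window.

```python
import re
from typing import Iterable

# Constructed sample crash dump: binary noise around a PEM private key block.
# The key body is a placeholder string, not real key material.
SAMPLE_DUMP = (
    b"\x00\x01MZ\x90\x00heap-region" * 8
    + b"-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCAAAA\n"
    + b"PLACEHOLDERKEYBODYPLACEHOLDERKEYBODY\n-----END PRIVATE KEY-----\n"
    + b"\xff\xfestack-frame-residue" * 8
)

# Signatures of private key material that dump redaction should have removed
# (hypothetical, minimal set; a real scanner carries many more).
KEY_PATTERNS = {
    "pem_private_key": re.compile(
        rb"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----.*?-----END (?:[A-Z]+ )?PRIVATE KEY-----", re.DOTALL),
    "jwk_private_key": re.compile(
        rb'\{[^{}]*"kty"\s*:\s*"(?:RSA|EC)"[^{}]*"d"\s*:\s*"[A-Za-z0-9_-]{16,}"[^{}]*\}', re.DOTALL),
}

def scan_bytes(blob: bytes) -> list[tuple[str, int, int]]:
    """Return (pattern_name, start, end) for every key-material hit in blob."""
    hits = [(name, m.start(), m.end())
            for name, pat in KEY_PATTERNS.items() for m in pat.finditer(blob)]
    return sorted(hits, key=lambda h: h[1])

def scan_stream(chunks: Iterable[bytes], overlap: int = 8192) -> list[tuple[str, int, int]]:
    """Scan a dump read piecewise (multi-GB files). The previous chunk's tail is
    prepended so a key block straddling a boundary is still matched; assumes no
    key block is longer than overlap bytes."""
    findings: dict[int, tuple[str, int, int]] = {}
    tail, consumed = b"", 0
    for chunk in chunks:
        buf = tail + chunk
        base = consumed - len(tail)           # absolute offset of buf[0]
        for name, start, end in scan_bytes(buf):
            findings.setdefault(base + start, (name, base + start, base + end))  # dedupe re-scanned overlap
        tail = buf[-overlap:]
        consumed += len(chunk)
    return [findings[k] for k in sorted(findings)]

def redact(blob: bytes) -> bytes:
    """Replace each detected key block with a marker before the dump is stored."""
    out, cursor = [], 0
    for _, start, end in scan_bytes(blob):
        out += [blob[cursor:start], b"[REDACTED-KEY-MATERIAL]"]
        cursor = end
    out.append(blob[cursor:])
    return b"".join(out)
```

Real dumps may hold a key in non-contiguous or compressed memory, so pattern scanning of the raw file is a floor for detection, not a guarantee.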
Subsequently, the threat actor “was able to successfully compromise a Microsoft engineer’s corporate account,” the company said in the post. “This account had access to the debugging environment containing the crash dump which incorrectly contained the key.”
As a result of log retention policies, “we don’t have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key,” Microsoft said.
Microsoft has attributed the breach to a hacking group working on behalf of the Chinese government, which the company tracks under the identifier “Storm-0558.”
The breach — which is believed to have begun on May 15 — was discovered after a U.S. federal civilian agency “identified suspicious activity in their Microsoft 365 (M365) cloud environment,” and reported it to Microsoft, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in a post.
According to CISA, the data stolen in the attack was not classified, and the number of impacted accounts was minimal. “Microsoft determined that APT actors accessed and exfiltrated unclassified Exchange Online Outlook data from a small number of accounts,” CISA said in its post.
Researchers at cloud security firm Wiz, however, have suggested that Microsoft customers will want to take another look at the potential impacts from the breach.
“We believe this event will have long-lasting implications on our trust of the cloud and the core components that support it, above all, the identity layer which is the basic fabric of everything we do in cloud,” wrote Shir Tamari, head of research at Wiz, in a July 21 post about the Wiz research team’s findings.
In recent years, Wiz has discovered numerous security issues impacting Microsoft cloud platforms including Azure.
In a previous statement provided to CRN, responding to the Wiz findings, Microsoft said that it has “not observed those outcomes in the wild.”