U.S. Cyber Safety Board Denounces Microsoft for Security Vulnerability Caused by Chinese Hackers

Microsoft has come under fire from the U.S. Cyber Safety Review Board (CSRB) for a string of security failings that allowed a nation-state group named Storm-0558, based in China, to compromise almost two dozen businesses in Europe and the United States last year.

According to the findings, which the Department of Homeland Security (DHS) made public on Tuesday, the breach was avoidable and only succeeded as a result of a “cascade of Microsoft’s avoidable errors.”

“It identified a series of Microsoft operational and strategic decisions that collectively pointed to a corporate culture that deprioritized enterprise security investments and rigorous risk management, at odds with the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations,” the Department of Homeland Security said in a statement.

The IT giant was also chastised by the CSRB for failing to detect the breach on its own, instead relying on a customer to report it. The board also criticised Microsoft for not making an automated key rotation solution a top priority and for not redesigning its legacy infrastructure to suit the demands of the contemporary threat environment.

Microsoft originally disclosed the incident in July 2023, revealing that Storm-0558 had acquired unauthorised access to over 500 linked individual consumer accounts and 22 organisations.

Microsoft later claimed that Storm-0558 was able to counterfeit Azure Active Directory (Azure AD) tokens using a Microsoft account (MSA) consumer signing key due to a validation issue in its source code, which allowed the attacker to access the mailboxes.

The company revealed in September 2023 that Storm-0558 obtained the consumer signing key necessary to forge the tokens by breaking into the corporate account of an engineer. This engineer had access to a debugging environment that hosted a crash dump of the company’s consumer signing system, which also happened to contain the signing key.

Since then, Microsoft has stated in an update from March 2024 that it was mistaken and that it is still unable to find a “crash dump containing the impacted key material.” It added that it was still looking into the hack.

“Our leading hypothesis remains that operational errors resulted in key material leaving the secure token signing environment that was subsequently accessed in a debugging environment via a compromised engineering account,” it stated.

“We need to adopt a new culture of engineering security in our own networks,” a Microsoft representative reportedly told The Washington Post in light of recent incidents.

The campaign, which started in May 2023, is thought to have exfiltrated up to 60,000 unclassified emails from Outlook accounts. China has denied claims that it orchestrated the attack.

Earlier in February, Redmond extended Microsoft Purview Audit’s free logging features to all federal agencies in the United States, regardless of licence tier, to assist them in identifying, thwarting, and averting complex cyberattacks.

“This brazen intrusion has been linked to the 2009 Operation Aurora and 2011 RSA SecurID compromises by the threat actor that is behind it, who has been tracked by industry for over 20 years,” stated Dmitri Alperovitch, acting deputy chair of the CSRB.

“This People’s Republic of China affiliated group of hackers has the capability and intent to compromise identity systems to access sensitive data, including emails of individuals of interest to the Chinese government.”

Cloud service providers are advised to take the following steps to protect themselves from risks posed by state-sponsored actors:

  • Put baseline procedures and contemporary control systems into effect.
  • Establish a minimal requirement for cloud service default audit logging.
  • Embrace new guidelines for digital identification to safeguard cloud services.
  • Adopt disclosure procedures for vulnerabilities and incidents to increase openness.
  • To encourage information sharing, create victim notification and support systems that are more effective.

“The United States government should update the Federal Risk and Authorization Management Program and supporting frameworks and establish a process for conducting discretionary special reviews of the program’s authorised Cloud Service Offerings following especially high-impact situations,” the CSRB stated.
