Microsoft says it has solved the mystery of how suspected Chinese hackers acquired a digital signing key to pull off July’s Outlook breach that ensnared several US government agencies.

According to Microsoft, the key was leaked by accident when the company computer holding it crashed in April 2021. The crash produced a dump file, and a software bug meant the key was not redacted from that file.

Microsoft added that company computers holding such signing keys are “highly isolated” and have been stripped of internet services such as email and video conferencing. The crash dump, however, opened a hole in that isolation: the unredacted file was automatically forwarded to a Microsoft computer devoted to debugging, which happened to be connected to the internet. That paved the way for the Chinese hackers to loot the key once they compromised a Microsoft engineer’s corporate account, although how that compromise occurred remains unclear.

“This account had access to the debugging environment containing the crash dump which incorrectly contained the key,” the company said in Wednesday’s report. “Due to log retention policies, we don’t have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key.”

Stealing the key allowed the suspected Chinese hackers to forge authentication tokens and access customer emails on Microsoft’s Outlook service. That said, the signing key was originally designed for consumer Microsoft accounts, not the enterprise Outlook accounts the hackers targeted. The problem is that Microsoft neglected to update a software library so that it automatically validated whether a token’s signing key belonged to the consumer or the enterprise system. “Developers in the mail system incorrectly assumed libraries performed complete validation and did not add the required issuer/scope validation,” Microsoft said. “Thus, the mail system would accept a request for enterprise email using a security token signed with the consumer key.”

Microsoft issued the report as the company has come under criticism for failing to stop the Outlook breach. In July, Sen. Ron Wyden urged the Justice Department and the FTC to probe Microsoft, claiming the company suffered from “negligent cybersecurity practices” that put its customers at risk. For example, Wyden faulted Microsoft’s internal and external audits for failing to catch the key-signing vulnerability. Meanwhile, other cybersecurity experts have weighed in and accused Microsoft of trying to deflect blame for its own past mistakes.

According to Microsoft’s report, the company has since fixed the bugs and processes that allowed the Chinese hackers to orchestrate the breach. This has included bolstering the company’s detection systems to prevent sensitive material from being erroneously included in crash dump files. But time will tell whether the report further fuels criticism of Microsoft’s approach to security.
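The validation gap Microsoft describes, shown as an added example that is not code from Microsoft or from this article. A signature-only check accepts any token whose signature verifies under a key the service knows, which is exactly the flaw quoted above: a token signed by the consumer key is accepted for enterprise mail. The hardened check binds each key to the issuer it is allowed to sign for and then validates the `iss`, `aud`, `scp` and `exp` claims. The keys, issuer URLs, audience and scope names are constructed for the demo (HMAC keys stand in for the asymmetric keys a real identity platform would use).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key store. Each key is bound to the issuer it may sign for.
# In the incident, the consumer-account key was never meant to sign enterprise tokens.
KEYS = {
    "consumer-kid-1": {"secret": b"consumer-demo-secret",
                       "issuer": "https://login.consumer.example/"},
    "enterprise-kid-1": {"secret": b"enterprise-demo-secret",
                         "issuer": "https://login.enterprise.example/"},
}
EXPECTED_ISSUER = "https://login.enterprise.example/"   # the enterprise mail service trusts only this issuer
EXPECTED_AUDIENCE = "mail.enterprise.example"           # the mail API's own audience value
REQUIRED_SCOPE = "mail.read"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(kid: str, claims: dict) -> str:
    """Issue an HS256 JWT with the named key (used here to build test vectors)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _verify_signature(token: str):
    """Return (kid, claims) if the signature verifies under a known key, else (None, None)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, None
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    kid = header.get("kid")
    if header.get("alg") != "HS256" or kid not in KEYS:
        return None, None
    expected = hmac.new(KEYS[kid]["secret"], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None, None
    return kid, json.loads(_b64url_decode(p))


def accept_signature_only(token: str) -> bool:
    """The flawed pattern: a valid signature from any known key is treated as authorization."""
    _, claims = _verify_signature(token)
    return claims is not None


def accept_with_issuer_scope(token: str, now: float | None = None) -> bool:
    """Hardened pattern: the signing key must belong to the expected issuer,
    and the claims must name this service, carry the scope, and be unexpired."""
    kid, claims = _verify_signature(token)
    if claims is None:
        return False
    if KEYS[kid]["issuer"] != EXPECTED_ISSUER:      # key/issuer binding, independent of the claim
        return False
    if claims.get("iss") != EXPECTED_ISSUER:
        return False
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return False
    if REQUIRED_SCOPE not in claims.get("scp", "").split():
        return False
    now = time.time() if now is None else now
    if float(claims.get("exp", 0)) <= now:
        return False
    return True


def demo(now: float = 1_700_000_000) -> dict:
    """Build an enterprise token and a consumer-key-signed token with enterprise claims,
    then run both validators over each. Returns the four outcomes."""
    claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
              "scp": REQUIRED_SCOPE, "sub": "user@enterprise.example", "exp": now + 600}
    good = mint_token("enterprise-kid-1", claims)
    wrong_key = mint_token("consumer-kid-1", claims)   # consumer key, enterprise claims
    return {
        "good_sig_only": accept_signature_only(good),
        "good_hardened": accept_with_issuer_scope(good, now),
        "wrong_key_sig_only": accept_signature_only(wrong_key),
        "wrong_key_hardened": accept_with_issuer_scope(wrong_key, now),
    }


if __name__ == "__main__":
    print(demo())
```

The decisive check is the key-to-issuer binding in `accept_with_issuer_scope`: it rejects the consumer-signed token even though its `iss` claim says enterprise, because claims inside a token can be whatever the signer wrote, while the key store's view of which issuer a key belongs to cannot be influenced by the token.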
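A detection gate of the kind the report says Microsoft has since added, written here as an added example rather than Microsoft's own tooling: before a crash dump is released to a less isolated debugging environment, scan it for private-key material and either redact or block. The scanner handles the edge case of a key cut off at the end of the dump (a BEGIN header with no matching END), which a naive whole-block match would miss. Dump contents and key text are constructed for the demo.

```python
import re

# Complete PEM private-key block (the backreference ties BEGIN and END labels together).
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z ]*PRIVATE KEY)-----.*?-----END \1-----", re.DOTALL)
# A BEGIN header on its own: a key that was truncated by the end of the dump.
PEM_HEADER = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def scan_dump(blob: bytes) -> list:
    """Return (kind, start, end) findings for private-key material in a dump."""
    findings, covered = [], []
    for m in PEM_BLOCK.finditer(blob):
        findings.append(("pem_private_key", m.start(), m.end()))
        covered.append((m.start(), m.end()))
    for m in PEM_HEADER.finditer(blob):
        if not any(s <= m.start() < e for s, e in covered):
            # No END marker followed: redact conservatively to the end of the buffer.
            findings.append(("truncated_private_key", m.start(), len(blob)))
    return findings


def redact_dump(blob: bytes) -> tuple:
    """Replace each finding with a marker; returns (redacted_bytes, finding_count)."""
    findings = scan_dump(blob)
    out = bytearray(blob)
    # Apply from the back so earlier offsets stay valid after each replacement.
    for kind, start, end in sorted(findings, key=lambda f: f[1], reverse=True):
        out[start:end] = b"[REDACTED " + kind.encode() + b"]"
    return bytes(out), len(findings)


def release_allowed(blob: bytes) -> bool:
    """Policy hook: a dump with any key material must not leave the isolated network."""
    return not scan_dump(blob)


# Constructed sample dump: stack frames around a PEM key that should never be there.
SAMPLE_DUMP = (b"frame 0: tokenservice!SignToken+0x1a\n"
               b"-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedDemoKeyBytes==\n"
               b"-----END RSA PRIVATE KEY-----\nframe 1: tokenservice!Main+0x40\n")

if __name__ == "__main__":
    redacted, n = redact_dump(SAMPLE_DUMP)
    print(n, "finding(s); release allowed:", release_allowed(SAMPLE_DUMP))
    print(redacted.decode())
```

Treating a dangling BEGIN header as a finding matters because a dump boundary or a partial memory page can leave only the first part of a key in the file, and that fragment is still sensitive.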