China-Backed Hackers Stole Microsoft’s Signing Key After a Comedy of Errors
How did China-backed hackers get a signing key out of a consumer sign-in system? Microsoft now says the systems involved have been hardened.
Microsoft says it has corrected all of the issues above, including the error that sent the signing key to the crash dump in the first place. In its post, the company adds that it’s continuously hardening systems. Microsoft has increasingly come under fire for its security practices, which both Senator Ron Wyden (D-OR) and Tenable CEO Amit Yoran have called “negligent,” with Yoran accusing Microsoft of being too slow to react to its security flaws.
A group from China stole a signing key from the company’s systems in June. With this key, the hackers accessed the cloud-based Outlook email systems of 25 organizations, including multiple US government agencies. At the time of the disclosure, however, Microsoft did not explain how the hackers were able to compromise such a sensitive and highly guarded key, or how they were able to use the key to move between consumer- and enterprise-tier systems. A new postmortem published by the company shows that a series of slipups and oversights allowed the attack.
Another unanswered question about the incident had been how the attackers used a cryptographic key from the crash log of a consumer signing system to infiltrate the enterprise email accounts of organizations like government agencies. Microsoft said on Wednesday that this was possible because of a flaw related to an application programming interface (API) that the company had provided to help customer systems cryptographically validate signatures. Because the API was not updated to include libraries that verify whether a system should accept consumer or enterprise keys, many systems could be tricked into accepting either kind of key.
The company added that support, but it failed to make the proper updates to the systems used to authenticate keys — that is, determine whether they’re consumer or enterprise keys. Mail system engineers, assuming the updates had been made, built in no additional authentication, leaving the mail system blind to what sort of key was used.
In short, had those libraries been updated properly, even given all the other failure points, Storm-0558 hackers might not have been able to access the enterprise email accounts used by the corporations they targeted.
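The failure the postmortem describes is a token validator that looks a signing key up in a merged key set and never asks which tier the key belongs to. The following is an added illustration written for this page, not Microsoft's code or API: a deliberately small HMAC-based token format with two constructed key registries (one consumer, one enterprise), a validator in the flawed "any known key is fine" style, and a scoped validator that requires both the key and the token's tier claim to match the tier the relying service expects. Key IDs, secrets, and the `scope` claim name are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed key registries, one per tier. In the real incident the tiers
# were backed by separate signing keys; here they are separate HMAC secrets.
CONSUMER_KEYS = {"consumer-kid-1": b"constructed-consumer-secret"}
ENTERPRISE_KEYS = {"enterprise-kid-1": b"constructed-enterprise-secret"}
KEY_SETS = {"consumer": CONSUMER_KEYS, "enterprise": ENTERPRISE_KEYS}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, key: bytes, claims: dict) -> str:
    """Mint a JWT-like token: header.payload.signature (HMAC-SHA256)."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}, sort_keys=True).encode())
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def _parse(token: str):
    """Split a token into (header, claims, signature, signing_input); None if malformed."""
    try:
        h, p, s = token.split(".")
        return json.loads(_unb64(h)), json.loads(_unb64(p)), _unb64(s), f"{h}.{p}".encode()
    except (ValueError, json.JSONDecodeError):
        return None


def _signature_ok(key: bytes, signing_input: bytes, sig: bytes) -> bool:
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def validate_weak(token: str):
    """Flawed pattern: any key from either tier is accepted, so a token signed
    with a consumer key passes at an enterprise service. Returns claims or None."""
    parsed = _parse(token)
    if parsed is None:
        return None
    header, claims, sig, signing_input = parsed
    merged = {**CONSUMER_KEYS, **ENTERPRISE_KEYS}  # the mistake: tiers collapsed
    key = merged.get(header.get("kid"))
    if key is None or not _signature_ok(key, signing_input, sig):
        return None
    return claims


def validate_scoped(token: str, expected_scope: str):
    """Hardened pattern: the key must come from the key set for the expected
    tier AND the token's own scope claim must match. Returns claims or None."""
    key_set = KEY_SETS.get(expected_scope)
    parsed = _parse(token)
    if key_set is None or parsed is None:
        return None
    header, claims, sig, signing_input = parsed
    key = key_set.get(header.get("kid"))  # unknown-to-this-tier kid is rejected
    if key is None or not _signature_ok(key, signing_input, sig):
        return None
    if claims.get("scope") != expected_scope:  # claim/tier mismatch is rejected
        return None
    return claims


if __name__ == "__main__":
    # A token minted with the consumer key but claiming enterprise scope.
    cross_tier = sign_token("consumer-kid-1", CONSUMER_KEYS["consumer-kid-1"],
                            {"sub": "user@example.test", "scope": "enterprise"})
    print("weak validator accepts cross-tier token:", validate_weak(cross_tier) is not None)
    print("scoped validator accepts it at enterprise:",
          validate_scoped(cross_tier, "enterprise") is not None)
```

The scoped validator refuses the cross-tier token twice over: the consumer key ID is absent from the enterprise key set, and the scope claim would still be checked against the tier the service expects even if a key ID were somehow shared. Keeping the key sets separate in the validator, rather than merging them for convenience, is the check the postmortem says the mail systems were missing.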
The key ended up in the possession of Storm-0558 after a Rube Goldberg machine-style series of events put it in the wrong place. The company writes that when the system made a debugging snapshot of a process that had crashed, it didn’t strip, as it should have, the so-called “crash dump” of all sensitive information, leaving the key in.
The Microsoft investigation summary shows that Storm-0558 was able to gain access to corporate and government emails with the help of a Microsoft consumer account key.
What the best hacks have in common: death by a thousand paper cuts
Jake Williams, a former US National Security Agency hacker who is on the faculty of the Institute for Applied Network Security, says that all the best hacks are deaths by 1,000 paper cuts.