Microsoft slammed for lax security that led to China's cyber-raid on Exchange Online
CISA calls for 'fundamental, security-focused reforms' to happen ASAP, delaying work on other software
A review of the June 2023 attack on Microsoft's Exchange Online hosted email service – which saw accounts used by senior US officials compromised by a China-linked group called "Storm-0558" – has found that the incident was preventable, and happened only because of Microsoft's lax infosec culture and sub-par cloud security precautions.
The review, conducted by the US government's Cybersecurity and Infrastructure Security Agency's Cyber Safety Review Board (CSRB), calls for "rapid cultural change" at Microsoft. Among the Board's recommendations:
- Microsoft's customers would benefit from its CEO and board of directors directly focusing on the security culture, and developing and sharing publicly a plan with specific timelines to make fundamental, security-focused reforms across the business and its full suite of products;
- The CEO should hold senior officers accountable for delivery against this plan;
- Microsoft leadership should consider directing internal teams to deprioritize feature developments across the cloud infrastructure and product suite until substantial security improvements have been made to preclude competition for resources;
- Security risks should be fully and appropriately assessed and addressed before new features are deployed.
That strong language was offered in light of the attack, which the Board attributed to a "cascade of Microsoft's avoidable errors."
The CSRB report [PDF] pins the attack on the weak signing-key rotation practices used to secure the Microsoft Services Account (MSA) – the identity management system underpinning the software giant's cloudy services for consumers.
MSA was designed in the early 2000s, without a process for automated signing key rotation or deactivation. Microsoft therefore managed keys manually – but stopped doing so in 2021 after the practice caused a major cloud outage.
Between 2021 and the breach in 2023, Microsoft did not employ any tool that would alert it to keys that should be retired.
So when Storm-0558 obtained a consumer signing key created in 2016, which should long since have been retired, it gained the ability to forge authentication tokens for the version of Outlook Web Access offered to consumers.
Things escalated from there because a flaw in Microsoft's token validation meant that tokens signed with the 2016 MSA key were accepted for enterprise email accounts – not just the consumer services MSA was created to manage.
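As an added illustration of the two failures described above – an overdue key still sitting in the trusted key set with nothing to flag it, and a key from one identity system accepted for tokens belonging to another – here is a small Python model. It is not Microsoft's code and not taken from the CSRB report: HMAC-signed compact tokens and a constructed in-memory key inventory stand in for the RSA-signed tokens and published key set the real services use, and every key name, secret, principal and date in it is invented.

```python
import base64
import hashlib
import hmac
import json
from datetime import date
from typing import Optional

# Constructed key inventory for the example. Each signing key records which
# identity system it signs for and the date by which it should have been
# retired. Secrets and dates are illustrative, not real key material.
KEYS = {
    "msa-2016": {"secret": b"consumer-key-2016", "issuer": "consumer", "retire_by": date(2017, 1, 1)},
    "msa-2023": {"secret": b"consumer-key-2023", "issuer": "consumer", "retire_by": date(2024, 1, 1)},
    "aad-2023": {"secret": b"enterprise-key-2023", "issuer": "enterprise", "retire_by": date(2024, 1, 1)},
}

# The day the example is evaluated on (assumed, for the expiry checks below).
EXAMPLE_DAY = date(2023, 6, 1)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(kid: str, claims: dict, secret: Optional[bytes] = None) -> str:
    """Mint a compact token header.payload.signature, HMAC-SHA256 over the first two parts.
    Passing `secret` explicitly models an attacker signing with a stolen copy of a key."""
    secret = KEYS[kid]["secret"] if secret is None else secret
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(mac)}"


def _split(token: str):
    header_b64, payload_b64, sig_b64 = token.split(".")
    return json.loads(_unb64(header_b64)), json.loads(_unb64(payload_b64)), header_b64, payload_b64, _unb64(sig_b64)


def _signature_ok(kid: Optional[str], header_b64: str, payload_b64: str, sig: bytes) -> bool:
    key = KEYS.get(kid)
    if key is None:
        return False
    expected = hmac.new(key["secret"], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def verify_lax(token: str) -> Optional[dict]:
    """The failure mode: any key in the shared key set validates any token, no matter
    which identity system the key belongs to or whether it is past retirement."""
    header, payload, h, p, sig = _split(token)
    return payload if _signature_ok(header.get("kid"), h, p, sig) else None


def verify_strict(token: str, expected_issuer: str, today: date) -> Optional[dict]:
    """Hardened check: the key must be current and scoped to the issuer this service
    trusts, and the token's own iss claim must agree, before the signature counts."""
    header, payload, h, p, sig = _split(token)
    key = KEYS.get(header.get("kid"))
    if key is None or today >= key["retire_by"]:
        return None  # unknown or overdue key: refuse rather than silently accept
    if key["issuer"] != expected_issuer or payload.get("iss") != expected_issuer:
        return None  # a consumer key must never authenticate an enterprise identity
    if not _signature_ok(header["kid"], h, p, sig):
        return None
    return payload


def overdue_keys(today: date) -> list:
    """The inventory check the report says was missing: keys past their retire-by date."""
    return sorted(kid for kid, k in KEYS.items() if today >= k["retire_by"])


if __name__ == "__main__":
    # Attacker holds the old consumer key and forges an enterprise identity with it.
    stolen = KEYS["msa-2016"]["secret"]
    forged = sign("msa-2016", {"iss": "enterprise", "sub": "analyst@example.gov"}, secret=stolen)
    print("lax   :", verify_lax(forged))                          # accepted: the 2016 key still validates
    print("strict:", verify_strict(forged, "enterprise", EXAMPLE_DAY))  # None: key overdue and wrong issuer
    print("overdue:", overdue_keys(EXAMPLE_DAY))                  # ['msa-2016']
```

The strict verifier rejects the forged token twice over: the key is years past its retire-by date, and its scope is the consumer issuer while the token claims an enterprise identity. The `overdue_keys` scan is the kind of alert the report says Microsoft had not been running between 2021 and 2023; in a real deployment it would run against the live key set rather than a dictionary.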
Storm-0558 was therefore able to forge tokens that gave it access to the mailboxes of Microsoft's enterprise customers – such as the US State Department. The gang did just that and stole around 60,000 emails from the Department, plus a list of all its employees' email addresses. The stolen mails included details of diplomatic discussions, while the trove of addresses has obvious potential for future phishing forays.
Other cloud providers, the report notes, are better at key rotation and implement other security controls Microsoft does not.
The report also criticizes Microsoft for being unable to detect the compromise of its own signing keys. Slack security practices – such as allowing a compromised laptop that came into Microsoft's possession through an acquisition to connect to the software giant's corporate network – are noted as a further failing.
Slow to 'fess up
Microsoft also came in for criticism for its slow efforts to correct the public record.
Redmond had claimed the attack was possible because the golden signing key was present in a crash dump that made its way into an internet-connected debugging environment.
But as the report explains, Microsoft has never proven that theory, nor any of the 46 hypotheses it investigated – including "the adversary possessing a theoretical quantum computing capability to break public-key cryptography or an insider who stole the key during its creation."
Indeed, the report concludes that Microsoft still doesn't know how Storm-0558 got the key – yet it advanced the "key was in a crash dump" theory in September 2023 and kept the post that detailed it online for months after it knew the hypothesis might not be true.
Microsoft finally amended the post on March 12, 2024, admitting it had not found a crash dump that contained the key.
Failing customers
Another theme of the report is that Microsoft "did not prioritize security risk management at a level commensurate with the threat and with Microsoft technology's vital importance to more than one billion of its customers worldwide."
Investigators considered Microsoft's cloudy peers, and found they are more cautious than the Windows giant.
"Microsoft had not sufficiently prioritized rearchitecting its legacy infrastructure to address the current threat landscape," the authors found.
That state of affairs, the report notes, suggests Microsoft has forgotten the lessons imparted by its founding CEO Bill Gates in his 2002 companywide memo on Trustworthy Computing. In that memo he told developers "When we face a choice between adding features and resolving security issues, we need to choose security. If we discover a risk that a feature could compromise someone's privacy, that problem gets solved first."
The CSRB report suggests Microsoft doesn't do that any more – at least not in its cloud.
It also finds that Microsoft's response to the incident – the "Secure Future Initiative" – needs oversight by its most senior execs.
As The Register noted when the Initiative was announced, it led with the magical powers of AI to improve security – even as Microsoft's human researchers failed to determine the cause of an incident that may have seen state secrets of its home nation leak. ®