Dive Brief:
- A consumer signing key that caused security headaches for Microsoft earlier this year was exposed in an April 2021 crash dump, the company said Wednesday. The China-based threat group behind the attacks later used the key to compromise more than two dozen customers, including U.S. State Department emails earlier this year.
- Microsoft disclosed the crash dump, which redacts sensitive information, as part of an internal investigation into how the consumer signing key was left exposed. The threat group, which Microsoft calls Storm-0558, compromised the corporate account of a Microsoft engineer following the crash dump,
- The threat group stole sensitive emails from the State Department and reportedly U.S. Commerce Secretary Gina Raimondo.
Dive Insight:
The findings of the investigation are certain to raise questions about the security of Microsoft’s production environment, and further inflame concerns about the inherent security of the company’s products.
Microsoft came under fierce criticism following the attacks and was pushed to change its policies about charging customers a premium for security log access, which is how government officials discovered the hacks and notified the company.
Microsoft said it normally maintains a highly restricted and isolated production environment, with multiple levels of controls, including background checks, dedicated accounts, secure access workstations and multifactor authentication using hardware token devices.
Its corporate environment, while using secure devices and authentication techniques, allows for email, conferencing, web research and the use of other collaboration tools, Microsoft said. Those same tools, however important, expose users to spear phishing, token-stealing malware and other vectors of account compromise.
Microsoft said the crash dump should not have included the consumer signing key, but a “race condition” allowed the key to be present in the dump and company systems did not detect the problem. The crash dump was later moved from the isolated production environment to a debugging environment on the company’s internet-connected network.
The company has taken several steps to resolve the larger detection and response issues related to the signing key.
Tom McNamara, founder and CEO at Hopr, said the threat group now has the ability to find additional targets, and the timeline of the original breach raises larger questions.
“How many other crash dump files were found by the threat group?” McNamara asks. “There was probably more than one in the last two years and it may go even further back.”
Amitai Cohen, attack vector intel lead at Wiz, also wonders whether the threat actor could have additional undetected compromises.
“For instance, can we be certain that the blast radius doesn’t extend beyond Exchange and Outlook to customer-owned applications as well?” Cohen asks.
Jeff Pollard, VP and principal analyst at Forrester, said the concern for Microsoft and its customers would be whether any additional data was accessed, or what, if anything, was accessed from the engineer. Pollard, however, praised Microsoft’s transparency on the incident.
“Few organizations in the world would detect this kind of activity in real time and find the issues that kept the keys in the crash dumps and the other control failures that happened here,” Pollard said via email.