The U.S. Cybersecurity Review Board (CSRB) criticized Microsoft for a series of security vulnerabilities that led to a data breach last year by a Chinese nation-state group called Storm-0558 against nearly 20 companies in Europe and the United States.
Findings released by the U.S. Department of Homeland Security (DHS) on Tuesday showed that the intrusion was preventable and was successful due to “a series of avoidable mistakes by Microsoft.”
“It identifies a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that does not value enterprise security investments and rigorous risk management, which is inconsistent with the company’s central position in the technology ecosystem and its customer There is an inconsistent level of trust in companies to protect their data and operations,” the Department of Homeland Security said in a statement.
The CSRB also lambasted the tech giant for failing to detect breaches on its own, instead relying on customers to proactively report breaches. It further accuses Microsoft of not prioritizing the development of an automated key rotation solution and re-architecting its legacy infrastructure to meet the needs of the current threat landscape.
The incident first came to light in July 2023, when Microsoft revealed that Storm-0558 gained unauthorized access to 22 organizations and more than 500 related individual consumer accounts.
Microsoft later said that a validation error in its source code made it possible for Storm-0558 to use Microsoft Account (MSA) consumer signing keys to forge Azure Active Directory (Azure AD) tokens, allowing attackers to penetrate mailboxes.
In September 2023, the company revealed that Storm-0558 obtained consumer signing keys to counterfeit tokens by compromising an engineer’s company account that had access to a debugging environment hosting crash dumps of its consumer signing system , the system also inadvertently contains signing keys.
Microsoft has since admitted in a March 2024 update that it was inaccurate, and that it still couldn’t find “crash dumps containing affected critical material.” It also said the investigation into the hack was ongoing.
“Our primary hypothesis remains that an operational error caused critical material to leave the secure token signing environment, which was subsequently accessed in a debug environment via a compromised engineering account,” it states.
“Recent events demonstrate the need for a new engineering security culture within our own networks,” a Microsoft spokesperson told the Washington Post.
It is believed that up to 60,000 non-confidential emails from Outlook accounts were compromised in the attack that began in May 2023. China has denied accusations that it was behind the attack.
In early February, Redmond extended free logging capabilities to all U.S. federal agencies using Microsoft Purview Audit, regardless of license level, to help them detect, respond to and prevent sophisticated cyberattacks.
“The industry has been tracking the threat actors responsible for this blatant intrusion for more than two decades and is closely related to Operation Aurora in 2009 and Operation Aurora in 2011,” said CSRB Acting Vice Chairman Dmitri Alperovitch. Related to the RSA SecureID breach.”
“This hacking group affiliated with the People’s Republic of China has the capability and intent to compromise identity systems to access sensitive data, including the emails of individuals of interest to the Chinese government.”
To protect against threats from state-sponsored actors, cloud service providers are advised to:
- Implement modern controls and baseline practices
- Adopt minimum standards for scheduled audit logging in cloud services
- Incorporate emerging digital identity standards to protect cloud services
- Adopt incident and vulnerability disclosure practices to maximize transparency
- Develop more effective victim notification and support mechanisms to facilitate information sharing
“The U.S. government should update the federal risk authorization management program and support framework and establish a process for conducting discretionary special reviews of the program’s authorized cloud service offerings in particularly high-impact situations,” the CSRB said.
