Microsoft offers an explanation for the hack of its cloud
Bugs and coincidences seem to have allowed the China-based hacking group Storm-0558 to steal a private MSA signing key from Microsoft and gain access to the accounts of organizations, including American government agencies.
The full extent of the hack is still unclear, as the MSA key gave the hacking group access to virtually any cloud account at Microsoft.
Microsoft published the results of its investigation into the matter on its MSRC blog. The analysis reads like a badly written screenplay, as it suggests that a chain of events allowed the hacking group to obtain the key and use it to access online accounts.
Here is what happened, according to Microsoft. A consumer signing system crashed in April 2021, which resulted in the creation of a crash dump. Crash dumps should not include sensitive information such as signing keys, but in this particular case a race condition caused the signing key to be present in the crash dump.
Security systems did not detect the presence of the key in the dump. All of this happened in a "highly isolated and restricted production environment", according to Microsoft. Employee controls include background checks, dedicated accounts, secure access workstations, and hardware token device-based multi-factor authentication. The environment itself does not allow the use of email, conferencing, web research and other collaboration tools.
If the crash dump had stayed in the isolated environment, the hackers would not have been able to obtain it. Since the scans did not detect the presence of the signing key, the crash dump was not flagged and was moved from the isolated environment to the debugging environment. The latter is connected to the Internet and is part of Microsoft's corporate network.
Some time after April 2021 and the moving of the crash dump to the debugging environment, hacking group Storm-0558 managed to compromise the corporate account of a Microsoft engineer. This account had access to the debugging environment that contained the crash dump with the signing key.
Microsoft notes that it can't use logs to verify its hypothesis due to "log retention policies". Microsoft believes that the hacking group managed to download this specific dump and that it discovered the presence of the signing key in the dump.
The last bug in the chain allowed the hackers to use the consumer key to access Enterprise email. Microsoft states in the explanation that several libraries used to validate signatures had not been updated, which led the mail system to accept a token signed with the consumer key for an Enterprise email request.
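As an added illustration (not code from Microsoft or from this article), here is that validation gap in simplified form: a service that accepts any token whose signature verifies against a key in a shared key set, beside one that also requires the signing key to be authorized for the audience the service expects. The key names, secrets, HMAC-based token format and scope tags are constructed stand-ins for the real asymmetric keys and token format.

```python
import base64, hashlib, hmac, json

# Constructed demo key set: each key is tagged with the audience it may sign for.
# Real signing keys are asymmetric; HMAC secrets stand in for them here.
KEYS = {
    "msa-key-1": {"secret": b"consumer-demo-secret", "scope": "consumer"},
    "aad-key-1": {"secret": b"enterprise-demo-secret", "scope": "enterprise"},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(kid: str, claims: dict) -> str:
    """Issue a compact token: b64(header).b64(claims).b64(HMAC-SHA256)."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def _verify_signature(token: str):
    """Return (kid, claims) when the signature matches the key named in the header, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, body_b64, sig_b64 = parts
    kid = json.loads(_unb64(header_b64)).get("kid")
    key = KEYS.get(kid)
    if key is None:
        return None
    expected = hmac.new(key["secret"], f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        return None
    return kid, json.loads(_unb64(body_b64))

def validate_permissive(token: str, expected_scope: str) -> bool:
    """Weak check (the gap described above): any key in the shared set is trusted for any audience."""
    return _verify_signature(token) is not None

def validate_scoped(token: str, expected_scope: str) -> bool:
    """Hardened check: the signing key must be authorized for the audience this service expects."""
    result = _verify_signature(token)
    if result is None:
        return False
    kid, claims = result
    return KEYS[kid]["scope"] == expected_scope and claims.get("aud") == expected_scope
```

A token signed with the consumer key passes `validate_permissive` for the enterprise service even though its signature is perfectly valid; `validate_scoped` rejects it because the key is not authorized for that audience.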
Microsoft claims that it has corrected the issues that led to the chain of events. In particular, it fixed the race condition, improved the detection of key material in crash dumps and the credential scanning in debugging environments, and released "enhanced libraries".
The chain of events that led to the theft of the signing key is the most likely explanation, according to Microsoft. Günter Born points out that the sheer number of coincidences and bugs is puzzling: how did the Chinese hackers find the signing key in the dump when even Microsoft's own systems could not?
It is almost certain that this is not the last we have heard of this hack.
Now You: what is your theory?