A look back at the serious act of cyberespionage on the Microsoft cloud


The summer vacations are over and things are getting serious again, all the more so because a very serious security incident involving data theft took place from May 15 onwards but was only revealed by Microsoft on July 11, just as the summer period was getting underway.

Emails (and therefore attachments) hosted on Exchange Online and Outlook Web Access in Microsoft's SaaS offering, belonging to almost 25 organizations including U.S. government entities, were hacked, probably by China in an espionage operation. These include emails of the State Department (the US ministry of foreign affairs), of Secretary of Commerce Gina Raimondo and of US Ambassador to China Nicholas Burns. European organizations were also reportedly affected.

But the full extent of the attack has yet to be revealed, and may never be, as investigations by the FBI and security agencies continue.

The seriousness of the event, dubbed Storm-0558 (surely the most serious act of cyberespionage since SolarWinds in 2020, when Microsoft was also implicated for negligence), and the fact that it was detected by a customer and not by Microsoft, have generated numerous reactions, two of which are particularly noteworthy: those of Senator Ron Wyden of Oregon and of Amit Yoran, CEO of Tenable, one of the world's leading security auditing companies (and the one we use at CEO-Vision for GoFAST's automatic security audits).

Senator Ron Wyden's reaction took the form of an official letter to US Attorney General Merrick Garland, the Director of CISA and the Chairman of the FTC. The letter requests:

  • An investigation of Microsoft by the Department of Justice to determine whether Microsoft's negligent practices violated federal law.
  • An investigation of Microsoft by the Federal Trade Commission (FTC) to determine whether Microsoft violated federal law, in particular the prohibition on "unfair and deceptive trade practices", and whether the 20-year period of security oversight imposed after the Microsoft Passport incident in 2002 should be reapplied.
  • An audit of the incident by CISA (Cybersecurity and Infrastructure Security Agency).

This is in addition to ongoing investigations by the FBI, the Department of Homeland Security's Cyber Safety Review Board (CSRB) and other security agencies.

Why such comprehensive action by Senator Wyden, and what makes the incident itself exceptional? Here is a summary of the reasons:

  1. Firstly, because it was the customer who discovered the data leak (and more than a month after the leaks began) on Microsoft's SaaS applications, and because, ironically, Brad Smith (President of Microsoft) had stated in a 2021 hearing before the US Senate on the SolarWinds attack that "those who want the best security should migrate to the Cloud" (Microsoft's cloud, of course).
  2. Secondly, the stolen Microsoft key used to sign the authentication tokens had expired: under no circumstances should an expired key have been accepted.
  3. The stolen key was also a "Consumer" key, which (quite apart from its expiry) should not have been usable to grant "Enterprise" rights, let alone "Government" rights.
  4. Then, according to the recommendations of Microsoft itself and of the NSA (and of many other security bodies such as NIST), and to numerous standards such as PCI-DSS and ISO 27001 or regulations such as the GDPR (RGPD), this type of key must be stored in an HSM ("Hardware Security Module"), a hardened physical device designed to resist tampering.
  5. Finally, the key had been valid for 5 years, whereas here too the recommendations call for much shorter periods. Even for website certificates, the validity period is now just one year.
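Points 2 and 3 above describe two validation checks that a token consumer must perform independently of the signature itself: is the signing key still within its validity period, and is this key even allowed to sign for the issuer the token claims? The following Python is an added example, not Microsoft's code and not a description of how Azure AD actually validates tokens. It uses a hypothetical JWKS-style key set with throwaway HMAC secrets, invented key ids ("consumer-2018", "consumer-2023", "enterprise-2023") and invented issuer URLs, and shows a validator that refuses an expired key or a consumer-scoped key presented for an enterprise issuer before it even looks at the signature.

```python
import base64
import hashlib
import hmac
import json

# Constructed key set in the spirit of a JWKS (hypothetical key ids and
# throwaway sample secrets, not real key material). Every signing key carries
# the scope (consumer vs enterprise) it may sign for and a hard expiry.
KEY_SET = {
    "consumer-2018":   {"secret": b"sample-consumer-secret-2018",   "scope": "consumer",   "not_after": 1609459200},  # 2021-01-01, expired
    "consumer-2023":   {"secret": b"sample-consumer-secret-2023",   "scope": "consumer",   "not_after": 1735689600},  # 2025-01-01
    "enterprise-2023": {"secret": b"sample-enterprise-secret-2023", "scope": "enterprise", "not_after": 1735689600},  # 2025-01-01
}

# Which key scope may sign tokens for which issuer (hypothetical issuer URLs).
SCOPE_OF_ISSUER = {
    "https://login.live.example/consumer": "consumer",
    "https://login.example/enterprise": "enterprise",
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(kid: str, claims: dict) -> str:
    """Issue an HS256-style token signed with the named key. Used here only to
    build inputs for the validator, including deliberately bad ones."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEY_SET[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_token(token: str, expected_scope: str, now: int) -> tuple:
    """Return (accepted, reason). Key expiry and key scope are checked before
    the signature, so a token signed with an expired key, or with a consumer
    key for an enterprise issuer, is refused even if the signature is valid."""
    try:
        h64, c64, s64 = token.split(".")
        header = json.loads(_unb64url(h64))
        claims = json.loads(_unb64url(c64))
        sig = _unb64url(s64)
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return False, "malformed"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed"
    key = KEY_SET.get(header.get("kid"))
    if key is None:
        return False, "unknown kid"
    if now > key["not_after"]:
        return False, "signing key expired"                    # point 2
    issuer_scope = SCOPE_OF_ISSUER.get(claims.get("iss"))
    if issuer_scope is None or issuer_scope != key["scope"]:
        return False, "key not authorised for this issuer"     # point 3
    if issuer_scope != expected_scope:
        return False, "issuer not trusted for this audience"
    expected_sig = hmac.new(key["secret"], (h64 + "." + c64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, sig):
        return False, "bad signature"
    if claims.get("exp", 0) < now:
        return False, "token expired"
    return True, "ok"
```

The order of checks is the point: a validator that verifies the signature first and only then (or never) consults key metadata will happily accept a mathematically valid signature made with a key that should no longer exist or that was never meant for this audience.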

Finally, the IT security company Wiz explains in a detailed blog post that the same attack could also have been used against services other than Outlook Web Access and Exchange Online, such as SharePoint Online, Teams, OneDrive and other Microsoft services, some of which are "multi-tenant" (services shared between several customers).

For his part, the CEO of Tenable, whose company had reported a critical flaw that was still unresolved several months after it was reported, says: "Microsoft's lack of transparency applies to data leaks, irresponsible security practices and vulnerabilities, which expose all their customers while deliberately leaving them in the dark."

Finally, on our own scale, we had to block GoFAST-related requests made by Microsoft products that continued to use protocols known for years to be insecure (TLS 1.0 and 1.1).
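Before blocking legacy TLS outright, an operator usually wants to know which clients still negotiate it, so that the block does not silently break a business workflow. The following Python is an added example, not GoFAST code: it parses a constructed nginx-style access log in which a hypothetical log_format appends the negotiated protocol (nginx exposes it as $ssl_protocol) as the last field, reports user agents per legacy protocol, and builds a server-side ssl context whose floor is TLS 1.2. The log lines and user-agent strings are constructed sample data.

```python
import re
import ssl
from collections import Counter, defaultdict

LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}

# Constructed access-log lines: nginx combined format plus the negotiated
# protocol as a trailing field (hypothetical log_format). User agents are
# sample values chosen to look like the Windows WebDAV and Office clients.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2023:09:14:02 +0200] "PROPFIND /webdav/Projects HTTP/1.1" 207 512 "Microsoft-WebDAV-MiniRedir/10.0.19045" TLSv1.0
10.0.0.7 - - [12/Sep/2023:09:14:05 +0200] "GET /api/documents HTTP/1.1" 200 2048 "Mozilla/5.0 (X11; Linux x86_64) Firefox/117.0" TLSv1.3
10.0.0.5 - - [12/Sep/2023:09:15:11 +0200] "GET /webdav/Projects/report.docx HTTP/1.1" 200 40960 "Microsoft Office Word 2016 (16.0.4266)" TLSv1.1
10.0.0.9 - - [12/Sep/2023:09:16:40 +0200] "GET /dashboard HTTP/1.1" 200 1024 "Mozilla/5.0 (Windows NT 10.0) Edge/116.0" TLSv1.2
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+) "(?P<ua>[^"]*)" (?P<proto>\S+)$'
)


def parse_line(line: str):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def legacy_tls_report(log_text: str) -> dict:
    """Map each legacy protocol seen to {user_agent: request_count}.
    Lines that do not parse are skipped rather than failing the whole run."""
    report = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec["proto"] in LEGACY_PROTOCOLS:
            report[rec["proto"]][rec["ua"]] += 1
    return {proto: dict(counts) for proto, counts in report.items()}


def hardened_server_context() -> ssl.SSLContext:
    """Server context that refuses anything below TLS 1.2. Certificates are
    loaded by the caller; this only fixes the protocol floor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for proto, agents in sorted(legacy_tls_report(SAMPLE_LOG).items()):
        for ua, n in agents.items():
            print(f"{proto}\t{n}\t{ua}")
```

Running the report over a few days of real logs before changing the server context turns "we blocked TLS 1.0" from a surprise for users into a planned cut-over with a list of clients to upgrade.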

Last but not least, the Forbes article explains that, in the wake of such an attack, the boards of directors of organizations, listed companies in particular, need to be more involved in and better prepared for the major issues and controls of information system security.

We can add that there is a growing risk that, in the event of a leak of strategic data, increasingly senior levels in the organization (senior management or even the Board of Directors) will be considered co-responsible for the choices made (outsourcing, etc.), and not just the CIO and CISO.

This attack also raises the question of Microsoft's legal liability, as the security of Microsoft's Office 365 SaaS offering is its responsibility. In addition to the federal investigations requested, if private companies have been affected, legal action or even class actions are potentially possible in the future.

Finally, a few days ago Microsoft revealed how the key was stolen for this cyberespionage campaign: a "crash dump" containing the strategic key ended up, by mistake and without detection, in a debugging environment accessible from Microsoft's corporate network, a network the Chinese group reached by compromising a Microsoft engineer's workstation with malware.
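The failure described above is a missing or defeated gate between the production environment and everywhere else: a dump was allowed out while still containing key material. The Python below is an added example of such a gate, not Microsoft's tooling (the page does not describe their actual redaction process). It scans a constructed dump fragment for serialised PEM private keys and for raw bytes of any registered production secret, redacts what it finds, and refuses to release a dump that still scans positive. The dump contents, the PEM block and the registered secret are all constructed sample values, not real key material.

```python
import hashlib
import re

# Serialised private keys as they would sit in a heap or stack dump.
PEM_PRIVATE = re.compile(
    rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----.*?-----END (?:RSA |EC )?PRIVATE KEY-----",
    re.DOTALL,
)


def scan_dump(dump: bytes, known_secrets) -> list:
    """Return (kind, offset) findings, ordered by offset. Two detectors:
    structural (PEM markers) and exact-match against registered secrets,
    because raw key material in memory is often not PEM-encoded at all."""
    findings = [("pem-private-key", m.start()) for m in PEM_PRIVATE.finditer(dump)]
    for secret in known_secrets:
        label = "known-secret:" + hashlib.sha256(secret).hexdigest()[:12]  # never log the secret itself
        start = 0
        while (idx := dump.find(secret, start)) != -1:
            findings.append((label, idx))
            start = idx + 1
    return sorted(findings, key=lambda f: f[1])


def redact_dump(dump: bytes, known_secrets) -> bytes:
    """Replace every finding with a marker so the dump stays useful for debugging."""
    redacted = PEM_PRIVATE.sub(b"[REDACTED-PEM-KEY]", dump)
    for secret in known_secrets:
        redacted = redacted.replace(secret, b"[REDACTED-SECRET]")
    return redacted


def may_leave_production(dump: bytes, known_secrets) -> bool:
    """The gate: a dump is released only if a fresh scan finds nothing."""
    return not scan_dump(dump, known_secrets)


# Constructed sample: a fake dump fragment holding a fake PEM block and a raw
# copy of a registered sample secret. Neither is real key material.
KNOWN_SECRETS = [b"sample-signing-secret-ABC123"]
SAMPLE_DUMP = (
    b"\x00\x00heap: request buffer\x00"
    b"-----BEGIN RSA PRIVATE KEY-----\nMIIEsampleNOTAREALKEY\n-----END RSA PRIVATE KEY-----\n"
    b"\x00\x00session cache\x00" + KNOWN_SECRETS[0] + b"\x00stack trace\x00"
)

if __name__ == "__main__":
    print(scan_dump(SAMPLE_DUMP, KNOWN_SECRETS))
    print(may_leave_production(redact_dump(SAMPLE_DUMP, KNOWN_SECRETS), KNOWN_SECRETS))
```

The scanner must run inside the production boundary, where the registry of live key bytes is available, and the release decision must be re-taken on the redacted output rather than trusted from the redaction step; a redaction that ran but missed the key is exactly the case the page describes.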

As we can see, despite Microsoft's promise of a SaaS environment more secure than on-premises, there is still a long way to go before that promise is kept, especially given the number of internal failures revealed, and this is somewhat hard to explain when you are making a 42% operating margin and 72 billion in net profit...


Christopher Potter, President & Founder, CEO-Vision S.A.S publisher of the GoFAST DigitalWorkplace & DMS platform

References:

https://www.wyden.senate.gov/imo/media/doc/wyden_letter_to_cisa_doj_ftc_re_2023_microsoft_breach.pdf

https://www.bleepingcomputer.com/news/security/microsoft-chinese-hackers-breached-us-govt-exchange-email-accounts/

https://www.securityweek.com/microsoft-cloud-hack-exposed-more-than-exchange-outlook-emails/

https://techcrunch.com/2023/08/15/house-republican-emails-china-microsoft-cloud-hack/

https://techcrunch.com/2023/07/17/microsoft-lost-keys-government-hacked/

https://www.wiz.io/blog/storm-0558-compromised-microsoft-key-enables-authentication-of-countless-micr

https://www.theregister.com/2023/07/21/microsoft_key_skeleton/

https://blogs.microsoft.com/on-the-issues/2023/07/11/mitigation-china-based-threat-actor/

https://msrc.microsoft.com/blog/2023/07/microsoft-mitigates-china-based-threat-actor-storm-0558-targeting-of-customer-email/

https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/

https://www.linkedin.com/pulse/microsoftthe-truth-even-worse-than-you-think-amit-yoran/

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/ba-p/3887947

https://www.dhs.gov/news/2023/08/11/department-homeland-securitys-cyber-safety-review-board-conduct-review-cloud

https://msrc.microsoft.com/blog/2023/09/results-of-major-technical-investigations-for-storm-0558-key-acquisition/?ref=thestack.technology

https://techcrunch.com/2023/09/08/microsoft-hacker-china-government-storm-0558/

Other resources:

Forbes, "Microsoft Security Breach: A Wake-Up Call For Board Of Directors": https://www.forbes.com/sites/betsyatkins/2023/07/18/microsoft-security-breach-a-wake-up-call-for-board-of-directors/?sh=26446131c959

NIST SP 800-57 Part 1 Rev. 5, "Recommendation for Key Management": https://csrc.nist.gov/pubs/sp/800/57/pt1/r5/final

https://www.computerworld.com/article/3612191/does-microsoft-share-blame-for-the-solarwinds-hack.html

NSA, "Detecting Abuse of Authentication Mechanisms": https://media.defense.gov/2020/Dec/17/2002554125/-1/-1/0/AUTHENTICATION_MECHANISMS_CSA_U_OO_198854_20.PDF
