Microsoft has detailed how the China-based threat actors behind a cyberattack disclosed earlier this year obtained a Microsoft account (MSA) consumer signing key, which allowed them to forge authentication tokens for Outlook Web Access (OWA) and Outlook.com and ultimately compromise enterprise mail accounts.
Microsoft's initial disclosure of the attack in July said the attackers had acquired an inactive private MSA consumer signing key, but left open how they got hold of it. After further investigation, Microsoft said on Wednesday that the attackers most likely obtained the key through a Microsoft engineer's compromised corporate account, combined with a series of errors in the crash dump process.
“Our investigation found that a consumer signing system crash in April of 2021 resulted in a snapshot of the crashed process (“crash dump”),” according to Microsoft’s post. “The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump (this issue has been corrected).”
Microsoft said the crash dump was then moved from the production network, which is meant to be highly isolated and restricted, into its debugging environment on the internet-connected corporate network. Microsoft's systems did not detect the key material in the crash dump; it said this issue has also since been corrected.
Finally, at some point after the key was exposed in this way in April 2021, the threat actors obtained it through a compromised Microsoft corporate account. The account, belonging to a Microsoft engineer, had access to the debugging environment holding the crash dump that contained the key.
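The control that failed at this step is a scan of the dump for key material before it leaves the production network. The following is an added example, not code from the article and not Microsoft's scanner: a small heuristic scanner that flags PEM-armored private keys, PKCS#1 and PKCS#8 RSA DER prefixes, and JSON Web Keys carrying a private exponent. The byte patterns and the sample "dump" are constructed for the example.

```python
import re

# Heuristic byte signatures for private key material. These are constructed
# for this example, not Microsoft's detection rules:
#   - PEM armor for common private key formats
#   - PKCS#1 RSAPrivateKey DER prefix: SEQUENCE, version INTEGER 0, then a long INTEGER (modulus)
#   - PKCS#8 PrivateKeyInfo prefix: SEQUENCE, version 0, AlgorithmIdentifier with the rsaEncryption OID
#   - a JSON Web Key that carries the private exponent "d" next to its key type
KEY_PATTERNS = {
    "pem_private_key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"),
    "pkcs1_rsa_der": re.compile(rb"\x30\x82[\x00-\xff]{2}\x02\x01\x00\x02\x82"),
    "pkcs8_rsa_der": re.compile(
        rb"\x30\x82[\x00-\xff]{2}\x02\x01\x00\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"
    ),
    "jwk_private": re.compile(rb'"kty"\s*:\s*"(?:RSA|EC)"[^}]{0,400}?"d"\s*:'),
}


def scan_dump(blob: bytes) -> list:
    """Return (pattern_name, byte_offset) for every hit, sorted by offset.
    A non-empty result means the dump must be quarantined, not copied to a debugging share."""
    findings = []
    for name, pattern in KEY_PATTERNS.items():
        for match in pattern.finditer(blob):
            findings.append((name, match.start()))
    return sorted(findings, key=lambda f: f[1])


def build_sample_dump() -> bytes:
    """Constructed stand-in for a crash dump: filler bytes with a PEM-armored
    key and a PKCS#1 DER header embedded where a process heap might hold them."""
    filler = bytes(range(256)) * 4  # 1024 bytes, contains none of the signatures above
    pem = b"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA\n-----END RSA PRIVATE KEY-----\n"
    der = b"\x30\x82\x04\xa3\x02\x01\x00\x02\x82\x01\x01\x00" + b"\xaa" * 64
    return filler + pem + filler + der + filler


if __name__ == "__main__":
    for name, offset in scan_dump(build_sample_dump()):
        print(f"{name} at offset {offset}")
```

Pattern matching of this kind catches serialized keys; it does not catch a key that sits in memory only as raw big-integer limbs, which is why scanning is a backstop for keeping the dump inside the isolated network rather than a substitute for it.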
“Due to log retention policies, we don’t have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key,” said Microsoft.
The campaign was first discovered in June after a federal agency identified suspicious activity in their Microsoft 365 cloud environment via the audit logs and reported it to Microsoft and CISA. Further investigation revealed that attackers had compromised two dozen organizations globally (including several U.S. government agencies).
A separate failure explains why a key intended only for consumer accounts could be used against enterprise accounts. Microsoft account keys for consumers and Microsoft Entra ID keys for enterprises are issued from separate systems and should only be valid for their respective systems, according to the company. However, a now-corrected validation error in Microsoft's code allowed the consumer key to be trusted for signing Microsoft Entra ID tokens, according to Microsoft's initial disclosure. On Wednesday Microsoft further detailed how a common key metadata publishing endpoint introduced in 2018 had failed to "clarify the requirements for key scope validation."
“As part of a pre-existing library of documentation and helper APIs, Microsoft provided an API to help validate the signatures cryptographically but did not update these libraries to perform this scope validation automatically (this issue has been corrected),” said Microsoft. “The mail systems were updated to use the common metadata endpoint in 2022. Developers in the mail system incorrectly assumed libraries performed complete validation and did not add the required issuer/scope validation.”
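The failure described in the two paragraphs above is easy to reproduce in miniature: a shared key-metadata set, a verification helper that checks only the cryptographic signature, and a consumer that assumes the helper also checked issuer and key scope. The following is an added example, not Microsoft's code and not code from the article. It uses HMAC secrets in place of the real asymmetric signing keys so it runs with the standard library alone, and the issuer URLs, key IDs and metadata layout are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed stand-in for a shared key-metadata endpoint that publishes
# keys from two separate issuers side by side (an assumption about the
# setup, not Microsoft's actual format). HMAC secrets stand in for the
# real asymmetric signing keys so the example runs with the stdlib only.
CONSUMER_ISS = "https://login.consumer.example/"
ENTERPRISE_ISS = "https://login.enterprise.example/"
KEY_METADATA = {
    "consumer-key-1": {"secret": b"consumer-signing-secret", "issuer": CONSUMER_ISS},
    "enterprise-key-1": {"secret": b"enterprise-signing-secret", "issuer": ENTERPRISE_ISS},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Mint an HS256 token under the named key. An attacker holding the
    consumer key can call this with any claims, including an enterprise iss."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    parts = [_b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims)]
    signing_input = ".".join(parts).encode()
    sig = hmac.new(KEY_METADATA[kid]["secret"], signing_input, hashlib.sha256).digest()
    return ".".join(parts + [_b64url(sig)])


def _split(token: str):
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    claims = json.loads(_b64url_decode(p))
    return header, claims, f"{h}.{p}".encode(), _b64url_decode(s)


def _signature_ok(secret: bytes, signing_input: bytes, sig: bytes) -> bool:
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def validate_signature_only(token: str) -> Optional[dict]:
    """The flawed pattern: look the kid up in the shared key set and accept
    the token if the signature verifies. Nothing ties the key to an issuer."""
    header, claims, signing_input, sig = _split(token)
    key = KEY_METADATA.get(header.get("kid"))
    if key is None or header.get("alg") != "HS256":
        return None
    if not _signature_ok(key["secret"], signing_input, sig):
        return None
    return claims


def validate_with_scope(token: str, expected_issuer: str) -> Optional[dict]:
    """Hardened: the signature must verify, the token's iss must be the
    issuer this service expects, and the key must be scoped to that issuer."""
    header, claims, signing_input, sig = _split(token)
    key = KEY_METADATA.get(header.get("kid"))
    if key is None or header.get("alg") != "HS256":
        return None
    if not _signature_ok(key["secret"], signing_input, sig):
        return None
    if claims.get("iss") != expected_issuer:  # token must claim the issuer we serve
        return None
    if key["issuer"] != expected_issuer:  # key must be published for that same issuer
        return None
    return claims


def demo() -> dict:
    """Forge an enterprise-looking token with the consumer key and run both validators."""
    forged = sign_token("consumer-key-1", {"iss": ENTERPRISE_ISS, "sub": "victim@corp.example", "aud": "mail"})
    legit = sign_token("enterprise-key-1", {"iss": ENTERPRISE_ISS, "sub": "alice@corp.example", "aud": "mail"})
    return {
        "forged_passes_signature_only": validate_signature_only(forged) is not None,
        "forged_passes_scoped": validate_with_scope(forged, ENTERPRISE_ISS) is not None,
        "legit_passes_scoped": validate_with_scope(legit, ENTERPRISE_ISS) is not None,
    }


if __name__ == "__main__":
    print(demo())  # {'forged_passes_signature_only': True, 'forged_passes_scoped': False, 'legit_passes_scoped': True}
```

The point of the hardened validator is that the signature check proves only that some published key signed the token; the two extra comparisons are what bind that key to the issuer the mail service is willing to trust, and they are exactly what the helper library left to its callers.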
The various errors outlined in its post come as Microsoft continues to face scrutiny around how it secures its platform. The Cyber Safety Review Board announced in August that it would assess the intrusion as part of “a broader review of issues relating to cloud-based identity and authentication infrastructure affecting applicable CSPs and their customers.” Separately, Sen. Ron Wyden (D-Ore.) in July urged CISA, the FTC and DoJ to “hold Microsoft responsible for its negligence.”
“Following the SolarWinds hack, Microsoft told the Senate Intelligence Committee that hardware security modules were the best way to protect encryption keys from theft,” said Wyden in an emailed statement on Wednesday. “The post-mortem published today fails to explain why Microsoft did not follow its own advice when it came to protecting consumer encryption keys. Microsoft deserves credit for providing additional details about the hack, however it has an obligation to explain why it deviated from best practices and its own advice when it came to protecting highly sensitive encryption keys.”