iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
A crash dump gone wrong was at the heart of Chinese threat actor Storm-0558’s recent espionage campaign.
Back in July, the US Cybersecurity and Infrastructure Security Agency and Microsoft were alerted to suspicious activity by a member of a US federal agency.
The initial activity was spotted in June and involved the threat actor attempting to access Outlook accounts using forged authentication tokens. The threat actor accessed accounts from at least 15 May and had already targeted 25 organisations in the US and Western Europe.
At the time, it was a bit of a mystery as to how Storm-0558 had gotten hold of a Microsoft account (MSA) consumer key, but Microsoft has finally lifted the lid on how it happened.
In theory, such keys are kept locked down inside Microsoft’s production environment, which is a secure environment complete with staff background checks, hardware-based multifactor authentication, secure workstations and more. The environment doesn’t even have email or video conferencing access.
However, in April 2021, a “consumer signing system crash” resulted in a crash dump being created that, despite all of Microsoft’s security, included a signing key. This would not normally happen, but a race condition – wherein two processes try to access the same system resource at the same time – meant the key was included by accident.
The presence of the key was not detected – no doubt because no one expected it to even be there – and the crash dump was then moved from Microsoft’s secure production environment to the company’s less secure corporate environment for debugging. Here, email and other external-facing apps are enabled.
Sometime after April 2021, it appears that Storm-0558 was able to compromise an engineer’s account and gain access to the corporate-side debugging environment, where they found the crash dump and the all-important consumer key.
Microsoft’s only guessing at the latter, as it doesn’t keep logs of such activity, but it remains the company’s best guess.
How the threat actor was then able to use this key to access enterprise email is just as fascinating a chain of events dating back to September 2018.
“To meet growing customer demand to support applications which work with both consumer and enterprise applications, Microsoft introduced a common key metadata publishing endpoint in September 2018,” Microsoft wrote in a blog post. “As part of this converged offering, Microsoft updated documentation to clarify the requirements for key scope validation – which key to use for enterprise accounts, and which to use for consumer accounts.”
One of Microsoft’s own “helper APIs” at the time was designed to validate signatures cryptographically, but the validation was not set to be automatic. Developers, however, assumed the process to be automatic, leading to a situation where a mail system would “accept a request for enterprise email using a security token signed with the consumer key”.
All of the issues found in the investigation have been corrected, according to Microsoft’s own reporting.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
Be the first to hear the latest developments in the cyber industry.
