Microsoft’s recent security breaches
July 2, 2024
Last month, Microsoft found itself at the centre of a significant security breach involving their security keys. The Department of Homeland Security’s Cybersecurity Response and Standards Board (CRSB) has released a comprehensive report detailing the incident, its implications, and what it means for consumers utilising Microsoft security measures.
This report paints a damning picture of Microsoft's handling of the breach, raising questions about their communication, ongoing security issues, and their ability to prevent future incidents.
We've created a brief overview of the breach here.
The Incident: A Brief Overview
In May 2024, Microsoft disclosed a serious vulnerability in their Azure Active Directory (Azure AD) and Microsoft account (MSA) security keys. These keys, which are part of the Public Key Infrastructure (PKI) used to secure online accounts, were compromised by a sophisticated threat actor. The CRSB's report sheds light on the nature of the breach, revealing that it was part of a larger campaign orchestrated by a cyber-espionage group known as Storm-0558.
The hackers accessed the email accounts using forged authentication tokens signed with a Microsoft Services Account (MSA) consumer key the company created in 2016 and which should have been revoked in March 2021.
When the engineer’s device was compromised, they were working for Affirmed Networks, which Microsoft acquired in 2020 to consolidate its cloud platform with “fully virtualized, cloud-native mobile network solutions” for operators that wanted to deploy and maintain 5G networks more easily and with lower costs.
After acquiring Affirmed Networks and without running a cybersecurity audit, Microsoft provided corporate credentials to the engineer whose device Storm-0558 had already compromised.
Who Are Storm-0558?
Storm-0558 is a well-known threat actor group believed to operate out of China. This group has been associated with various cyber-espionage activities, primarily targeting government agencies, non-governmental organisations (NGOs), and other high-profile entities. Their modus operandi involves leveraging zero-day vulnerabilities and sophisticated phishing campaigns to gain unauthorised access to sensitive data.
What Exactly Happened?
The CRSB report details a multi-stage attack carried out by Storm-0558, which exploited a flaw in the way Microsoft handled its security keys. Here's a step-by-step breakdown of the attack:
- Initial Breach: The attackers initially compromised a Microsoft engineer's corporate account through a phishing attack. This account had access to the development environment where security keys were generated and stored.
- Escalation of Privileges: Using the compromised credentials, the attackers were able to escalate their privileges within the development environment. They exploited an existing vulnerability in the system to gain administrative access.
- Key Extraction: With administrative access, the group extracted the private keys used in the Azure AD and MSA security infrastructure. These keys are crucial for the authentication process, allowing the attackers to create legitimate-looking authentication tokens.
- Impersonation and Data Access: Armed with these keys, the attackers could forge authentication tokens and impersonate legitimate users. This allowed them to access a wide range of services and data, including emails, files, and other sensitive information stored in Azure and MSA accounts on Exchange Online and other Microsoft apps.
- Covering their Tracks: The group employed various tactics to cover their tracks, including the use of obfuscation techniques and deleting log files. This made it challenging for Microsoft to detect and respond to the breach promptly.
The Impact of the Breach
The CRSB report highlights several significant impacts of the breach:
- Data Compromise: The attackers were able to access sensitive data belonging to numerous organisations, including government agencies and private companies. This data included emails, documents, and potentially sensitive communications.
- Trust Erosion: The breach severely undermined trust in Microsoft's security infrastructure, particularly the reliability of their security keys. This will have long-term implications for the company's reputation and its relationships with customers.
- Regulatory Scrutiny: The incident attracted the attention of regulators and cybersecurity watchdogs, leading to increased scrutiny of Microsoft's security practices and potentially new regulations to prevent similar incidents in the future.
Microsoft's Response: A Flawed Approach
In response to the breach, Microsoft took several actions. However, the CRSB was highly critical of Microsoft's handling of the situation, highlighting significant deficiencies:
- Delayed Communication: One of the most glaring issues was the delayed and inadequate communication from Microsoft. Many affected customers were left in the dark for weeks, unaware of the extent of the breach and the steps being taken to mitigate it. This lack of transparency reduced trust and caused confusion.
- Insufficient Security Measures: The CRSB report criticised Microsoft for not having robust enough security measures in place to prevent such a breach. Despite being a tech giant, their infrastructure had glaring vulnerabilities that were exploited by the attackers.
- Inadequate Monitoring and Detection: The attackers were able to operate undetected for an extended period, raising serious questions about the effectiveness of Microsoft's monitoring and detection systems. The CRSB emphasised that more advanced threat detection tools and practices should have been in place.
- Questionable Incident Response: The CRSB found Microsoft's incident response to be slow and poorly coordinated. Key steps, such as revoking compromised keys and patching vulnerabilities, were delayed, exacerbating the damage caused by the breach.
CRSB's Critique and Recommendations
The CRSB's report was unequivocal in its critique of Microsoft, emphasising that the company must take significant steps to improve its security infrastructure. Key recommendations included:
- Enhanced Security Protocols: Implementing more robust security protocols to protect against similar attacks in the future. This includes better access controls, regular security audits, and more sophisticated encryption methods across the entire infrastructure.
- Improved Communication: Establishing clearer and faster communication channels with customers and stakeholders during a security incident. Transparency is crucial to maintaining trust and ensuring that all affected parties are adequately informed.
- Advanced Threat Detection: Investing in advanced threat detection and monitoring tools to quickly identify and respond to security breaches. Proactive measures, rather than reactive ones, are essential in the current threat landscape.
- Comprehensive User Training: Providing comprehensive training for employees to recognise and respond to phishing attempts and other cyber threats. Human error remains one of the biggest vulnerabilities in any security system.
Google’s Security Architecture
In contrast to Microsoft's handling of this breach, Google’s security architecture has been praised for its robustness and proactive measures. Google can also boast that it has had nothing like this happen on the platform across GCP and Google Workspace. Google’s approach to security includes:
- A Zero Trust Model: Google employs a Zero Trust security model, which assumes that threats could be both external and internal, thus verifying every access attempt regardless of its origin.
- Advanced Threat Detection: Google’s advanced threat detection systems are designed to quickly identify and neutralise threats. Their continuous monitoring and real-time response capabilities are state-of-the-art.
- Cloud First: Google’s own architecture was built with the cloud in mind, not with legacy on-premise solutions as part of their security, meaning everything is encrypted end-to-end.
- Frequent Updates and Audits: Google regularly updates its security protocols and conducts frequent audits to ensure that all systems are protected against the latest threats. This proactive stance helps to prevent breaches before they can occur.
- Strong Communication Channels: Google has established strong communication channels to ensure that customers and stakeholders are promptly informed of any security incidents, along with clear instructions on mitigating potential impacts.
- AI Security add-on: Utilising its new Gemini AI features, files on Google Drive can be labelled automatically through AI Classification for Data Loss Prevention (DLP) and Lifecycle Management Policies within businesses.
Conclusion
The Microsoft security key breach orchestrated by Storm-0558 is a reminder of the importance of data security. The CRSB's detailed report highlights the sophisticated nature of the attack and the significant impact it had on Microsoft's infrastructure and its customers. However, the most troubling aspect is the critique of Microsoft's response, which was marred by delayed communication, insufficient security measures, and an inadequate incident response.
This breach was initially hidden behind a gated security report, only available to those paying for a premium security SKU with Microsoft. They have very obviously set themselves up as “pay-to-play” when it comes to security, with other businesses left unaware of this until it became public knowledge.
The comparison with Google's security architecture underscores the need for continuous improvement and innovation in cybersecurity on Microsoft-led platforms, which means more work and more investment. As the CRSB's report makes clear, there is much work to be done by customers on Microsoft so they can effectively protect their data and maintain the integrity of their systems. It might be time to review your entire infrastructure in the wake of this breach.
To find out more, there is a full whitepaper detailing the breach. You can download that here:
To speak to us about migrating to Google Workspace for enhanced security across your platforms then please get in touch with us at: