Der Gau: Ein Microsoft Cloud-Schlüsselverlust, irgendwann zwischen 2021 und 2023


Der Gau: Ein Microsoft Cloud-Schlüsselverlust, irgendwann zwischen 2021 und 2023

In the summer of 2023, US authorities uncover a significant hack by Chinese malicious actors against US federal ministries. The attackers succeeded in spying on the email accounts of high-ranking civil servants. The attack vector was a stolen key, a so-called "golden ticket". Microsoft's investigation still leaves some questions unanswered. Dirk Michael Ockel, founder and security expert at Complion, summarizes the incident and what is known about it in this article.

The timeline of events

June 2023: A US federal agency reports unlawful access to emails in the Microsoft Cloud to CISA (the equivalent of the German Federal Office for Information Security). It turns out that an attacker had used a signature key and an authentication token to gain access to "25 government agencies and other networks" (according to Microsoft). Using Powershell and Python scripts, large quantities of emails, attachments and directory information were presumably stolen from the Microsoft Exchange Online/OWA and Outlook systems. The attacker is believed by the Americans to be a known Chinese pro-government actor. The signature codes were taken from two-year-old files in Microsoft's internal systems, namely a crash dump that developers typically create during the development phase of software in order to analyze program errors that occur during the execution of the code.

As a result, Microsoft very quickly made extended logging functionalities, which were actually subject to a charge, generally available to its customers. The incident was also analyzed in detail for weeks and explanations were published, the wording of which shows the co-authorship of the corporate legal departments. With these explanations, we as users can understand the error chain (or better, the error network): a.: that a crash dump was generated; b.: that this is located in less secure development environments; c.: that the stolen key worked due to other Microsoft errors for more extensive access to business customer data for which it was never generated; d.: finally, why the key was still accepted despite the expiration date having passed. So far, so bad.

The origin

However, the origin of everything remains a mystery: how was the attacker able to obtain the login details of the Microsoft developer (who was involved in creating the crash dump)? This may have happened around two years ago. What else happened after that? The manufacturer says two things about this: firstly, that they are confident that no further thefts from Microsoft systems would have taken place, as they "analyzed the attacker's source code". It also states that the log files for the original compromise are no longer available. So we don't even know whether it was stolen login data of the developer or an insider threat or, for example, a zero day bug that nobody (except those who exploited it) knew about.

This situation, i.e. not (or no longer) knowing the start of the error chain, is very unsatisfactory for Microsoft users. A breach in the global cloud storage of the major hyperscalers is a disaster.

The consequences

Within the association, we have prepared and made available extensive analyses and assessments of the incident. Over one hundred VOICE member companies have discussed this intensively and repeatedly in our CIO experience exchange conferences. A similar number to Christmas 2021 about Log4Shell. Now it's time to draw conclusions.

What consequences could this have: Operationally, of course, the further hardening of cloud systems, as well as extended monitoring and logging. Strategically, however, the incident could lead to a differentiated cloud strategy for large user companies: Multi-cloud will definitely be a consequence, as well as the search for open source alternatives. There will also be increased demands from associations for minimum standards for cloud systems and auditing.

What remains: the residual risk. Both cloud applications and IT systems that are publicly accessible are vulnerable. User companies will assess and act on the residual risks from cloud use in an even more differentiated manner.


Author: Dirk Michael Ockel