A “cascade” of errors let Chinese hackers into US government inboxes
2024-04-03 13:37

Microsoft still doesn't know how Storm-0558 attackers managed to steal the Microsoft Services Account cryptographic key they used to forge authentication tokens needed to access email accounts belonging to US government officials.

"The stolen 2016 MSA key in combination with [a] flaw in the token validation system permitted the threat actor to gain full access to essentially any Exchange Online account," CISA's Cyber Safety Review Board noted in a recently released Review of the Summer 2023 Microsoft Exchange Online Intrusion.

"Microsoft does not know when Storm-0558 discovered that consumer signing keys could forge tokens that worked on both OWA consumer and enterprise Exchange Online. Microsoft speculates that the threat actor could have discovered this capability through trial and error."

In May and June 2023, Storm-0558 - a hacking group associated with the Chinese government - compromised Microsoft's cloud environment and accessed cloud-based mailboxes of US State Department and Commerce Department officials, as well as users at other government and private sector organizations in the US, the UK, and elsewhere.

"The Board finds that this intrusion was preventable and should never have occurred. The Board also concludes that Microsoft's security culture was inadequate and requires an overhaul," the CSRB stated, and advised Microsoft to make its CEO and Board of Directors focus on the company's security culture and security-focused reforms across the company and products.

"The Board recommends that Microsoft's CEO hold senior officers accountable for delivery against this plan. In the meantime, Microsoft leadership should consider directing internal Microsoft teams to deprioritize feature developments across the company's cloud infrastructure and product suite until substantial security improvements have been made in order to preclude competition for resources."


News URL

https://www.helpnetsecurity.com/2024/04/03/microsoft-storm-0558-key/