In a recent incident, a key leak within Microsoft’s internal systems led to a thorough review and reinforcement of security protocols. This report highlights the details of the incident, the actions taken by the cybersecurity team, and the measures implemented to prevent similar issues in the future.
The Key Leak Incident
In April 2021, a crash of the consumer signing system led to a snapshot of the crashed process being taken, commonly referred to as a ‘crash dump’. By design, crash dumps redact sensitive information, so the signing key should not have been present in the dump. However, in this instance, because of a race condition that has since been identified, the key was found within the crash dump.
Data Transfer
The presence of the key in the crash dump was not detected at the time, owing to a flaw in our systems, and the dump was moved, in line with standard debugging procedures, from the isolated production network to the internet-connected corporate network. Our credential scanning methods likewise failed to detect the key material in the dump.
In light of these findings, changes have been introduced to improve the prevention and detection of, and the response to, key material erroneously included in crash dumps.
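The credential scanning the post refers to is the control that should have flagged the key before the dump left the production network. As an added example, not code from the original post or from Microsoft's tooling, the following scanner runs a few key-material signatures over a constructed crash-dump byte buffer: PEM private-key headers, JWK objects that carry a private exponent, and long high-entropy base64 runs. The patterns, the entropy threshold and the sample dump are all constructed for illustration; a production scanner carries a far larger signature set.

```python
import math
import re

# Heuristic signatures of key material (constructed for this example; a real
# scanner ships many more). Each pattern is matched against raw dump bytes.
PATTERNS = {
    "pem_private_key": re.compile(rb"-----BEGIN (?:RSA |EC |ENCRYPTED |)PRIVATE KEY-----"),
    # A JWK whose "d" member is present is a private key, not just a public one.
    "jwk_with_private_exponent": re.compile(
        rb'"kty"\s*:\s*"(?:RSA|EC)"[^{}]{0,512}?"d"\s*:\s*"'
    ),
}

# Runs of base64/base64url characters long enough to hold raw key material.
B64_RUN = re.compile(rb"[A-Za-z0-9+/=_-]{64,}")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; random key bytes sit near the top of the scale."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_dump(data: bytes, entropy_threshold: float = 4.5) -> list:
    """Return findings sorted by offset; each is {'kind', 'offset', ...}."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(data):
            findings.append({"kind": kind, "offset": m.start()})
    for m in B64_RUN.finditer(data):
        e = shannon_entropy(m.group())
        if e >= entropy_threshold:
            findings.append({"kind": "high_entropy_blob", "offset": m.start(),
                             "entropy": round(e, 2)})
    return sorted(findings, key=lambda f: f["offset"])


# Constructed stand-in for a crash dump: some binary filler, a stack line, a
# PEM block and a JWK. None of this is real key material.
SAMPLE_DUMP = (
    b"\x00" * 32
    + b"stack: 0x7ffd... module=signing_service\n"
    + b"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAconstructed\n-----END RSA PRIVATE KEY-----\n"
    + b"\xff" * 16
    + b'{"kty":"RSA","kid":"constructed-kid","n":"abc","d":"constructed-private-exponent"}'
)


if __name__ == "__main__":
    for finding in scan_dump(SAMPLE_DUMP):
        print(finding)
```

A scanner like this belongs on the boundary the post describes, between the isolated production network and the corporate debugging environment, so that a dump that trips any signature is quarantined rather than copied.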
Account Compromise
Following this chain of events, the threat actor tracked as ‘Storm-0558’ compromised a Microsoft engineer’s corporate account. That account had inadvertently been given access to the debugging environment holding the crash dump that wrongly contained the key.
The account compromise, combined with access to the key in that environment, is the most probable route by which the actor exfiltrated the key. Because of the log retention policies in place at the time, there is no specific evidence of the exfiltration.
Intersecting Domains: Consumer Key and Enterprise Mail
The impact of the leaked key was compounded when the mail system accepted a request to access enterprise email that carried a security token signed with the consumer key, which should never have been accepted for enterprise mail.
The issue was two-fold: Microsoft provided an API that validated token signatures without automatically performing scope validation, and the developers using that API did not add the required issuer/scope validation themselves.
This has since been rectified by automating key scope validation in the authentication libraries, updating those libraries, and clarifying the documentation.
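The two-fold failure above is easiest to see side by side: a validator that stops at the signature, and one that also binds each key to the issuer it may sign for and checks issuer, audience, scope and expiry. The following is an added example, not code from the original post and not Microsoft's authentication library. It uses HMAC-SHA256 in place of the asymmetric signatures real tokens carry so that it runs with the standard library alone; the key set, issuer URLs, audience and scope strings are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed, hypothetical key set. Each signing key is bound to the one
# issuer it may sign for; the secrets are made up for this example.
KEYS = {
    "consumer-key-1": {"secret": b"constructed-consumer-secret",
                       "issuer": "https://login.consumer.example"},
    "enterprise-key-1": {"secret": b"constructed-enterprise-secret",
                         "issuer": "https://login.enterprise.example"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(kid: str, claims: dict) -> str:
    """Build a compact HMAC-SHA256 token: header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def _parse_and_check_signature(token: str):
    """Shared by both validators: returns (key_entry, claims) or raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    key = KEYS.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key["secret"], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return key, json.loads(_b64url_decode(payload_b64))


def verify_signature_only(token: str) -> dict:
    """The insufficient pattern: a valid signature from ANY key in the set is
    accepted, and the claims are returned without checking who issued the
    token, for which audience, or with what scope."""
    _, claims = _parse_and_check_signature(token)
    return claims


def check_token(token: str, expected_issuer: str, expected_audience: str,
                required_scope: str, now=None):
    """Full validation: signature, key-to-issuer binding, iss, aud, scope, expiry.
    Returns (ok, reason) so the caller can log why a token was rejected."""
    now = time.time() if now is None else now
    try:
        key, claims = _parse_and_check_signature(token)
    except (ValueError, KeyError) as exc:
        return False, str(exc)
    # Key scope validation: the key that signed the token must be the key the
    # claimed issuer is allowed to use. A consumer key signing an enterprise
    # issuer claim fails here even though the signature itself is valid.
    if claims.get("iss") != key["issuer"]:
        return False, "signing key not bound to claimed issuer"
    if claims.get("iss") != expected_issuer:
        return False, "issuer mismatch"
    if claims.get("aud") != expected_audience:
        return False, "audience mismatch"
    if required_scope not in str(claims.get("scp", "")).split():
        return False, "required scope missing"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "expired or missing exp"
    return True, "ok"


if __name__ == "__main__":
    ent, con = "https://login.enterprise.example", "https://login.consumer.example"
    forged = mint_token("consumer-key-1", {"iss": con, "aud": "enterprise-mail",
                                           "scp": "Mail.Read", "exp": time.time() + 3600})
    print("signature-only accepts consumer-signed token:", verify_signature_only(forged)["aud"])
    print("full check:", check_token(forged, ent, "enterprise-mail", "Mail.Read"))
```

The key-to-issuer binding is the part that corresponds to the automated key scope validation the post mentions: a token signed with a consumer key is rejected for an enterprise resource whether it claims the consumer issuer (issuer mismatch) or spoofs the enterprise issuer (key not bound to that issuer), and the check happens inside the library rather than being left to each calling developer.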
Learning and Improving
The events that played out were an unfortunate failure of multiple checks and balances. However, in response to the incident, multiple corrective actions have been taken.
Incident Rectifying Measures
- The race condition that allowed the signing key into crash dumps has been identified and resolved.
- There has been an improvement in prevention, detection, and response to key material erroneously being included in crash dumps.
- Credential scanning methods have been enhanced for better detection of key presence in debugging environments.
- Authentication libraries have been enhanced to automate key scope validation.
In conclusion, while the incident was regrettable, it has led to significant improvements in our security protocols and safeguards.
At Microsoft, we’re committed to maintaining a secure environment for all our operations, and we will continuously review and upgrade our infrastructure to prevent such incidents in the future.
For more details on the incident and corrective actions taken, please visit: Microsoft Storm-0558 Incident Review
Tags: #Microsoft #Cybersecurity #KeyLeakIncident #IncidentResponse
[Reference Link](https://msrc.microsoft.com/blog/2023/09/results-of-major-technical-investigations-for-storm-0558-key-acquisition/)