A ‘Cascade of Failures’ Led to Microsoft Exchange Online Intrusion of Summer 2023


In the summer of 2023, a Chinese hacking group tracked as Storm-0558 compromised Microsoft’s cloud, eventually leading to the breach of hundreds of thousands of emails, including the email accounts of U.S. government officials in charge of managing our relationship with China (Commerce Secretary Gina Raimondo, United States Ambassador to the People’s Republic of China R. Nicholas Burns, and Congressman Don Bacon). This is according to a recent report by the Cyber Safety Review Board (CSRB), which was established in 2022 by U.S. President Joe Biden.

The Board didn’t mince words, stating that “this intrusion was preventable and should never have occurred” and that the security culture at Microsoft was inadequate and “requires an overhaul.”

The report details how an MSA (Microsoft account) signing key was stolen from Microsoft, but no one knows how or when exactly. Microsoft initially claimed it was lost in a “crash dump,” but there is no evidence of that.

Figure 1: Storm-0558 Token Abuse with Stolen 2016 MSA Key (graphic from CSRB report)

Most folks will just read the summary, but if you make it further into the report, you will learn about the importance of logging in security investigations. As it turns out, many of the victims did not have logs available to investigate, because Microsoft charged a premium to collect and retain these logs:

“Victims found it difficult to investigate these intrusions after initial detection because Microsoft could not, or in some cases did not, provide victim organizations with holistic visibility into all necessary data. Although Microsoft activated enhanced logging for identified victims who did not have the appropriate license, Microsoft could not give historical logs to customers unless they already had the premium licenses at the time of the intrusion. Thus, customers could capture data from the time that Microsoft enabled additional logging capabilities but were unable to view past intrusion activity.”

The authors of the report also developed a series of broader recommendations focused on improving the security of cloud identity and authentication. As in many of my previous articles, I believe these recommendations can also be applied to audiovisual integrators who find themselves working more and more in the “Cloud.” And who in AV Land hasn’t ever used MS Exchange?


In closing, let’s try to keep some of these in mind as our AV systems go from on-prem into the cloud.

  • Cloud Service Provider Cybersecurity Practices: Cloud service providers (and AV manufacturers, MSPs, and integrators) should implement modern control mechanisms and baseline practices, informed by a rigorous threat model, across their digital identity and credential systems to substantially reduce the risk of system-level compromise.
  • Audit Logging Norms: Cloud service providers should adopt a minimum standard for default audit logging in cloud services to enable the detection, prevention and investigation of intrusions as a baseline and routine service offering without additional charge.
  • Digital Identity Standards and Guidance: Cloud service providers should implement emerging digital identity standards to secure cloud services against prevailing threat vectors. Relevant standards bodies should refine, update, and incorporate these standards to address digital identity risks commonly exploited in the modern threat landscape.
  • Cloud Service Provider Transparency: Cloud service providers should adopt incident and vulnerability disclosure practices to maximize transparency across and between their customers, stakeholders, and the United States government, even in the absence of a regulatory obligation to report.
  • Victim Notification Processes: Cloud service providers should develop more effective victim notification and support mechanisms to drive information-sharing efforts and amplify pertinent information for investigating, remediating, and recovering from cybersecurity incidents.

Stay tuned to rAVe as we dive deeper into the dark realm of cybersecurity. Next month, we will talk about the recent vulnerabilities identified in LG WebOS, which may affect thousands of smart TVs!