I blame Microsoft
It doesn't matter if we're talking about state actors or run-of-the-mill criminals: Microsoft should not make their life easier with shoddy coding.
US Commerce Secretary Gina Raimondo and other State and Commerce Department officials were reportedly among the victims of a China-based group's attack on Microsoft's hosted email services. The widespread reports cite "unnamed officials" as their source and note that the US State Department denies that any classified systems …
Boooooooooring!
Can't you come up with anything better mate? You know, like better than the usual: " Duh.... um.... duh.... erm.... oh.. erm Microsoft... erm they're rubbish, must be shoddy code. Just look at all the bloated software they write! Duhh... erm... "
Yeah, it's all down to Microsoft writing shoddy code. Says you: a person who doesn't understand what they are talking about, wouldn't know what shoddy code was if it jumped up and slapped them in the chops, and simply is not skilled or experienced enough to ever work as a Microsoft developer.
But yeah, shoddy code. Right!
Most true and established facts are boring, sorry.
Gravity exists - boring. An object in motion continues to do so until other forces impact it, like Teslas running into emergency vehicles and/or children - boring. Microsoft writing exceptionally shoddy code for the last 30 years and so party to over 99% of every. single. ransomware. and. hacking. attack. - boring.
But fact.
The fact that MS365 and Azure have by far the worst uptime rates of any cloud provider should have already told you that Microsoft's software stack is very likely made up of old toilet paper cores and bubblegum, surrounded by quicksand.
Which is also why we see truly outstanding clusterfucks like OMIGOD only from Microsoft and not the other cloud providers.
Of course, that's also all just in addition to the fact that Microsoft already had a long track record of writing shitty code even before cloud was a thing, as also evidenced by the uncountable fuck-ups and mis-steps when trying to patch their wobbly operating systems and shoddy applications. I mean, really, they even fucked up basic stuff like printing several times, which truly is an art in itself.
It's probably boring for you because deep down you already know that the other posters are correct, but then who knows, maybe your job depends on not having too close a look at what services you or your employer subscribe to.
The only thing more idiotic than Microsoft's software stack are business leaders who entrust their business to this shit show.
For email, yes, but cloud storage has indeed made life a lot easier for data thieves - one system, one security structure, and no direct access to traffic, audit and access records.
As for email, cloud based email has made it possible to set up the world's biggest intercept operation ever.
> "email servers have always had DNS records pointing at them"
If the email server is at xyz.Microsoft.com what are the odds of it not being Exchange compared to some random email service lurking behind port 25 on a random IP address?
Basically, I can search Shodan (*) or walk through DNS records and then face a potentially different security setup for each email server Shodan identifies as exchange, or target MS and with a high level of certainty know the security setup etc is common to all instances, so find a weakness in one…
(*) As part of my security setup, I check Shodan, as yet it hasn’t identified my on-prem email server as Exchange…
Entry was forced by forging email authentication tokens with an acquired Microsoft account (MSA) consumer signing key.
And how did an MSA consumer signing key get leaked? It doesn't help to revoke the one key if the leak isn't detected and plugged.
It's like picking up the quarter that fell out of the pocket with a hole in it, and putting it back in the same pocket.
Microsoft’s messaging on this is dishonest.
How did their MSA signing key get “acquired”?
How could they have such a fundamental vulnerability as allowing tokens signed by a key for a consumer service access their enterprise service (OWA)?
Two massive and inexcusable fails.
I’ve been working with their cloud products, at scale, for years now and their constant dropping of the ball is starting to get me looking at competitors.
Stop focusing all your effort on AI and start fixing your dearth of HI Microsoft.
How did their MSA signing key get “acquired”?
Yes, and more importantly, how will that be prevented in future? Microsoft seem to have reasonable measures in place to detect and assess the problem, as well as the processes to mitigate it, but prevention is better than cure.
How could they have such a fundamental vulnerability as allowing tokens signed by a key for a consumer service access their enterprise service (OWA)?
I think "consumer" in "consumer signing key" refers to a service that validates and uses (i.e. consumes) the token that was produced and then signed using that key, not "consumer" as in "consumer-grade".
Another important question is, given the key provided "access to email accounts affecting approximately 25 organizations including government agencies as well as related consumer accounts of individuals", what else could have been accessed with it? If a single compromised key allows access to email of more than one organisation, what are the chances it was limited to those?
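The thread keeps returning to one question: how can a token signed with the key of one service be accepted by a different service? The block below is an added illustration of that failure mode in miniature, not code from the original post, from Microsoft, or a description of how Microsoft's token validation is actually implemented. It uses a dependency-free HS256 JWT with constructed demo keys and hypothetical issuer and audience names; real systems use asymmetric keys published via JWKS, but the validation logic is the same. The weak verifier accepts any key in its trusted set as long as the signature checks out and the `iss` claim is on a list; the strict verifier requires the key id to belong to the issuer the relying party expects. An attacker who holds only the consumer key can forge a token for the enterprise issuer against the weak verifier but not the strict one.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo keys, one per token issuer. HMAC is used only to keep the
# example self-contained; the key-binding logic is identical for RSA/ECDSA.
CONSUMER_KEY = b"consumer-signing-key-demo"
ENTERPRISE_KEY = b"enterprise-signing-key-demo"

# Hypothetical issuer and audience identifiers (not Microsoft's real ones).
CONSUMER_ISS = "https://login.consumer.example"
ENTERPRISE_ISS = "https://login.enterprise.example"
MAIL_AUD = "https://mail.enterprise.example"

# Trusted keys looked up by key id, as a JWKS consumer would do.
KEYS_BY_KID = {"consumer-k1": CONSUMER_KEY, "enterprise-k1": ENTERPRISE_KEY}
# The binding the weak verifier lacks: which key ids each issuer may sign with.
KIDS_BY_ISSUER = {CONSUMER_ISS: {"consumer-k1"}, ENTERPRISE_ISS: {"enterprise-k1"}}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign(claims: dict, kid: str, key: bytes) -> str:
    """Mint an HS256 JWT whose header names the key id used to sign it."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def _parse(token: str):
    h, p, s = token.split(".")
    return json.loads(_unb64(h)), json.loads(_unb64(p)), _unb64(s), h + "." + p


def _signature_ok(key: bytes, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)


def verify_weak(token: str, audience: str):
    """Flawed: any trusted key validates any issuer. Signature, aud and iss are
    each checked, but nothing ties the kid to the iss the token claims."""
    try:
        header, claims, sig, signing_input = _parse(token)
    except (ValueError, json.JSONDecodeError):
        return None
    key = KEYS_BY_KID.get(header.get("kid"))
    if key is None or not _signature_ok(key, signing_input, sig):
        return None
    if claims.get("iss") not in KIDS_BY_ISSUER or claims.get("aud") != audience:
        return None
    return claims


def verify_strict(token: str, audience: str, issuer: str):
    """Hardened: the relying party states the issuer it expects, and the key id
    must be one that issuer is allowed to sign with. A consumer key cannot
    produce a token the enterprise service will accept."""
    try:
        header, claims, sig, signing_input = _parse(token)
    except (ValueError, json.JSONDecodeError):
        return None
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        return None
    kid = header.get("kid")
    if kid not in KIDS_BY_ISSUER.get(issuer, set()):
        return None
    if not _signature_ok(KEYS_BY_KID[kid], signing_input, sig):
        return None
    return claims


def forge_enterprise_token(stolen_consumer_key: bytes) -> str:
    """What an attacker holding only the consumer key can do: mint a token that
    claims the enterprise issuer but is signed under the consumer key id."""
    claims = {"iss": ENTERPRISE_ISS, "aud": MAIL_AUD,
              "sub": "victim@agency.example", "scope": "Mail.Read"}
    return sign(claims, "consumer-k1", stolen_consumer_key)


if __name__ == "__main__":
    forged = forge_enterprise_token(CONSUMER_KEY)
    print("weak verifier accepts forged token:", verify_weak(forged, MAIL_AUD) is not None)
    print("strict verifier accepts forged token:", verify_strict(forged, MAIL_AUD, ENTERPRISE_ISS) is not None)
```

The point of the strict version is that trust is scoped: a key is trusted for exactly one issuer, and the relying party decides up front which issuer it will take tokens from, so a key leaked from one trust domain buys nothing in another.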
And how did an MSA consumer signing key get leaked?
I suspect someone has found the US government API to their authentication and is using it for their own entertainment and profit.
I hope I am wrong, but as far as I can see Microsoft has made itself party to authentication processes by means of Office 365 and Windows. As last stage in the authentication chain they can generate an access token at will, so if agency X wants to look at protected contents that now no longer lives in a local DC but in a far flung cloud thing (that you don't get access records to) they could just give MS the email address and have them generate the required credential token, conveniently bypassing pesky passwords and 2FA demands.
Nobody would be able to detect it other than Microsoft who has of course every reason not to look too closely.
There should never be ANY method by which a signing key could be "acquired".
If this was actual theft, then the RCA points to poor architecture design on how their signing keys are stored & utilized. Who has access, etc. And it begs the question... How secure are the rest of their signing keys? And what evidence do they have that they were not ALSO compromised? Just because this one was caught being used does not mean there are not other breaches going unnoticed.
If this was a willful release, then there should have been a disclosure notifying customers of the problem. They should not have waited until after the subsequent attack to admit the breach.
The stupid thing is how many times I have heard "Microsoft security is good enough". Sure, it is good enough to keep pot-luck Susie from stealing your secret cake recipe. But not good enough for anything of value - from a consumer's financial information to corporate secrets to government secrets. We really need to stop trusting Microsoft.
Oh, hey, Reg just posted today an article about MSFT releasing Entra "Permissions Management and Verified ID". Yeah, let's all jump on that bandwagon and trust Microsoft with our identification! What could possibly go wrong?
Similar comments have been made by a number of security experts, such as the editors of SANS NewsBites. There's a lot of concern over the lack of information in the report and possibly explanations. One of the SANS editors (Frost, maybe) noted that the only obvious "leaked key" he could think of offhand in this scenario is the key used to sign JWTs, and losing control of that would be bad indeed.
Thanks for the English lesson. If Microsoft knowingly gave Chinese Intelligence a signing key for their consumer email service (and yes, we can all imagine scenarios where this might be required) without ensuring that same key was unable to be used to forge access tokens for their enterprise service in other geographies, then we’ve got a “fired C-Suite” level of fail right there.
Hotmail, MSN, Live, Outlook, Microsoft 365, Exchange Online, call it what you will - it's still the same product with the same sticky-tape-and-string coding that Microsoft is famous for.
In corporate marketing parlance, "professional" and "enterprise" are terms used to imply higher pricing (and if you're lucky better support), not "better product." If a "WordPress Enterprise" CMS was to be offered, would you trust it for use on a critical site?
"So regardless of Microsoft bashing"
It is not bashing when you tell the truth about the absolute garbage products they produce. What a joke. Until something better comes along, you say? At this point anything is better than the virus delivery system that masquerades as an operating system, which Microsoft has delivered constantly FOR literally decades. And its products are so full of these holes that anyone who uses them should be fined massive amounts of cash for the chaos they cause to their customers. A million dollars per person, per incident, just might get those morons' attention. A million affected, a billion in fines, to both the companies using the software and the producer of it; this lets the market decide how much of the costs they wish to carry from using that garbage.
Savannah, where is your homework?
I'm locked out of my home PC, Sir. Unnamed officials have told me that it is down to Chinese state hackers. My Dad said it was just Microsoft, but the unnamed officials said he was 'off narrative', took him away for a chat, and when he limped back, he confirmed that it was the Evil Commies. I was hoping for your support Sir, unless of course you are a secret Evil Commie. Have you now or have you ever been a member of the Communist Party of East Norfolk, Sir?
What exactly is this consumer signing key (MSA) normally used for, and how can it be leveraged to grant access to Exchange email? Is it wise for every government department to be using the exact same email system? As when one department gets hacked, they all get hacked.
“observed MailItemsAccessed events with an unexpected ClientAppID and AppID in Microsoft 365 Audit Logs”
CyberWaffle ... has anyone ever managed to make sense of Windows event logs?
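The quoted indicator, MailItemsAccessed events with an unexpected ClientAppID and AppID in the Microsoft 365 audit log, is concrete enough to turn into a check. The block below is an added example, not code from the original post or from Microsoft: it runs that check over a constructed sample of audit records in JSON-lines form. The field names `Operation`, `CreationTime`, `UserId`, `MailboxOwnerUPN`, `AppId`, `ClientAppId` and the `MailAccessType` operation property follow the Exchange mailbox-audit schema that the quoted text refers to; the sample records and the baseline of "known" application IDs are placeholders, and a real baseline would be built from the organisation's own history (for example, records exported with `Search-UnifiedAuditLog`). The detection flags any mail-read event whose app ids fall outside the baseline and then groups hits by unknown app id, because one unfamiliar application reading many mailboxes is the signal worth paging on.

```python
import json
from collections import defaultdict

# Assumed baseline: application IDs this organisation has previously seen reading
# mail. These are placeholder GUIDs, not Microsoft's real application IDs.
KNOWN_APP_IDS = {
    "00000000-0000-0000-0000-00000000a001",  # assumed: desktop mail client
    "00000000-0000-0000-0000-00000000a002",  # assumed: web mail client
}

# Constructed sample of Unified Audit Log records (JSON lines). Only the fields
# this check uses are present; two mailboxes are read by an app id outside the
# baseline, one Send event is present to show that non-read operations are skipped.
SAMPLE_LOG = """\
{"CreationTime":"2023-06-15T09:12:03","Operation":"MailItemsAccessed","UserId":"alice@agency.example","MailboxOwnerUPN":"alice@agency.example","AppId":"00000000-0000-0000-0000-00000000a001","ClientAppId":"00000000-0000-0000-0000-00000000a001","OperationProperties":[{"Name":"MailAccessType","Value":"Bind"}]}
{"CreationTime":"2023-06-15T09:13:47","Operation":"MailItemsAccessed","UserId":"alice@agency.example","MailboxOwnerUPN":"alice@agency.example","AppId":"11111111-2222-3333-4444-555555555555","ClientAppId":"11111111-2222-3333-4444-555555555555","OperationProperties":[{"Name":"MailAccessType","Value":"Sync"}]}
{"CreationTime":"2023-06-15T09:14:02","Operation":"MailItemsAccessed","UserId":"bob@agency.example","MailboxOwnerUPN":"bob@agency.example","AppId":"11111111-2222-3333-4444-555555555555","ClientAppId":"11111111-2222-3333-4444-555555555555","OperationProperties":[{"Name":"MailAccessType","Value":"Bind"}]}
{"CreationTime":"2023-06-15T09:20:00","Operation":"Send","UserId":"bob@agency.example","MailboxOwnerUPN":"bob@agency.example","AppId":"00000000-0000-0000-0000-00000000a002","ClientAppId":"00000000-0000-0000-0000-00000000a002"}
{"CreationTime":"2023-06-15T09:21:10","Operation":"MailItemsAccessed","UserId":"carol@agency.example","MailboxOwnerUPN":"carol@agency.example","AppId":"00000000-0000-0000-0000-00000000a002","ClientAppId":"00000000-0000-0000-0000-00000000a002","OperationProperties":[{"Name":"MailAccessType","Value":"Bind"}]}
"""


def parse_records(text):
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def access_type(record):
    """Pull MailAccessType (Bind = single item, Sync = bulk) out of OperationProperties."""
    for prop in record.get("OperationProperties", []):
        if prop.get("Name") == "MailAccessType":
            return prop.get("Value")
    return None


def find_unexpected_app_ids(records, known_app_ids):
    """Return MailItemsAccessed events whose AppId or ClientAppId is outside the baseline.
    Both ids are checked because either one being unfamiliar is enough to look at."""
    hits = []
    for r in records:
        if r.get("Operation") != "MailItemsAccessed":
            continue
        ids = {r.get("AppId"), r.get("ClientAppId")} - {None}
        unexpected = ids - known_app_ids
        if unexpected:
            hits.append({
                "time": r.get("CreationTime"),
                "mailbox": r.get("MailboxOwnerUPN"),
                "actor": r.get("UserId"),
                "unexpected_ids": sorted(unexpected),
                "access_type": access_type(r),
            })
    return hits


def summarise(hits):
    """Group hits by unknown app id -> sorted list of mailboxes it touched."""
    by_app = defaultdict(set)
    for h in hits:
        for app in h["unexpected_ids"]:
            by_app[app].add(h["mailbox"])
    return {app: sorted(boxes) for app, boxes in by_app.items()}


if __name__ == "__main__":
    hits = find_unexpected_app_ids(parse_records(SAMPLE_LOG), KNOWN_APP_IDS)
    for h in hits:
        print(h)
    print(summarise(hits))
```

Two caveats for running this against real data: mailbox auditing has to be on for the mailboxes in question for MailItemsAccessed to exist at all, and the records come back as a JSON string inside the `AuditData` column of the export, so that column is what gets fed to `parse_records`.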