A US senator is calling on the Justice Department to hold Microsoft responsible for “negligent cybersecurity practices” that enabled Chinese espionage hackers to steal hundreds of thousands of emails from cloud customers, including officials in the US Departments of State and Commerce.
“Holding Microsoft responsible for its negligence will require a whole-of-government effort,” Ron Wyden (D-Ore.) wrote in a letter. It was sent on Thursday to the heads of the Justice Department, Cybersecurity and Infrastructure Security Agency, and the Federal Trade Commission.
Bending over backward
Wyden’s remarks echo those of other critics who say Microsoft is withholding key details about a recent hack. In disclosures involving the incident so far, Microsoft has bent over backwards to avoid saying its infrastructure—including the Azure Active Directory, a supposedly fortified part of Microsoft’s cloud offerings that large organizations use to manage single sign-on and multifactor authentication—was breached. The critics have said that details Microsoft has disclosed so far lead to the inescapable conclusion that vulnerabilities in code for Azure AD and other cloud offerings were exploited to pull off the successful hack.
The software maker and cloud provider has indicated that the compromise resulted from the exploitation of weaknesses in Azure AD and in its Exchange Online email service. Microsoft’s Threat Intelligence team has said that Storm-0558, a China-based hacking outfit that conducts espionage on behalf of that country’s government, exploited them starting on May 15. Microsoft drove out the attackers on June 16 after a customer tipped off company researchers to the intrusion. By then, Storm-0558 had breached accounts belonging to 25 organizations.
Microsoft has used amorphous terms such as “issue,” “error,” and “flaw” when attempting to explain how the nation-state hackers tracked the email accounts of some of the company’s biggest customers. By some means that Microsoft has not explained, the attackers acquired an expired Microsoft Account signing key (described by Microsoft and by Wyden as an encryption key), the kind of key used to sign the tokens that log consumers into their accounts. Thirteen days ago, the company said it didn’t yet know how Storm-0558 acquired the key, and it has yet to provide any update since.
Microsoft said an “in-depth analysis” found that the hackers were able to use the Microsoft Account, abbreviated as MSA, key to forge valid Azure AD login tokens. While Microsoft had intended MSA keys to sign only tokens for consumer accounts, the hackers managed to use it to sign tokens for access to Azure AD. The forgery, Microsoft said, “was made possible by a validation error in Microsoft code.”
Wyden called on US Attorney General Merrick B. Garland, Cybersecurity and Infrastructure Security Agency Director Jen Easterly, and Federal Trade Commission Chair Lina Khan to hold Microsoft accountable for the breach. He accused Microsoft of hiding the role it played in the SolarWinds supply chain attack, which Kremlin hackers used to infect 18,000 customers of the Austin, Texas, maker of network management software. A subset of those customers, including nine federal agencies and 100 organizations, received follow-on attacks that breached their networks.
He likened those practices in the SolarWinds case to those that he said led to the more recent breach of the Departments of Commerce and State and the other large customers.
In Thursday’s letter, Wyden wrote:
Even with the limited details that have been made public so far, Microsoft bears significant responsibility for this new incident. First, Microsoft should not have had a single skeleton key that, when inevitably stolen, could be used to forge access to different customers’ private communications. Second, as Microsoft pointed out after the SolarWinds incident, high-value encryption keys should be stored in an HSM, whose sole function is to prevent the theft of encryption keys. But Microsoft’s admission that they have now moved consumer encryption keys to a “hardened key store used for our enterprise systems” raises serious questions about whether Microsoft followed its own security advice and stored such keys in an HSM. Third, the encryption key used in this latest hack was created by Microsoft in 2016, and it expired in 2021. Federal cybersecurity guidelines, industry best practices, and Microsoft’s own recommendations to customers, dictate that encryption keys be refreshed more frequently, for the very reason that they might become compromised. And authentication tokens signed by an expired key should never have been accepted as valid. Finally, while Microsoft’s engineers should never have deployed systems that violated such basic cybersecurity principles, these obvious flaws should have been caught by Microsoft’s internal and external security audits. That these flaws were not detected raises questions about what other serious cybersecurity defects these auditors also missed.
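To make the class of validation error concrete (the consumer-key signature being honored for enterprise tokens, and an expired key still being accepted), here is an added example written for this page. It is not Microsoft’s code and is not a description of the actual bug; it is a toy token verifier whose key store is shared between consumer and enterprise signing keys. The key names msa-2016 and aad-2023, the HMAC secrets, the scope and not_after metadata, and the claim values are all constructed for illustration, and the real MSA and Azure AD keys are asymmetric rather than HMAC. verify_vulnerable accepts any token whose kid resolves to a key in the store; verify_hardened adds the controls Wyden’s letter calls for: the key’s scope bound to the service that uses it, refusal to honor a signing key past its validity period, and a check on token expiry and audience.

```python
import base64
import hashlib
import hmac
import json

# Fixed "current time" so the example is deterministic (constructed value).
NOW = 1_690_000_000
DAY = 86_400

# Constructed key store (illustrative HMAC secrets, not real key material).
# The metadata is the point: which token population a key may sign, and when
# it stops being valid.
KEYS = {
    "msa-2016": {"secret": b"consumer-signing-secret-2016", "scope": "consumer",
                 "not_after": NOW - 365 * DAY},   # expired well before NOW
    "aad-2023": {"secret": b"enterprise-signing-secret-2023", "scope": "enterprise",
                 "not_after": NOW + 90 * DAY},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Mint a JWS-style token (header.payload.signature) with the named key."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def _signature_ok(header_b64: str, payload_b64: str, sig_b64: str, secret: bytes) -> bool:
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _unb64(sig_b64))


def verify_vulnerable(token: str) -> dict:
    """Validation error modelled here: the key is looked up by kid in a store shared
    by consumer and enterprise keys, and nothing checks that the key is allowed to
    sign for this service or that it is still inside its validity period."""
    h, p, s = token.split(".")
    key = KEYS[json.loads(_unb64(h))["kid"]]
    if not _signature_ok(h, p, s, key["secret"]):
        raise ValueError("bad signature")
    return json.loads(_unb64(p))


def verify_hardened(token: str, expected_scope: str, now: int = NOW) -> dict:
    """Same signature check, plus the controls that close the gap."""
    h, p, s = token.split(".")
    kid = json.loads(_unb64(h)).get("kid")
    key = KEYS.get(kid)
    if key is None:
        raise ValueError(f"unknown kid {kid!r}")
    if key["scope"] != expected_scope:
        raise ValueError(f"key {kid} is a {key['scope']} key, not valid for {expected_scope}")
    if now > key["not_after"]:
        raise ValueError(f"key {kid} expired; tokens it signed must not be accepted")
    if not _signature_ok(h, p, s, key["secret"]):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(p))
    if claims.get("exp", 0) < now:
        raise ValueError("token expired")
    if claims.get("aud") != expected_scope:
        raise ValueError("audience mismatch")
    return claims


def forged_enterprise_token() -> str:
    """What an attacker holding the stolen consumer key can mint: claims for an
    enterprise user, signed with the consumer key (constructed claim values)."""
    return sign_token("msa-2016", {"sub": "victim@agency.example", "aud": "enterprise", "exp": NOW + 3600})


def check(verifier, token: str, *args) -> tuple:
    """Run a verifier and report ('accepted', claims) or ('rejected', reason)."""
    try:
        return ("accepted", verifier(token, *args))
    except ValueError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    forged = forged_enterprise_token()
    print(check(verify_vulnerable, forged))              # accepted: the forgery works
    print(check(verify_hardened, forged, "enterprise"))  # rejected: consumer key, wrong scope
    legit = sign_token("aad-2023", {"sub": "user@agency.example", "aud": "enterprise", "exp": NOW + 3600})
    print(check(verify_hardened, legit, "enterprise"))   # accepted
```

Run as-is, the forged token passes the vulnerable verifier and is refused by the hardened one before its signature is even checked, because the key that signed it is not an enterprise key. Passing an earlier `now` to verify_hardened shows the same consumer key being accepted for consumer tokens while it was still within its validity period, which is the distinction between a key that is merely old and one that should no longer be trusted at all.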
Wyden’s remarks came six days after researchers from security firm Wiz reported that the MSA key acquired by the hackers gave them the ability to forge tokens for multiple types of Azure Active Directory applications. They include all applications that support personal account authentication, such as SharePoint, Teams, OneDrive, and some custom applications.
“The full impact of this incident is much larger than we initially understood it to be,” the Wiz researchers wrote. “We believe this event will have long-lasting implications on our trust of the cloud and the core components that support it, above all, the identity layer which is the basic fabric of everything we do in cloud. We must learn from it and improve.”