Microsoft vs. Storm-0558

Last week Microsoft disclosed how China-based threat actor Storm-0558 managed to obtain the secret keys used for access to OWA and Outlook.com.

There were 3 things that led to the breach.

1. A crash dump leaked a sensitive key due to an unknown race condition

Our investigation found that a consumer signing system crash in April of 2021 resulted in a snapshot of the crashed process (“crash dump”). The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump (this issue has been corrected). The key material’s presence in the crash dump was not detected by our systems (this issue has been corrected).

2. The crash dump was moved to an internet-connected debugging environment, and credential scanning tools didn't catch it

We found that this crash dump, believed at the time not to contain key material, was subsequently moved from the isolated production network into our debugging environment on the internet connected corporate network. This is consistent with our standard debugging processes. Our credential scanning methods did not detect its presence (this issue has been corrected).

3. An engineer's corporate account with access to the debugging environment was compromised

After April 2021, when the key was leaked to the corporate environment in the crash dump, the Storm-0558 actor was able to successfully compromise a Microsoft engineer’s corporate account. This account had access to the debugging environment containing the crash dump which incorrectly contained the key. Due to log retention policies, we don’t have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key.

What I find interesting about these 3 key areas is that it would seem nearly impossible for all of these things to happen together in a way that leads to a data breach. And yet, they did happen. That's the problem with probabilities. There are so many "events" happening all around us that combinations of events which look probabilistically impossible are actually quite common.

The same is true for application security.