SolarWinds, China, and Microsoft's Signing Keys

This is bad.

Chinese hackers have gained access to a lot of networks hosted on Microsoft Azure. They used stolen signing keys likely obtained via the SolarWinds hack.

Bruce has some interesting insight:

Actually, two things went badly wrong here. The first is that Azure accepted an expired signing key, implying a vulnerability in whatever is supposed to check key validity. The second is that this key was supposed to remain in the the system’s Hardware Security Module—and not be in software. This implies a really serious breach of good security practice. The fact that Microsoft has not been forthcoming about the details of what happened tell me that the details are really bad.

Bruce Schneier | Wiz