A series of unfortunate events led to a catastrophic breach at Microsoft

  • A crash dump taken from a consumer system in 2021 contained a signing key; attackers found it and used it to mount further attacks on Microsoft corporate users.
  • Multiple process failures on Microsoft’s part allowed the signing key to end up in an environment it should never have been in.
  • Microsoft has detailed how it has addressed the failings and improved its defences to prevent a similar attack in future.

A series of failures on Microsoft’s part allowed attackers to access the accounts of two dozen organisations as well as United States government departments. This is according to the firm itself, which has detailed how the attackers obtained a signing key that let them carry out further attacks.

The whole affair began in April 2021 when a consumer system crashed. During the crash, a snapshot of the process, known as a crash dump, was created. A crash dump isn’t meant to contain sensitive information, but because of a race condition (a bug that appears when a system attempts to perform two operations at the same time), sensitive information in the form of a signing key was written to the dump.

“We found that this crash dump, believed at the time not to contain key material, was subsequently moved from the isolated production network into our debugging environment on the internet-connected corporate network. This is consistent with our standard debugging processes. Our credential scanning methods did not detect its presence (this issue has been corrected),” Microsoft explained.

Things took a turn for the worse when a bad actor compromised a Microsoft engineer’s corporate account. This engineer had access to the aforementioned debugging environment. Microsoft alleges that, with these compromised credentials, the bad actor was able to find the signing key mentioned previously and then execute the attack. The Redmond software giant attributes the attacks carried out with the signing key to a Chinese hacking collective it has dubbed Storm-0558.

However, this sequence of events is Microsoft’s best guess at what happened. It is guided by data, but the firm admits that, because of its log retention policies, it does not have logs showing the attacker exfiltrating the data mentioned above.

For those wondering how a consumer signing key was able to grant access to corporate accounts, Microsoft explains that it was due to its own mistakes and failures in how it updated API libraries and implemented security tokens. None of these is a major oversight on its own, but together they combined into a perfect storm of failures. From the crash dump, to the key finding its way into the developer environment, to the way key validation was implemented, small failures led to a massive problem not just for Microsoft but for its clients as well.

The firm has outlined the attack and how it is improving its processes to mitigate future damage. You can read that deep dive here but in summary, Microsoft has:

  1. Identified and resolved the race condition that allowed the signing key to be present in crash dumps,
  2. Enhanced prevention, detection, and response for key material erroneously included in crash dumps,
  3. Enhanced credential scanning to better detect the presence of signing keys in the debugging environment,
  4. Released enhanced libraries to automate key scope validation in authentication libraries, and clarified related documentation.
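Point 4 above is the check that let a consumer key vouch for enterprise accounts: signature verification alone does not tell a relying party which issuer a key is allowed to sign for. The following is an added illustration, not Microsoft’s code; it uses constructed HMAC keys as a stand-in for the real RSA signing keys and constructed issuer URLs, and compares a validator that only checks the signature against one that also checks that the key is scoped to the token’s issuer.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in keys (HMAC rather than RSA so the example runs offline).
# Each key is bound to the one issuer it is allowed to vouch for.
KEYS = {
    "consumer-key-1": {"secret": b"consumer-secret-demo", "issuer": "https://login.live.com"},
    "enterprise-key-1": {"secret": b"enterprise-secret-demo", "issuer": "https://sts.windows.net/contoso"},
}

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(kid, claims):
    """Build header.payload.signature with the named key (HS256 stand-in for RS256)."""
    head = b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def validate_token(token, expected_issuer, check_key_scope):
    """Return (accepted, reason). With check_key_scope=False the validator trusts any
    key in the set for any issuer as long as the signature verifies (the weak behaviour)."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        claims = json.loads(b64url_decode(body))
        signature = b64url_decode(sig)
    except ValueError:  # covers bad base64, bad JSON and wrong segment count
        return False, "malformed token"
    key = KEYS.get(header.get("kid"))
    if key is None:
        return False, "unknown kid"
    expected = hmac.new(key["secret"], f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    if claims.get("iss") != expected_issuer:
        return False, "issuer mismatch"
    # The missing check: the key must be scoped to the issuer it is vouching for.
    if check_key_scope and key["issuer"] != claims["iss"]:
        return False, "key not scoped to issuer"
    return True, "ok"

ENTERPRISE = "https://sts.windows.net/contoso"
# Constructed token that names the enterprise issuer but is signed with the consumer-scoped key.
CROSS_SCOPE_TOKEN = sign_token("consumer-key-1", {"iss": ENTERPRISE, "sub": "alice"})
```

Running `validate_token(CROSS_SCOPE_TOKEN, ENTERPRISE, check_key_scope=False)` accepts the token, while the same call with `check_key_scope=True` rejects it, which is the difference the updated libraries enforce.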

This incident has been met with accusations of negligence from those in the information security sector, as well as comments that Microsoft needs to be hit with a serious fine for its failings. While disclosing how the breach happened is commendable, it also highlights just how easily sensitive information can slip through the cracks.

If anything, this incident should serve as a warning to all businesses: take security seriously, because you never know what an attacker could find that may end up destroying your business.
