Microsoft explains how a crash dump led to a major security breach in Outlook
Microsoft disclosed on Wednesday, 6 September, that a China-based threat actor tracked as Storm-0558 obtained the inactive consumer signing key it later used to forge tokens and access Outlook by compromising an engineer's corporate account. That single compromise gave the actor both the key and the access.
The compromised account gave the adversary access to a debugging environment that held data from a crash of the consumer signing system, and from there the ability to steal the key. The crash occurred in April 2021. In its post-mortem, the Microsoft Security Response Center (MSRC) stated that "A consumer signing system crash in April of 2021 resulted in a snapshot of the crashed process ('crash dump')."
"It is not necessary for the signing key to be included in the crash dumps, which obscure sensitive information. In this instance, the key was able to be included in the crash dump because of race conditions. Our systems were unable to identify the presence of crucial information in the crash dump."
Microsoft stated that the crash dump was then moved to a debugging environment on its internet-connected corporate network. It is from this location that Storm-0558 is suspected to have obtained the key after breaking into the engineer's corporate account.
Because of Microsoft's log retention policies, it is currently unknown whether this was the precise mechanism the threat actor used: Microsoft has stated that it does not have logs offering concrete proof of the exfiltration.
Microsoft's report also refers to spear-phishing and token-stealing malware, but it does not detail how the engineer's account was compromised in the first place, whether other corporate accounts were breached, or when the company realized its security had been compromised.
Despite this, the most recent turn of events provides some insight into a chain of security blunders that culminated in the signing key falling into the hands of an expert actor with a "high degree of technical tradecraft and operational security."
Microsoft tracks the hacking group under the moniker Storm-0558. The group has been linked to the breach of approximately 25 organizations by gaining unauthorized access to Outlook Web Access (OWA) and Outlook.com, using the consumer signing key to do so.
The root cause of the zero-day was identified as improper validation that allowed the consumer key to be trusted for signing Azure AD tokens. Evidence suggests the malicious activity began about one month before it was discovered and investigated in June 2023.
This was possible because the "mail system would accept a request for enterprise email using a security token signed with the consumer key." Microsoft has since resolved the problem.
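The validation flaw described above is a scoping error: a key that is valid for one token population is accepted for another. The following added example (illustration only, not Microsoft's code; it uses constructed HMAC keys and made-up key ids as a stand-in for the real signing scheme) shows a weak validator that looks up the token's `kid` across a merged consumer-plus-enterprise key set, beside a hardened one that only consults the enterprise key set and checks the token's audience.

```python
import base64, hashlib, hmac, json
from typing import Optional

# Constructed key sets for two separate token scopes (not real keys).
CONSUMER_KEYS = {"consumer-kid-1": b"constructed-consumer-secret"}
ENTERPRISE_KEYS = {"enterprise-kid-1": b"constructed-enterprise-secret"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(kid: str, key: bytes, claims: dict) -> str:
    """Mint a compact JWT-like token: header.payload.signature (HS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def _verify(token: str, keyset: dict) -> Optional[dict]:
    """Verify the signature against ONLY the keys in `keyset`; return claims."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    key = keyset.get(header.get("kid"))
    if key is None:
        return None  # unknown key id for this scope: reject
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(body_b64))

def weak_enterprise_validate(token: str) -> Optional[dict]:
    """Weak: any known key, consumer or enterprise, is trusted for enterprise mail."""
    return _verify(token, {**CONSUMER_KEYS, **ENTERPRISE_KEYS})

def hardened_enterprise_validate(token: str) -> Optional[dict]:
    """Hardened: only enterprise keys are trusted, and the audience must match."""
    claims = _verify(token, ENTERPRISE_KEYS)
    if claims is None or claims.get("aud") != "enterprise-mail":
        return None
    return claims
```

The weak validator accepts a token signed with a consumer key that merely claims an enterprise audience; the hardened one rejects it, and a detection rule for the same condition is a token whose `kid` belongs to a different key set than the service it was presented to.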
After further investigation, cloud security company Wiz revealed in July that the stolen Microsoft consumer signing key may have been usable to gain unauthorized access to a variety of other cloud services. Microsoft, for its part, stated that it found no additional evidence of unauthorized access to applications other than email inboxes. It has also widened access to security logging in response to criticism that the feature was restricted to customers with Purview Audit (Premium) licenses, which left other customers unable to access the forensic data.