SlackDocumentReading - ConnorEast/Tech-Journal GitHub Wiki


Review of Summer 2023 MEO Intrusion PDF Notes:

The Microsoft Exchange Online intrusion was carried out by a group known as Storm-0558 (an affiliate of the Chinese government). After it occurred, the Cyber Safety Review Board (CSRB) investigated how it had happened. The State Department found the intrusion first and, after deciding it was likely malicious, sent Microsoft a request to investigate. Microsoft confirmed the breach and that the intruders had gained access through State's Outlook Web Access (OWA). In total, 21 organizations and 503 related users were impacted. The actor was signing its own tokens with a retired MSA key and using them to gain access to enterprise email accounts. It has not been determined how Storm-0558 obtained the 2016 MSA key.


In the end, the CSRB determined that the breach was preventable. It found the following:

  • A signing key was stolen, which let Storm-0558 gain full access to any Exchange Online account in the world.
  • Microsoft's code contained a number of errors that allowed the key to be stolen.
  • Other cloud providers had better security controls than Microsoft.
  • Microsoft failed to detect a compromised employee's laptop before allowing it to connect to its servers.
  • A compromise was found that allowed state actors to access highly sensitive corporate emails, source repositories, and internal systems.
  • The size of the corporation and its stranglehold on the world of critical government and economic security mean it must be held to the highest standards of security, accountability and transparency.

During the review it was found that Microsoft's corporate culture devalued security and risk management. Some of the major recommendations given to Microsoft are as follows:

  • Cloud Service Provider Cybersecurity Practices ---> Service providers must have modern controls and baseline practices dictated by a rigorous threat model that takes digital identity and credential systems into account.
  • Audit Logging Norms ---> Default audit logging should be provided to all cloud service users, without charge, to enable detection, prevention, and investigation.
  • Digital Identity Standards and Guidance ---> Implement identity standards that reduce the identity risks commonly exploited in the modern threat landscape.
  • Transparency ---> The company must disclose its practices to maximize transparency. This also includes notifying the individuals who were affected.
  • Security Standards and Compliance Frameworks ---> The government should establish a framework for special reviews of Microsoft-based cloud services.

How did they remedy this failure?

  1. They revoked the key's ability to sign tokens and cleared cached data.
  2. They updated the way Exchange Online accepted tokens and blocked requests that would exploit the vulnerability.
  3. They updated all system packages.
  4. They rotated signing keys.
  5. They enhanced monitoring to alert when suspicious activity occurs on identity systems.
  6. They published guides for organizations and users to follow to improve their security.
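As an added illustration of what remediation items 1 and 2 imply for a token verifier (this is example code, not from these notes, the CSRB report, or Microsoft), the Python below validates a compact signed token against a key registry and rejects a token before trusting any of its claims when the signing key is retired or was issued for a different scope (consumer MSA versus enterprise). The key registry, key ids, scopes and claims are constructed, and HMAC stands in for the asymmetric keys a real identity platform uses so that it runs offline.

```python
import base64, hashlib, hmac, json, time
from typing import Optional, Tuple

# Constructed key registry: key id -> secret, the scope the key may vouch for, and lifecycle status.
# HMAC secrets replace real asymmetric signing keys purely to keep the example self-contained.
KEYS = {
    "msa-2016": {"secret": b"retired-consumer-key", "scope": "consumer", "status": "retired"},
    "msa-2023": {"secret": b"active-consumer-key", "scope": "consumer", "status": "active"},
    "aad-2023": {"secret": b"active-enterprise-key", "scope": "enterprise", "status": "active"},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(kid: str, claims: dict) -> str:
    """Mint header.payload.signature with the named key (used here only to build test inputs)."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def validate_token(token: str, expected_scope: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Key lifecycle and scope are checked before the signature and claims."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64(header_b64))
    except ValueError:  # wrong segment count, bad base64 (binascii.Error) or bad JSON all derive from ValueError
        return False, "malformed token"
    key = KEYS.get(header.get("kid"))
    if key is None:
        return False, "unknown key id"
    if key["status"] != "active":  # a retired key must never validate anything, however old the token looks
        return False, f"key {header['kid']} is retired"
    if key["scope"] != expected_scope:  # a consumer (MSA) key cannot vouch for an enterprise tenant
        return False, f"key scope {key['scope']} does not match {expected_scope}"
    expected = hmac.new(key["secret"], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        return False, "bad signature"
    claims = json.loads(_unb64(payload_b64))
    if claims.get("exp", 0) < (now if now is not None else time.time()):
        return False, "token expired"
    return True, "ok"
```

The ordering matters: if the signature were checked first and the key set were not consulted for status and scope, a correctly signed token from a retired or out-of-scope key would still reach the claim checks.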