The CSRB Scolds Microsoft for a Lack of Security Culture
The results of an independent review of Microsoft's security practices
We’re coming off the high of one of the craziest near-miss cybersecurity issues we’ve seen in a long time. And what better way to ease ourselves back into everyday life than a scathing review of Microsoft's security practices…but not from me, from an independent board. Oh goodie!
Today we’re covering:
Microsoft gets in trouble
A crazy identity theft story
ALPHV/BlackCat moves their stolen money
-Jason
Spotlight
Microsoft Gets a Scolding
Microsoft found themselves in the principal’s office getting a good old-fashioned scolding. The wrist slap came from the Cyber Safety Review Board (CSRB), part of the Department of Homeland Security. The board was created based on an executive order from Joe Biden. Their directive? To “review and assess significant cyber incidents and make concrete recommendations that would drive improvements within the private and public sectors.”
We know Microsoft has been dealing with a growing number of attacks. Most recently, Russia hacked into their email accounts. But the CSRB’s report was for a different hack—one that happened in May 2023. In that attack, Chinese state-sponsored threat actors gained a crazy level of access: they could read any customer email account served through Outlook Web Access (OWA) in Exchange Online and Outlook.com—yes, ANY Microsoft 365 customer’s emails.
Let’s recap what happened and the “constructive feedback” the CSRB had for Microsoft.
The earliest evidence of compromise occurred in May 2023. Here’s a timeline of known activity:
Before May 2023: The threat actor obtained an MSA signing key (more on this later). It’s unknown how or when they stole the signing key.
June 15, 2023: The US State Department detected unauthorized access to their email accounts. They notified Microsoft the next day.
June 19, 2023: Microsoft began notifying other victims they identified in their initial investigation.
June 24, 2023: Microsoft plugged the root issue, cutting off the attacker’s ability to operate.
July 4, 2023: Microsoft began notifying additional victims identified in their investigation.
Let’s talk about the “key” to the attack. It was a key. Good talk. Oh, you want more? Well, more specifically, it was a Microsoft account (MSA) consumer signing key. This signing key creates authentication tokens to access Microsoft resources. Think of it like a doctor’s prescription pad. They use it to write scripts for drugs. The pharmacy sees the script, trusts it’s legit, and gives the drugs to someone. But here, instead of a pharmacy, it was any Microsoft customer email account.
Thanks to a Microsoft coding error, the attacker used the stolen MSA consumer signing key to issue an authentication token to their target’s email, which they could then access.
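To make that failure mode concrete, here is an added example (not Microsoft’s code or anything from the CSRB report) showing a token validator that accepts any known signing key next to one that also requires the key to belong to the issuer the service trusts. It uses HMAC secrets as a stand-in for Microsoft’s signing keys; the key ids, issuer names and the consumer/enterprise key pools are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in keys (HMAC secrets instead of real signing keys). Hypothetical ids.
KEYS = {
    "consumer-key-1": b"constructed-consumer-secret",
    "enterprise-key-1": b"constructed-enterprise-secret",
}
# Assumption: the binding a hardened validator should enforce, i.e. which key ids
# each issuer is permitted to sign with.
ISSUER_KEYS = {
    "consumer": {"consumer-key-1"},
    "enterprise": {"enterprise-key-1"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Mint a JWT-shaped token (header.body.signature) with the named key."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def _signature_and_issuer_ok(token: str, kid: str, expected_issuer: str) -> bool:
    header, body, sig = token.split(".")
    expected = hmac.new(KEYS[kid], f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return False
    return json.loads(_unb64(body)).get("iss") == expected_issuer


def verify_weak(token: str, expected_issuer: str) -> bool:
    """Weak: any key the service knows validates any token, whatever issuer it claims."""
    kid = json.loads(_unb64(token.split(".")[0]))["kid"]
    return kid in KEYS and _signature_and_issuer_ok(token, kid, expected_issuer)


def verify_hardened(token: str, expected_issuer: str) -> bool:
    """Hardened: the key id must be in the pool of the issuer this service trusts."""
    kid = json.loads(_unb64(token.split(".")[0]))["kid"]
    if kid not in ISSUER_KEYS.get(expected_issuer, set()):
        return False  # valid key, wrong issuer pool: reject before checking the signature
    return _signature_and_issuer_ok(token, kid, expected_issuer)
```

A token signed with the consumer key but claiming the enterprise issuer passes the weak check and fails the hardened one; that issuer-to-key binding is the check the “coding error” amounted to skipping.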
With a buffet of unlimited access to any email account, the threat actor was deliberate. They accessed 503 individual email accounts across up to 25 organizations, including the U.S. Department of State, the U.S. Department of Commerce, and the U.S. House of Representatives.
The CSRB had much to say about this incident and Microsoft’s security practices. Here’s a summary of the feedback:
A cascade of avoidable errors.
Failure to detect the theft and use of their “cryptographic crown jewels.”
Poor M&A security practices when granting access to Microsoft resources.
Not prioritizing rearchitecting legacy infrastructure to address the current landscape.
Weak security practices compared to other cloud service providers.
Lack of transparency and honesty in public statements.
The importance and significance of their products require the highest standards of security, accountability, and transparency.
This one quote sums it up pretty well…
“Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management”
Ouch…but it’s important to remember that Microsoft is a MAJOR target. So, yes, they should have done many things better, and considering they’re a target, they should be more experienced in making security-driven decisions. But it’s a big company, and securing it is a challenging, if not impossible, job.
But I like where they left things with Microsoft. They said they wanted to see a plan and accountability to execute against the plan. Now that’s something every security program could use.
News
What Else is Happening?
🤯 An identity theft victim was arrested and jailed for over a year while trying to prove his real identity. It stemmed from a 30-year identity theft scheme where a previous co-worker stole the victim’s identity and built an entire life in the victim’s name. Insane.
🔄 Another day, another VPN vulnerability. This time, we’re back to Ivanti with a vulnerability that could lead to remote code execution on the device. The company stated they weren’t aware of any customers being impacted yet, but it’s only a matter of time. They also stated their commitment to security…
🥖 Panera Bread’s IT systems went stale a few weeks back. This week, we learned it was because of a ransomware attack that encrypted the company’s servers. It impacted the ability to accept credit cards.
🍪 Google Chrome is stepping up its game with Device Bound Session Credentials (DBSC). This helps lock session cookies to the device that authentication occurred on. If implemented at large, this could help reduce the impact of stolen session cookies.
💰️ Wait, Russia is taking action against cybercriminals? In what I perceive to be a rare occurrence, the General Prosecutor’s Office of the Russian Federation (that’s a mouthful) approved an indictment against six people who stole over 160K credit cards from “foreign citizens.” Umm, thanks, Russia?...about time…
🗑️ As part of a class-action settlement, Google agreed to delete billions of data records tied to users’ browsing activities during private incognito browsing. One can only imagine what the bulk of that data was related to…
💸 After their exit scam, ALPHV/BlackCat is taking additional steps to obfuscate the funds to pocket the $22M ransom payment.
If you enjoyed this, forward it to a fellow cyber nerd.
If you’re that fellow cyber nerd, subscribe here.
See you next week!