Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

Crash Dump Error: How a Chinese Espionage Group Exploited Microsoft’s Mistakes

Microsoft reveals how a crash dump from 2021 inadvertently exposed a key that Chinese cyberspies later leveraged to hack US government emails.

NET vulnerability CVE-2023-38180 exploited

Microsoft has published a post-mortem detailing multiple errors that led to Chinese cyberspies hacking into US government emails, blaming the embarrassing incident on a crash dump stolen from a hacked engineer’s corporate account.

The crash dump, which dated back to April 2021, contained a Microsoft account (MSA) consumer key that was used to forge tokens to break into OWA and Outlook.com accounts.

“Our investigation found that a consumer signing system crash in April of 2021 resulted in a snapshot of the crashed process (“crash dump”). The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump,” Microsoft explained.

The software giant said the race condition issue has since been corrected.

Redmond also acknowledged a failure of its internal systems to detect sensitive secrets leaking from crash dumps. “The key material’s presence in the crash dump was not detected by our systems (this issue has been corrected),” the company said.

The company said the 2021 crash dump with signing key was subsequently moved from the isolated production network into its debugging environment on the internet connected corporate network. 

While this is consistent with Microsoft’s standard debugging processes, Microsoft fessed up to another error where its credential scanning methods did not detect the presence of the key.

Advertisement. Scroll to continue reading.

“After April 2021, when the key was leaked to the corporate environment in the crash dump, the Storm-0558 actor was able to successfully compromise a Microsoft engineer’s corporate account. This account had access to the debugging environment containing the crash dump which incorrectly contained the key,” the company explained.

In a stunning twist, Microsoft said that due to log retention policies, it does not have logs with specific evidence of this exfiltration by this actor, noting that the post-mortem is based on “the most probable mechanism by which the actor acquired the key.”

Microsoft’s admission that it does not retain logs to spot this type of activity follows intense criticism of the M365 licensing structure that essentially charges extra for customers to access forensics data during active malware investigations.

Microsoft has since announced plans to expand logging defaults for lower-tier M365 customers and increase the duration of retention for threat-hunting data.

The compromise, which led to the theft of email from approximately 25 organizations, prompted a scathing letter from U.S. senator Ron Wyden calling on the government to hold Microsoft responsible for “negligent cybersecurity practices” that enabled “a successful Chinese espionage campaign against the United States government.”

Last month, the U.S. government said its Cyber Safety Review Board (CSRB) would conduct an investigation into the Microsoft cloud hack and expand to “issues relating to cloud-based identity and authentication infrastructure affecting applicable CSPs and their customers”.

Related: US Senator Accuses Microsoft of ‘Cybersecurity Negligence’

Related: Microsoft Cloud Hack Exposed More Than Emails

Related: Chinese APT Use Stolen Microsoft Key to Hack Gov Emails

Related: Microsoft Bows to Pressure to Free Up Cloud Security Logs

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.

Register

Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to Outlook.com and Exchange Online.

Data Breaches

A group of hackers has leaked Atlassian employee records and floorplans, information that was obtained from third-party workplace platform Envoy.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Data Breaches

AT&T is notifying millions of wireless customers that their CPNI was compromised in a data breach at a third-party vendor.