Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Join Jim Reavis, CEO of CSA, & AT&T's top advisors on May 22 in Seattle for key security insights!

Automation is Key: DHS Report Unveils Lessons from the Microsoft Exchange Incident

Home
Industry Insights
Automation is Key: DHS Report Unveils Lessons from the Microsoft Exchange Incident

Blog Article Published: 05/02/2024

Originally published by Oasis Security.

Written by Amit Zimerman, Co-founder & CPO, Oasis Security.

Last week, the DHS Cyber Safety Review Board, established by President Biden, released a scathing report exposing critical oversights by Microsoft that enabled the targeted cyberattack by Chinese hackers on top-tier US government officials' email accounts.

This report, the third and most comprehensive review conducted by the independent board, serves as a vital resource for government officials and the broader security community to bolster the protection of their digital networks and infrastructure. Chaired by Robert Silvers, the Department of Homeland Security's undersecretary for policy, the board brings together a diverse array of government and industry experts.

TL;DR based on the report’s findings:

  • Several “avoidable errors” in Non-human Identity Management practices led to the breach, including failure to decommission an old signing key, use of a key across business and consumer networks, and oversight in non-human identity risk assessment of acquired firms.
  • A highly privileged private key that was “kind of forgotten”, was left unrotated for over 6 years. This is a common toxic combination of issues that hard to detect and exponentially increases risk
  • Microsoft's shift from manual to automatic key rotation is a positive step and underscores the necessity of prioritizing automation in Non-Human Identity Management.
  • DHS plans to launch initiatives and meet with companies to improve security standards, emphasizing the importance of transparency and proper Non-Human Identity management.

The Breach

‍Detected in June and attributed by US intelligence agencies to China's Ministry of State Security (MSS), exploited vulnerabilities within Microsoft's cloud infrastructure. This allowed MSS hackers to manipulate credentials and gain unauthorized access to emails belonging to key figures in the US Cabinet, as well as other prominent State Department officials.

‍In the spring of 2023, a sophisticated cyberattack orchestrated by an entity identified as Storm-0558 compromised the Microsoft Exchange Online mailboxes of 22 organizations and over 500 individuals globally. Associated with espionage activities linked to the People’s Republic of China, Storm-0558 exploited authentication tokens associated with a Microsoft key established in 2016. This intrusion had profound ramifications, affecting senior US government officials.

‍The compromise of these critical keys, essential for ensuring secure access to remote systems, equates to acquiring the crown jewels for any cloud service provider. In this instance, the stolen key granted the adversary unprecedented access, enabling Storm-0558 to infiltrate Exchange Online accounts worldwide and exert control over sensitive information and systems.

Storm-0558 Microsoft breach | Non-Human Identity Security


Breach Timeline

The Board's investigation reveals that the intrusion commenced in May 2023, with known adversaries' techniques addressed by the end of June 2023. Here's a high-level timeline, with a more detailed chronology provided in Appendix B.

May-June 15, 2023: Initial Intrusion, Pre-Discovery Phase

Between May and mid-June, Storm-0558 compromised Microsoft Exchange Online mailboxes of certain victims in the U.S., the U.K., and other locations. However, it's noted that Microsoft's window of compromise might have begun earlier than May 15, as per standard 30-day log retention practices.

June 15-19, 2023: Detection by Department of State

State authorities detected anomalous activity on June 15, informing Microsoft on June 16. With Microsoft's support, State conducted an investigation over the holiday weekend. By June 19, it was confirmed that a threat actor had accessed six State email accounts, including those linked to the Secretary of State's upcoming trip to Beijing.

June 16-26, 2023: Broadening of Investigation; Department of Commerce Identified as Victim

State reached out to Microsoft, CISA, and the FBI. CISA personnel, already present at State, began proactive threat hunting, while the FBI shared details about the threat actor. Microsoft initiated an investigation on June 16, presuming that Storm-0558 gained entry via State's OWA. Subsequently, Microsoft notified victim organizations in the U.K. and identified the Department of Commerce as another victim by June 23.

June 24, 2023: Closing the Attack Vector

Microsoft invalidated the stolen key used by the threat actor on June 24, halting Storm-0558's access to email accounts. Following this action, Microsoft observed Storm-0558 attempting phishing and other methods to regain access to compromised email boxes.

July 4, 2023 and Beyond: Continued Victim Notification and Remediation

Microsoft commenced victim notification during its initial investigation, a process that continued for weeks. Due to the nature of the intrusion, Microsoft was primarily responsible for identifying most victims and collaborated with the U.S. government to provide necessary support

Storm-0558 Microsoft breach


Key takeaways

#1 NHI Management needs to become an integral part of enterprise identity programs. The Microsoft breach is just the latest example in a rapidly growing trend of attacks that exploited unmanaged NHIs. Even technologically advanced and security aware organizations, such as Microsoft, can fall victim of attacks to unmanaged NHIs.

#2 Organizations should adopt practices and tools that keep both operational continuity efforts and security best practices aligned, and not in opposition. In 2021, following a large production outage, Microsoft had stopped their manual key rotation processes, leaving the key that was later compromised, as well as many others, much more vulnerable. Prioritizing operational continuity over security posture is a very common pattern that, in most cases, is caused by lack of contextual visibility which leads to inaction. The complexity and scale of NHIs requires purpose built tools that can automatically discover NHIs, create system dependency maps and identify high risk priorities

#3 Automate, automate, automate. When it comes to NHI management, automation is key because the scale is so vast. Companies can’t disregard the limitations of human driven processes, which are more prone to error and operationally expensive. While adding automating tasks like secret rotation typically requires integrating new tools and capabilities in your stack, the investment is absolutely critical for the long term success of the business. Microsoft's decision to move from manual to automatic key rotation is the right move to make and, had it been implemented sooner, it could have prevented the attack with undeniable business benefits.

#4 Rotation of keys and secrets is only one part of the larger challenge of complete non-human identity lifecycle management. While the latest report highlights several shortcomings, cloud transformation through vendors such as Microsoft still allows organizations to improve agility and, with the right approach, security posture. As environments become increasingly distributed spanning multiple clouds and hundreds of interconnect services, Non-Human Identities grow exponentially in scale. Consequently, security and operations teams need to adopt the right tools that enable effective cooperation across every phase of the lifecycle from provisioning, to rotation and decommission.


Conclusion

‍The revelations from this incident underscore a fundamental truth within today's intricate digital landscape: the management of non-human identities is a complex task that necessitates automation. Microsoft's breach, characterized by a series of preventable errors, starkly emphasizes the vulnerabilities associated with manual approaches to identity management.

‍Non-Human Identities serve as keystones in ensuring secure access to vital systems and resources. However, the sheer volume and intricacy of these identities render manual oversight impractical. Without the implementation of automated solutions, organizations are left susceptible to numerous risks, including unauthorized access, compromised credentials, and systemic vulnerabilities.

Cloud Key ManagementIdentity and Access ManagementTop Threats

Share this content on your favorite social network today!

Core Cloud
Related Resources
Top Threats to Cloud Computing
The eleven salient threats, risks, and vulnerabilities in the cloud.
Certificate of Cloud Security Knowledge (CCSK)
The industry's standard cloud security credential.
Corporate Membership
Gain knowledge and connections in the cloud industry.
Latest from CSA
AI Organizational Responsibilities
Save the date for SECtember.ai
The Six Pillars of DevSecOps
Trending This Week
#1 Analysis for CVE-2023-23397 Microsoft Outlook Vulnerability
#2 The 5 SOC 2 Trust Services: Criteria Explained
#3 Cloud Security Threats to Watch Out for in 2023
#4 Zero Trust and AI: Better Together
#5 The Top Cloud Computing Risk Treatment Options
Level up with Cloud Infrastructure Security Training
Related Articles:
Securing Generative AI with Non-Human Identity Management and Governance

Published: 05/16/2024

Navigating Cloud Security Best Practices: A Strategic Guide

Published: 05/15/2024

Unveiling the Dark Arts of Exploiting Trust

Published: 05/14/2024

The Importance of Securing Your Organization Against Insider and Offboarding Risks

Published: 05/14/2024