
Automation is Key: DHS Report Unveils Lessons from the Microsoft Exchange Incident

Published 05/02/2024

Originally published by Oasis Security.

Written by Amit Zimerman, Co-founder & CPO, Oasis Security.

Last week, the DHS Cyber Safety Review Board, established by President Biden, released a scathing report exposing critical oversights by Microsoft that enabled the targeted cyberattack by Chinese hackers on top-tier US government officials' email accounts.

This report, the third and most comprehensive review conducted by the independent board, serves as a vital resource for government officials and the broader security community to bolster the protection of their digital networks and infrastructure. Chaired by Robert Silvers, the Department of Homeland Security's undersecretary for policy, the board brings together a diverse array of government and industry experts.

TL;DR based on the report’s findings:

  • Several “avoidable errors” in Non-human Identity Management practices led to the breach, including failure to decommission an old signing key, use of a single key across business and consumer networks, and lapses in assessing the non-human identity risk of acquired firms.
  • A highly privileged private key that was “kind of forgotten” was left unrotated for over 6 years. A forgotten, long-lived, highly privileged credential is a common toxic combination: it is hard to detect, and it compounds risk.
  • Microsoft's shift from manual to automatic key rotation is a positive step and underscores the necessity of prioritizing automation in Non-Human Identity Management.
  • DHS plans to launch initiatives and meet with companies to improve security standards, emphasizing the importance of transparency and proper Non-Human Identity management.

The Breach

The breach, detected in June 2023 and attributed by US intelligence agencies to China's Ministry of State Security (MSS), exploited weaknesses within Microsoft's cloud infrastructure. This allowed MSS hackers to forge authentication credentials and gain unauthorized access to emails belonging to key figures in the US Cabinet, as well as other prominent State Department officials.

In the spring of 2023, a sophisticated cyberattack orchestrated by an entity identified as Storm-0558 compromised the Microsoft Exchange Online mailboxes of 22 organizations and over 500 individuals globally. Associated with espionage activities linked to the People’s Republic of China, Storm-0558 forged authentication tokens using a Microsoft signing key created in 2016. This intrusion had profound ramifications, affecting senior US government officials.

Signing keys like this one underpin authentication for every remote system a cloud provider operates, so their compromise equates to losing the crown jewels. In this instance, the stolen key granted the adversary unprecedented access, enabling Storm-0558 to infiltrate Exchange Online accounts worldwide and exert control over sensitive information and systems.

Breach Timeline

The Board's investigation reveals that the intrusion commenced in May 2023 and that the actor's known access was cut off by the end of June 2023. Here's a high-level timeline; the Board's report provides a more detailed chronology in its Appendix B.

May-June 15, 2023: Initial Intrusion, Pre-Discovery Phase

Between May and mid-June, Storm-0558 compromised Microsoft Exchange Online mailboxes of certain victims in the U.S., the U.K., and other locations. The Board notes that May 15 is only the earliest activity visible in the logs Microsoft retained (a standard 30-day retention window), so the window of compromise may have begun earlier.

June 15-19, 2023: Detection by Department of State

State Department staff detected anomalous activity on June 15 and informed Microsoft on June 16. With Microsoft's support, State conducted an investigation over the holiday weekend. By June 19, it was confirmed that a threat actor had accessed six State email accounts, including those linked to the Secretary of State's upcoming trip to Beijing.

June 16-26, 2023: Broadening of Investigation; Department of Commerce Identified as Victim

State reached out to Microsoft, CISA, and the FBI. CISA personnel, already present at State, began proactive threat hunting, while the FBI shared details about the threat actor. Microsoft initiated an investigation on June 16, initially presuming that Storm-0558 had gained entry through State's Outlook Web Access (OWA). Subsequently, Microsoft notified victim organizations in the U.K. and identified the Department of Commerce as another victim by June 23.

June 24, 2023: Closing the Attack Vector

Microsoft invalidated the stolen key used by the threat actor on June 24, halting Storm-0558's access to email accounts. Following this action, Microsoft observed Storm-0558 attempting phishing and other methods to regain access to the compromised mailboxes.

July 4, 2023 and Beyond: Continued Victim Notification and Remediation

Microsoft commenced victim notification during its initial investigation, a process that continued for weeks. Because only Microsoft held the telemetry needed to see the intrusion, it was primarily responsible for identifying most victims, and it collaborated with the U.S. government to provide necessary support.

Key takeaways

#1 Non-Human Identity (NHI) management needs to become an integral part of enterprise identity programs. The Microsoft breach is just the latest example in a rapidly growing trend of attacks that exploit unmanaged NHIs. Even technologically advanced and security-aware organizations, such as Microsoft, can fall victim to attacks that exploit unmanaged NHIs.

#2 Organizations should adopt practices and tools that keep operational continuity efforts and security best practices aligned, not in opposition. In 2021, following a large production outage, Microsoft stopped its manual key rotation process, leaving the key that was later compromised, as well as many others, far more exposed. Prioritizing operational continuity over security posture is a very common pattern that, in most cases, is caused by a lack of contextual visibility, which in turn leads to inaction. The complexity and scale of NHIs require purpose-built tools that can automatically discover NHIs, build system dependency maps, and identify high-risk priorities.

#3 Automate, automate, automate. When it comes to NHI management, automation is key because the scale is so vast. Companies can’t disregard the limitations of human-driven processes, which are more error-prone and operationally expensive. While automating tasks such as secret rotation typically requires integrating new tools and capabilities into your stack, the investment is critical for the long-term success of the business. Microsoft's decision to move from manual to automatic key rotation is the right move and, had it been implemented sooner, could have prevented the attack, with undeniable business benefits.

#4 Rotation of keys and secrets is only one part of the larger challenge of complete non-human identity lifecycle management. While the latest report highlights several shortcomings, cloud transformation through vendors such as Microsoft still allows organizations to improve agility and, with the right approach, security posture. As environments become increasingly distributed, spanning multiple clouds and hundreds of interconnected services, Non-Human Identities grow exponentially in scale. Consequently, security and operations teams need to adopt the right tools to enable effective cooperation across every phase of the lifecycle, from provisioning to rotation and decommissioning.
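The lifecycle failures named in the TL;DR and in takeaways #2 through #4 (an old key left active long past any rotation policy, a key honored outside the realm it was issued for, a retired key never actually decommissioned) can each be turned into a mechanical check. The Python below is an added illustration written for this page; it is not code from the Board's report, from Microsoft or from Oasis Security. The key inventory, key IDs, the consumer/enterprise realm split, the 90-day rotation policy and the HMAC-based token format are all constructed stand-ins for a real identity provider's key store and asymmetric signatures.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime

# Constructed signing-key inventory for this example (not Microsoft's real key
# material or identifiers). Each key is scoped to one realm, consumer or
# enterprise, and carries its creation date and its lifecycle state.
KEY_INVENTORY = {
    "msa-2016-01": {"realm": "consumer", "created": "2016-04-01",
                    "state": "active", "secret": b"consumer-secret-2016"},
    "ent-2022-11": {"realm": "enterprise", "created": "2022-11-01",
                    "state": "retired", "secret": b"enterprise-secret-2022"},
    "ent-2023-02": {"realm": "enterprise", "created": "2023-02-15",
                    "state": "active", "secret": b"enterprise-secret-2023"},
}

ROTATION_DAYS = 90  # assumed rotation policy for this example


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict, inventory=KEY_INVENTORY) -> str:
    """Mint a compact JWT-style token (header.payload.signature) with HMAC-SHA256.

    HMAC stands in for the asymmetric signatures a real issuer uses so the example
    has no dependencies. There is deliberately no lifecycle check here: whoever
    holds the key bytes can sign, which is exactly the problem a stolen key poses.
    """
    header = {"alg": "HS256", "kid": kid}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(inventory[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def verify_token(token: str, expected_realm: str, inventory=KEY_INVENTORY) -> dict:
    """Return the claims if the token is acceptable for expected_realm, else raise ValueError.

    Two lifecycle checks run before any cryptography: the key must still be active
    (a retired key is rejected even though its signature would still verify), and
    the key must be scoped to the realm this relying party serves, so a
    consumer-realm key never validates an enterprise token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    kid = json.loads(_unb64(h_b64)).get("kid")
    key = inventory.get(kid)
    if key is None:
        raise ValueError(f"unknown kid {kid!r}")
    if key["state"] != "active":
        raise ValueError(f"key {kid} is {key['state']}, not active")
    if key["realm"] != expected_realm:
        raise ValueError(f"key {kid} is scoped to {key['realm']}, not {expected_realm}")
    expected = hmac.new(key["secret"], f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s_b64)):
        raise ValueError("signature mismatch")
    return json.loads(_unb64(p_b64))


def token_accepted(token: str, expected_realm: str) -> bool:
    """Boolean wrapper around verify_token for policy checks and tests."""
    try:
        verify_token(token, expected_realm)
        return True
    except ValueError:
        return False


def stale_keys(as_of: str, max_age_days: int = ROTATION_DAYS, inventory=KEY_INVENTORY) -> list:
    """Active keys older than the rotation policy on the given ISO date (YYYY-MM-DD).

    This is the inventory sweep a scheduled rotation job runs: a key that is active
    and past its age limit is a finding whether or not anyone remembers it exists.
    """
    now = datetime.fromisoformat(as_of)
    found = []
    for kid, key in inventory.items():
        age_days = (now - datetime.fromisoformat(key["created"])).days
        if key["state"] == "active" and age_days > max_age_days:
            found.append(kid)
    return sorted(found)


if __name__ == "__main__":
    consumer_token = sign_token("msa-2016-01", {"sub": "someone@example.com"})
    # Same token, two relying parties: accepted in its own realm, rejected across realms.
    print("consumer RP accepts consumer-key token:", token_accepted(consumer_token, "consumer"))
    print("enterprise RP accepts consumer-key token:", token_accepted(consumer_token, "enterprise"))
    # A retired key still produces a valid signature; the lifecycle check rejects it anyway.
    print("retired key accepted:", token_accepted(sign_token("ent-2022-11", {"sub": "x"}), "enterprise"))
    # Scheduled inventory sweep: which active keys are past the rotation policy?
    print("stale keys on 2023-05-01:", stale_keys("2023-05-01"))
```

The point of the design is that the realm and state checks happen in the verifier, from the inventory, not from anything inside the token: a token's own header cannot promote a consumer key into the enterprise realm, and revoking a key in the inventory takes effect without re-issuing anything. The `stale_keys` sweep is what turns "rotation policy" from a document into an alert.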


Conclusion

The revelations from this incident underscore a fundamental truth within today's intricate digital landscape: managing non-human identities is a complex task that necessitates automation. Microsoft's breach, characterized by a series of preventable errors, starkly emphasizes the vulnerabilities associated with manual approaches to identity management.

Non-Human Identities serve as keystones in ensuring secure access to vital systems and resources. However, the sheer volume and intricacy of these identities render manual oversight impractical. Without automated solutions, organizations are left susceptible to numerous risks, including unauthorized access, compromised credentials, and systemic vulnerabilities.
