Microsoft's Security Culture Just Isn't up to Scratch

PLUS: The UK Government Helps Itself

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by the Cyber Initiative at the Hewlett Foundation and this week's edition is brought to you by Red Canary.

You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. Find this edition here and on Spotify:

Security culture, Stable Diffusion

Last week, Microsoft released its latest report into how its services were compromised by a China-based actor it called Storm-0558. It's an eye opening document that raises some red flags about Microsoft's security culture.

To summarise the incident briefly, Storm-0558 used a Microsoft Account (MSA) signing key to gain access to the email accounts of individuals in businesses and in government departments including the US Department of State and the US Department of Commerce. For several reasons this hack should not have worked, yet Storm-0558 was able to take advantage of multiple flaws in Microsoft processes to achieve its objectives.

From the perspective of someone who has worked in high-security environments, some of these flaws are absolutely bewildering.

They raise serious concerns about the way Microsoft approaches security.

For example, in this incident an MSA consumer key was able to access enterprise accounts. This is explained in Microsoft's report:

To meet growing customer demand to support applications which work with both consumer and enterprise applications, Microsoft introduced a common key metadata publishing endpoint in September 2018. As part of this converged offering, Microsoft updated documentation to clarify the requirements for key scope validation – which key to use for enterprise accounts, and which to use for consumer accounts.  

As part of a pre-existing library of documentation and helper APIs, Microsoft provided an API to help validate the signatures cryptographically but did not update these libraries to perform this scope validation automatically (this issue has been corrected). The mail systems were updated to use the common metadata endpoint in 2022. Developers in the mail system incorrectly assumed libraries performed complete validation and did not add the required issuer/scope validation. Thus, the mail system would accept a request for enterprise email using a security token signed with the consumer key (this issue has been corrected using the updated libraries).

Microsoft combined two systems that had been logically separated, but apparently it never occurred to anyone involved in the process that in doing so, they should update the software libraries to enforce access boundaries. In a security-conscious organisation this change in architecture would be identified as a potential security risk very early in the process and mitigations developed, implemented, and tested.

As it was… it appears that everyone thought enforcing security boundaries was someone else's job and so nothing happened.

Additionally, the purloined key notionally expired in April 2021 but was successfully used by Storm-0558 in 2023. Microsoft systems weren't enforcing key expiration dates because… why? No one thought to confirm that keys expired in practice?
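To make the two gaps above concrete (a library that proves a token is authentic but never checks which key signed it, and an expiry date nobody enforces), here is a constructed Python sketch added for this edition. It is not Microsoft's code: the key ids, secrets, dates and token format are invented, and HMAC stands in for the real asymmetric signing scheme.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime

# Constructed stand-in for a "common key metadata publishing endpoint":
# consumer and enterprise keys are published side by side, each tagged with
# the account scope it may vouch for and an expiry date (all values invented).
KEY_METADATA = {
    "msa-key-1": {"secret": b"consumer-secret", "scope": "consumer",
                  "expires": "2021-04-30T00:00:00+00:00"},
    "aad-key-7": {"secret": b"enterprise-secret", "scope": "enterprise",
                  "expires": "2030-01-01T00:00:00+00:00"},
}

def sign_token(kid, claims):
    """Mint a token: base64(JSON claims incl. key id) + '.' + HMAC-SHA256 hex."""
    body = base64.urlsafe_b64encode(json.dumps({"kid": kid, **claims}).encode())
    sig = hmac.new(KEY_METADATA[kid]["secret"], body, hashlib.sha256).hexdigest()
    return body.decode() + "." + sig

def _verify_signature(token):
    """Return the claims if the signature matches the named key, else None."""
    body, _, sig = token.partition(".")
    claims = json.loads(base64.urlsafe_b64decode(body))
    key = KEY_METADATA.get(claims.get("kid"))
    if key is None:
        return None
    expected = hmac.new(key["secret"], body.encode(), hashlib.sha256).hexdigest()
    return claims if hmac.compare_digest(sig, expected) else None

def validate_signature_only(token, required_scope, now_iso):
    """The gap: the helper only proves the token is authentic. It never asks
    whether the signing key is allowed to vouch for this kind of account or
    whether the key is still valid, so a consumer-key token reaches enterprise
    mail. required_scope and now_iso are deliberately ignored here."""
    return _verify_signature(token) is not None

def validate_fully(token, required_scope, now_iso):
    """Corrected check: authentic AND signed by a key whose published scope
    matches the resource being accessed AND whose expiry has not passed."""
    claims = _verify_signature(token)
    if claims is None:
        return False
    key = KEY_METADATA[claims["kid"]]
    if key["scope"] != required_scope:
        return False  # wrong issuer/scope: a consumer key must not unlock enterprise mail
    return datetime.fromisoformat(now_iso) < datetime.fromisoformat(key["expires"])
```

Run against a consumer-key token presented to an enterprise mailbox in 2023, the signature-only check says yes and the full check says no, on both the scope and the expiry grounds.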

My former colleague at ASD, Vaughan Shanks, CEO of Cydarm and a computer scientist who has worked at both ASD and NSA, described these lapses as "flabbergasting".

Shanks also pointed to Microsoft's handling of crash dumps in this incident as an indicator of a lax security culture.

In this compromise, Microsoft believes the key in question was stolen when a consumer signing system crashed in April 2021. Following Microsoft's "standard debugging process" this crash dump was transferred from the company's hardened production environment to the company's debugging system on its corporate network.

Sometime after April 2021, Storm-0558 compromised a Microsoft engineer’s corporate account with access to the debugging environment. Microsoft thinks the "most probable" way Storm-0558 obtained the key is by grabbing this crash dump, although the company doesn't have logs with specific evidence of the data being taken because of its log deletion policy.

Microsoft had several independent measures in place that should have prevented the key from ending up on its corporate network. These measures — redacting keys from crash dumps and subsequently scanning for key material and credentials at different points in processing — all failed. Microsoft says that all these technical issues have been fixed, but the broader problem here is that Microsoft prioritised convenience over security.

That may be OK for some Microsoft systems, but when dealing with the keys to the kingdom why take risks that will not just bite you, but take a huge chunk out of your ass if they are realised?

"If you are dealing with the fundamental root of trust", Shanks says, "you should probably accept that you need to work in a windowless basement without internet access".

This isn't an isolated security gaffe and this newsletter has consistently lamented Microsoft's approach to security. The mistakes we've highlighted above — not ensuring scope is respected when systems are combined and treating crash dumps potentially containing signing keys with standard processes — aren't bizarre edge cases that could catch any organisation by surprise. These are decision-making failures that simply wouldn't happen in an organisation that actually cared about security. This breach didn't happen because of a series of amazing coincidences, it happened because Microsoft's security culture is not up to scratch.

UK Government Works Hand in Hand With... Itself

The UK's Information Commissioner's Office (ICO) and National Cyber Security Centre (NCSC) have signed a Memorandum of Understanding (MOU) that will get the two organisations working together to improve cyber security standards.

Ultimately both organisations share broadly similar strategic goals: to protect the public and make the UK safer from cyber crime and data breaches. However, some functions and responsibilities the organisations have could discourage firms from engaging with them. For example, where the NCSC might help a firm with incident response, the ICO could potentially fine it for poor cyber security practice.

The MOU is a formal attempt to maximise cooperation between the two bodies while minimising the fear that the NCSC might rat out an organisation to the ICO. The ICO's release directly addresses that particular fear, saying the MOU "reaffirms that the NCSC will never pass information shared with it in confidence by an organisation to the ICO".

For its part, the ICO says it will encourage organisations to engage with the NCSC. In a sentence that would never be written outside government, the ICO says it "commits to exploring how it can transparently demonstrate that meaningful engagement with the NCSC will reduce regulatory penalties". Translated from weasel words to English, this is (may be?) a promise to consider reducing fines for organisations that work with the NCSC.

In May this year the NCSC and ICO issued a coordinated call for company transparency regarding cyber attacks, especially involving ransomware. They said they were "increasingly concerned about what happens behind the scenes of the attacks we don’t hear about, particularly the ransomware ones".

We don't think the MOU will actually change all that much about how the two organisations operate, but it gives them both a formal document they can point to when reassuring victims that might otherwise hesitate to get in touch.

DoD Cyber Strategy To Make Friends and Influence People

The US Department of Defense (DoD) has released the unclassified summary of its 2023 cyber strategy and although it is pretty much what you'd expect, there are parts of the strategy we like. For example, the DoD does not think that cyber operations in isolation are all that useful. From the introduction:

The Department's experiences have shown that cyber capabilities held in reserve or employed in isolation render little deterrent effect on their own. Instead, these military capabilities are most effective when used in concert with other instruments of national power, creating a deterrent greater than the sum of its parts.

Happily, the department's goal to "disrupt and degrade malicious cyber actors" is framed quite broadly and includes "degrading [malicious actors’] supporting ecosystems". The DoD appears to be taking a supporting role here and the document speaks of "complement[ing] concurrent actions by the diplomatic, law enforcement, and intelligence communities, among others".

Another aspect of the strategy we like is that it describes allies and partners as a "force multiplier" and "a foundational strategic advantage for the United States". The strategy specifically mentions ‘hunt forward’ operations and technical collaboration with partners that can "illuminate malicious cyber activity on their networks".

There is an opportunity here to win friends and influence non-aligned countries by exposing malicious activity coming from countries such as the PRC and Russia. It's one thing for a government to generally understand that cyber espionage goes on, it's another thing to know for sure that the PRC or Russia is actively hacking it.

Three Reasons to be Cheerful this Week:

  1. Free vulnerability scanning for US water utilities: The Cybersecurity and Infrastructure Security Agency (CISA) has announced it is opening up its Vulnerability Scanning (VS) service to US water and wastewater utilities. More coverage at Risky Business News.
  2. Real-time safe browsing for Chrome: Google is extending its Safe Browsing malicious link and file warning system to provide real-time protection for all Chrome users. Until now, Chrome had updated its list of malicious sites every 30 to 60 minutes, but Google says that nowadays 60% of phishing sites exist for less than 10 minutes. The firm says the new default won't share your browsing history with Google.
  3. US and UK sanction 11 Trickbot members: The US and UK governments have imposed sanctions on and revealed the real-world identities of 11 members of the Trickbot cybercrime operation. The new sanctions come after both governments doxxed and sanctioned seven members earlier this year in February. Risky Business News has additional coverage.

In this Risky Business News sponsor interview, Catalin Cimpanu talks with Red Canary Principal Readiness Engineer Gerry Johansen about the need to prepare IR plans in advance and why that’s just as important as the IR playbook itself.

Shorts

Cyber War Crimes are Just War Crimes

The International Criminal Court's (ICC) Prosecutor, Karim A. A. Khan, has penned a pretty sensible article essentially saying that cyber operations are just another tool that can be used to commit war crimes. Therefore, these operations need to comply with International Humanitarian Law (i.e. the Rules of War) and be targeted, proportionate and necessary. This is consistent with our view that "cyber war crimes are not a thing".

Khan also notes that the ICC needs to improve its own security practices to defend itself, because "disinformation, destruction, the alteration of data, and the leaking of confidential information may obstruct the administration of justice at the ICC".

Russian Cyber Criminals Land In Turkey

The Financial Times reports that some Russian cybercriminals have moved to Turkey fearing that they would be conscripted into the war effort in Ukraine if they remained in Russia.

In theory perhaps, a hacker's location shouldn't matter, but a Turkish police official told the Financial Times that the criminals avoid targeting Turks to avoid attracting the attention of local authorities. A local information security specialist told the Financial Times "Russian hackers taught their Turkish counterparts sophisticated code to collate the vast amounts of data being harvested, while the Turkish criminals leveraged their contacts in western Europe, especially Germany, to secure better prices for efficiently organised data sets".

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).

In our last "Between Two Nerds" discussion Tom Uren and The Grugq look at how AI can turbocharge cyber scams.

From Risky Biz News:

Microsoft to phase out 3rd-party printer drivers for security reasons: Microsoft will phase out the use of third-party printer drivers in Windows in favor of a new and more secure interface.

"In the near future, Windows will default to a new print mode that disables 3rd party drivers for printing," said Microsoft security engineer Johnathan Norman.

"That new system will have quite a few big security improvements, which we plan to detail in a future blog post."

[more on Risky Business News]

US and UK dox and sanction 11 more Trickbot/Conti members. Charges included too: The US and UK governments have revealed the real-world identities and imposed sanctions on 11 additional members of the Trickbot/Conti cybercrime operation. The new sanctions come after both governments doxed and sanctioned seven members earlier this year in February.

All 18 sanctioned individuals are Russian nationals, and both US and UK officials said some of the group's key members "highly likely maintain links to the Russian Intelligence Services from whom they have likely received tasking," which explains why the Conti crew was one of the first cybercrime groups to come out and support Russia's invasion of Ukraine.

[more on Risky Business News, including a summary of the sanctioned individuals and their roles in the cybercrime groups]

Myanmar fraud crackdown: China's Ministry of Public Security (MPS) says it received 1,207 suspects from Myanmar law enforcement. The suspects were detained last week as part of a coordinated large-scale crackdown against scam call centres in Myanmar's northern regions. The suspects are accused of scamming Chinese citizens in telecom fraud and extortion schemes. A Chinese police report claimed that 95% of the Chinese nationals working in northern Myanmar call centres had gone there "voluntarily" after failing to find employment in China. Previous reporting on the topic and a UN report say the opposite, claiming that many are trafficked and forced to work in the call centres against their will.

Note: It's a complicated issue. The UN report also says:

In some cases, individuals may have understood that they were being recruited to conduct online fraud but were deceived as to the conditions — for example they were not aware that they would be detained in the compounds, under- or unpaid, subject to beatings and other forms of violence, or forced to pay a ransom in order to leave.