On Microsoft, Wyden's Bark May Have Some Bite

PLUS: Slamming the Back Door Shut at the FBI

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray with help from Catalin Cimpanu. It's supported by the Cyber Initiative at the Hewlett Foundation and this week's edition is brought to you by GreyNoise.

You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. Find this edition here and on Apple podcasts:

Photo by Konstantin Evdokimov on Unsplash

Microsoft's lacklustre cloud product security is finally biting it on its ass. In a strongly worded open letter to key US government agency heads, Senator Ron Wyden, a member of the Senate's Intelligence Committee, asked them to investigate what he called "negligent cybersecurity practices" by Microsoft that enabled a recent hack of the company's cloud services by a hostile actor, likely from the PRC.

Wyden's letter requests action on the issue from several different US government agencies, including the Federal Trade Commission (FTC), the Department of Justice and the Cybersecurity and Infrastructure Security Agency (CISA).

He asked the FTC to investigate whether Microsoft's security practices violated a prior consent decree and its regulations, and the Department of Justice to explore whether Microsoft had violated federal contracting laws through negligent security practices.

He also requested CISA Director Jen Easterly direct the Cyber Safety Review Board (CSRB) to examine the incident:

In particular, the Board should examine whether Microsoft stored the stolen encryption key in an HSM, a best practice recommended by the National Security Agency and even by Microsoft, and if not, examine why Microsoft failed to follow its own security advice. The Board should also examine why Microsoft’s negligence was not discovered during the external audits that were required to obtain certification for government use under the FedRAMP program, or during Microsoft’s own internal security reviews.

In the hack in question, the actor breached Microsoft services to gain access to US government email systems, including those of the State and Commerce departments. Microsoft calls the actor responsible 'Storm-0558'.

Wyden says in his letter "even with the limited details that have been made public so far, Microsoft bears significant responsibility for this new incident" and cites several pieces of evidence to back up his claim.

First, Microsoft should not have had a single skeleton key that, when inevitably stolen, could be used to forge access to different customers’ private communications. Second, as Microsoft pointed out after the SolarWinds incident, high-value encryption keys should be stored in an HSM [Hardware Security Module], whose sole function is to prevent the theft of encryption keys. But Microsoft's admission that they have now moved consumer encryption keys to a “hardened key store used for our enterprise systems” raises serious questions about whether Microsoft followed its own security advice and stored such keys in an HSM. Third, the encryption key used in this latest hack was created by Microsoft in 2016, and it expired in 2021. Federal cybersecurity guidelines, industry best practices, and Microsoft’s own recommendations to customers, dictate that encryption keys be refreshed more frequently, for the very reason that they might become compromised. And authentication tokens signed by an expired key should never have been accepted as valid. Finally, while Microsoft’s engineers should never have deployed systems that violated such basic cybersecurity principles, these obvious flaws should have been caught by Microsoft’s internal and external security audits. That these flaws were not detected raises questions about what other serious cybersecurity defects these auditors also missed.

Most damning about the incident, in our view, was that Microsoft's architecture had several vulnerabilities that meant Storm-0558 somehow acquired a key notionally designed to protect consumer services only, and then used that key to gain access to targeted government email accounts. To add insult to injury, the key had technically expired when Storm-0558 used it.

We believe a series of compounding errors like this is symptomatic of a broader problem at Microsoft. We have written previously about what we see as a lukewarm approach to security at the vendor. When communicating about security issues that have the potential to make it look bad, Microsoft regularly chooses to downplay issues rather than being completely clear with customers about their impact.

Microsoft has already made a number of changes that should (in theory!) prevent the vulnerabilities exploited by Storm-0558 being used again in other hacks. These measures include revoking all signing keys valid at the time of the incident, and blocking use of the specific key used by Storm-0558.

So a CSRB review might not result in many new specific technical recommendations.

From this narrow perspective, there wouldn’t be that much to be gained from this kind of review.

We don't think, however, that Microsoft's failings fundamentally revolve around whether it actually used an HSM or how well audits were done. These are symptoms rather than root causes. The real problem is that Microsoft isn't prioritising security as much as it should.

So we think there is tremendous value in the process of a heavyweight CSRB review. While the CSRB conducts reviews rather than investigations and doesn’t have subpoena power, its status means Microsoft would be foolish not to cooperate fully. Such a review would hold the company's feet to the fire and force it to reevaluate the extent to which it prioritises security.

At this point, the ball is in Microsoft's court. Will it preempt any investigation by turning over a new leaf? Or can we expect more of the same?

Slamming the Back Door Shut at the FBI

A US Presidential board reviewing Section 702 intelligence collection has recommended that Congress renew the authority but also that the FBI's access be limited to foreign intelligence purposes only.

This makes sense, and echoes our thoughts on the subject, since the FBI has been particularly cavalier in its querying of 702 data. Section 702 of the Foreign Intelligence Surveillance Act allows US intelligence agencies to compel service providers to help conduct targeted surveillance of foreigners outside the US. It's controversial because even though collection targets foreigners, it takes place on US soil and 'US persons' (citizens and lawful residents) occasionally get swept up into the database (known as incidental collection).

Another recommendation we like is one the board makes to inform the public about what the 702 program is used for:

Enhance transparency by declassifying, to the greatest extent possible, the certifications specifying the categories of authorised collection under Section 702.  This would increase the public’s awareness of 21st century national security risks, the vital contributions of signals intelligence for understanding and countering those risks, and the safeguards that protect privacy and civil liberties.

Other recommendations aim to improve processes and oversight, especially for queries regarding US persons.

The report doesn't recommend that US person queries require a warrant or court order. In the first place, it argues that the data is collected lawfully and these queries are only permitted when they will likely return foreign intelligence information. Furthermore, the queries are used as a "preliminary exploratory tool… to determine whether there is either a threat to a US person or the nefarious involvement of a US person".

The report provides a number of examples where US person queries allowed the FBI to respond to foreign threats. In one cyber-related example, queries related to US network infrastructure indicated a potential compromise because of the high volume of data communications with a foreign state cyber actor. The FBI was able to inform the network operator so they could take action against the intrusion.

In a counter-intelligence example, the report says that US person queries are "critical" to the FBI's efforts against foreign intelligence officers trying to recruit Americans as assets. These queries help confirm contact and determine whether the US person is an unwitting contact or already acting as an agent.

US person queries enable the FBI to "quickly identify who might be unwitting in their communication with a Chinese intelligence officer and in need of a defensive briefing, versus those who might be all the way through the recruitment cycle and already working as an asset for a foreign intelligence service inside the United States," the report says.

In both examples, there was no probable cause to suspect the network operator or individual was acting as the agent of a foreign power, so a requirement to obtain a warrant would have prevented any FBI response.

Our overall impression is that the board takes this all very seriously and is striking a reasonable balance. In one paragraph, for example, it admitted "misgivings" because of the government's inability to estimate the amount of incidental US person collection that occurs under Section 702. It'd like NSA to have a crack at estimating it, but:

We believe that because any effort to do so would involve manually scrutinising each e-mail address within the data set, the process of counting such collection itself would unduly violate the privacy and civil liberties of US persons.

We are not sure that the focus on incidental collection in Section 702 is all that important. US persons are everywhere, and incidental collection occurs under an array of programs worldwide. What's more important is that protections for US citizens are robust no matter what the collection source.

Three Reasons to be Cheerful this Week:

  1. Azure continuous location evaluation: Microsoft has launched 'Continuous Access Evaluation' a new feature that will block clients in near real-time if they appear to be accessing resources from outside approved IP address ranges. Previously, clients were reassessed at regular time intervals and attackers that had stolen access tokens could take advantage of the grace period before these tokens needed to be refreshed.
  2. Google reports more bug collisions: In its review of 0days exploited in the wild in 2022, Google's Threat Analysis Group (TAG) finds there is an increasing trend towards "bug collisions", where more than one security researcher finds the same vulnerability. TAG thinks this is probably "a win for defence" and it reports that security researcher reports often help fix 0days that attackers are already using. The whole report is interesting and worth a read.
  3. New supply chain analysis tools: The Rust foundation publicly released Painter, a tool for analysing Rust project supply chains. Oracle also recently released Macaron, a analysis tool that checks whether a software is built as expected

In this Risky Business News sponsor interview, Catalin Cimpanu talks with GreyNoise founder and CEO Andrew Morris about the company's vast network of honeypots and how they're preparing to take it to the next phase.


New York Times Amps Up Typhoon's Voltage

The New York Times reports the US government is searching for Chinese hackers that are positioning themselves to be able to disrupt US military operations in the event of a conflict.

The activity appears to be connected to a Chinese campaign that Microsoft revealed in May by an actor it calls 'Volt Typhoon'. At the time the company thought with "moderate confidence" that Volt Typhoon's campaign was "pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises".

The New York Times article itself is light on details, but Chief Analyst at Mandiant John Hultquist tweeted that "We found this actor in land, air, and sea transportation targets which could be leveraged for a serious disruption to logistics".

Is the PRC positioning itself for destructive cyber operations just in case? Or is it getting ready for a planned action in the Taiwan Strait? It looks like its preparations are bigger than we thought, but we still don't know what it is preparing for.

Former Russian Cyber Security Executive Jailed In Russia

Ilya Sackhov, Russian cyber security executive has been sentenced to a 14-year prison sentence for treason. Sackhov was the former CEO of Group-IB, a Russian cyber security firm that has since relocated its headquarters to Singapore. Details of the case have never been made public by Russian authorities, although media reports claim Sackhov provided the US with information about Russian operations that tried to influence the 2016 US Presidential election. Krebs On Security has further reporting.

In the End, Russia Won in Kazakhstan

Nikita Kislitsin, another former Group-IB employee will not be extradited to the US from Kazakhstan. Kislitsin was detained in Kazakhstan at the behest of US authorities who allege he was involved in the theft and sale of data from former social media site Formspring. Predictably, the Russian government responded by also trying to extradite Kislitsin.

These tug-of-war battles regularly occur when Russian cyber criminals are arrested outside of and potentially face extradition to the US. We explored Russian government motivations in these diplomatic contests and found that it was probably about thwarting the US rather than protecting Russian state secrets. But it looks like Russia will win this round.

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).

In our last "Between Two Nerds" discussion Tom Uren and The Grugq look at the rights and wrongs of intellectual property theft.

From Risky Biz News:

SEC adopts new cybersecurity rules; adopts 4-day disclosures: The US Securities and Exchange Commission has passed a new set of cybersecurity rules for publicly traded companies.

The new rules would require companies to disclose any cybersecurity incident to the SEC within four days after a company has deemed the incident grave to be "material". In the context of the SEC, material refers to events that impact a company's operations, finances,

The new disclosure timeline also controversially doesn't start at the time of the breach itself but when a company's lawyers decide to categorize the incident as "material"—which, as WaPo reporter Joseph Menn points out, leaves somewhat of a loophole in prolonging breach disclosures for some incidents.

[more on Risky Business News]

Russia cracks down on foreign web hosting and email providers: The Russian government passed last week a series of laws aimed at cracking down on the use of foreign IT services inside Russia and driving citizens to Russian alternatives where it can easily exert pressure through its state apparatus.

Law amendments have been passed to limit the use of foreign web hosting providers, foreign email services, and foreign news aggregators.

In addition, the government also passed a generic law banning Russian citizens from participating in the activities of foreign non-profit organizations, which theoretically criminalizes participation in foreign open-source projects.

[more on Risky Business News]

Cloudzy: Security firm Halcyon says that cloud hosting provider Cloudzy is secretly operating as a provider of server infrastructure for APT groups, ransomware gangs, and spyware vendors. The company says it identified more than two dozen different threat actors hosting command-and-control (C&C) servers on Cloudzy infrastructure. APT groups tied to the Chinese, Iranian, North Korean, Russian, Indian, Pakistani, and Vietnamese governments have repeatedly hosted C&C servers on Cloudzy for years. Halcyon says that while Cloudzy is incorporated in the US, the hosting company is "almost certainly" operated out of Tehran, in violation of US sanctions on Iran.