A federal review board has called on Microsoft to prioritize its approach to cloud security and stop passing the burden on to customers, in the wake of a July 2023 cyberattack in which Chinese threat actors broke into Microsoft 365 accounts to spy on key US government officials.
A report published on April 2 by the Department of Homeland Security's (DHS) independent Cybersecurity Review Board offered a scathing assessment of Microsoft's security culture, placing the blame squarely on the company and a "cascade of security failures" for the cyber espionage attack by the China-based threat group Storm-0558, an attack that "should never have happened."
The board, which investigated the breach at the request of President Joe Biden, called on the tech giant to put cybersecurity at the top of its agenda. It should also give careful consideration to making significant revisions to its cloud security posture, including by prioritizing those changes over functionality and new product development.
“To drive the rapid cultural change needed within Microsoft, the Board believes that Microsoft customers would benefit from the CEO and Board of Directors focusing directly on the company’s security culture and developing and publicly sharing a plan with specific timelines to make fundamental, safety-focused reforms across the company and its full range of products,” officials said in the report.
Put security before product innovation
As part of its review, the board made a number of recommendations to this end, including that senior management not only develop this plan but also hold leaders at all levels of the company accountable for its implementation.
Microsoft leadership should also consider directing the company's internal teams to "de-escalate feature developments across the company's cloud infrastructure and product suite until substantial security improvements have been made," evaluating and addressing security before implementing any new functionality, the board concluded.
Given how much depends on the security of Microsoft's cloud-based services and infrastructure, the software giant and other cloud service providers (CSPs) must also take greater overall responsibility for their customers' security outcomes. One action high on this list is to stop charging customers for security-related logging, making it "a cornerstone" of cloud offerings rather than an add-on service at an additional cost.
Microsoft had already relented and dropped the charges for expanded logging access for all tiers of Microsoft 365 license holders shortly after the breach, following complaints that the charges amounted to a tax on customers.
This is on Microsoft
The board's overall conclusion is that responsibility for the breach, which allowed Storm-0558 to gain access to email accounts at 25 government agencies in Western Europe and the United States, lies exclusively with Microsoft, and that it was directly due to a series of security shortcomings on the company's part.
As the fallout from the breach intensified in the weeks following its initial detection, Microsoft eventually, in September 2023, admitted to a series of errors that allowed Storm-0558 to use a Microsoft Account (MSA) consumer signing key to forge Azure AD tokens and access corporate email accounts. MSA consumer keys are normally used to cryptographically sign tokens for access to Microsoft consumer applications and services such as Outlook.com, OneDrive, and Xbox Live.
The company said at the time that a race condition had resulted in the signing key being captured in a crash dump, or snapshot, of a crashed system. The dump ultimately ended up in the debugging environment on Microsoft's Internet-connected corporate network, where the threat actors likely found the key.
However, government officials took executives to task over the company's failure to detect the compromise of its "crypto crown jewels" on its own: it was a customer, a human rights organization that did not have access to advanced cloud security logging, that first alerted the company to a potential issue.
Additionally, Microsoft never demonstrated that the key used by the attackers had in fact ended up in a crash dump or snapshot, and did not correct its statements that this was the root cause "in a timely manner." In fact, Microsoft did not revisit its account of how the key ended up in Storm-0558's hands until last month, when it updated its blog post and acknowledged that it had never located a crash dump containing the key.
Finally, the board found that Microsoft is generally lax compared to other CSPs when it comes to cloud security, failing to maintain security controls to a similar standard. The company must level up immediately, because its products, used everywhere, "support essential services that support national security, the foundations of our economy, public health and safety," which in turn requires that Microsoft "demonstrates the highest standards of security, accountability and transparency," the officials concluded.
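As an added illustration (not code from this article, the board's report, or Microsoft), the snippet below models, on the validating side, why a consumer-realm signing key should never be able to produce a valid enterprise token: a verifier that trusts any key it knows, regardless of which issuer published it, accepts the forgery, while one that restricts key lookup to the expected issuer's own key set rejects it. The HMAC-based token format, the key IDs and the pairing of issuer URLs with key sets are assumptions chosen to keep the example offline; this page does not state exactly how Microsoft's validation accepted the consumer key.

```python
import base64
import hashlib
import hmac
import json
# Constructed sample key sets (HMAC secrets stand in for Microsoft's RSA keys so the example runs offline).
CONSUMER_KEYS = {"msa-key-1": b"consumer-realm-secret"}     # MSA (login.live.com) keys
ENTERPRISE_KEYS = {"aad-key-1": b"enterprise-realm-secret"}  # Azure AD keys
KEYS_BY_ISSUER = {
    "https://login.live.com": CONSUMER_KEYS,
    "https://login.microsoftonline.com": ENTERPRISE_KEYS,
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict, kid: str, key: bytes) -> str:
    """Mint a minimal JWT-style token (header.payload.signature) with HMAC-SHA256."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def _verify(token: str, key: bytes, expected_issuer: str) -> dict:
    """Check the signature with the given key, then check the iss claim."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload))
    if claims.get("iss") != expected_issuer:
        raise ValueError("wrong issuer")
    return claims

def _kid(token: str) -> str:
    return json.loads(_unb64(token.split(".")[0]))["kid"]

def validate_flat(token: str, expected_issuer: str) -> dict:
    """Weak pattern: any key the service knows, from any realm, may sign any issuer's token."""
    all_keys = {**CONSUMER_KEYS, **ENTERPRISE_KEYS}
    return _verify(token, all_keys[_kid(token)], expected_issuer)

def validate_scoped(token: str, expected_issuer: str) -> dict:
    """Hardened pattern: the kid must be in the key set published by the expected issuer."""
    key = KEYS_BY_ISSUER[expected_issuer].get(_kid(token))
    if key is None:
        raise ValueError("kid is not a signing key for " + expected_issuer)
    return _verify(token, key, expected_issuer)
```

A token minted with the consumer key but carrying the enterprise issuer passes validate_flat (the issuer check alone does not help, since the attacker controls the claims) and is rejected by validate_scoped because the key ID is not in that issuer's set.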
Microsoft did not immediately respond to a request for comment from Dark Reading.