Microsoft’s Crash Dump Results in Major Security Breach

According to a report by The Hacker News, Microsoft has revealed that a China-based threat actor known as Storm-0558 acquired an inactive consumer signing key to forge tokens and access Outlook by compromising an engineer’s corporate account. This enabled the adversary to access a debugging environment that contained information pertaining to a crash of the consumer signing system and steal the key ¹.

The Breach

The system crash took place in April 2021. The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump. The key material’s presence in the crash dump was not detected by Microsoft’s systems. The Windows maker said the crash dump was moved to a debugging environment on the internet-connected corporate network, from where Storm-0558 is suspected to have acquired the key after infiltrating the engineer’s corporate account ¹.

It’s not currently known if this is the exact mechanism that was adopted by the threat actor since Microsoft noted it does not have logs that offer concrete proof of the exfiltration due to its log retention policies ¹.

In summary, Microsoft has revealed how a China-based threat actor acquired an inactive consumer signing key to forge tokens and access Outlook by compromising an engineer’s corporate account. This enabled the adversary to access a debugging environment that contained information pertaining to a crash of the consumer signing system and steal the key ¹.

Solutions

Microsoft 365 is a widely used cloud-based service that provides a range of applications and services to its users. As with any cloud-based service, it is important to take steps to protect your Microsoft 365 account from hackers. Here are some tips to help you secure your Microsoft 365 account:

1. Enable multi-factor authentication (MFA): MFA adds an extra layer of security to your account by requiring a second form of authentication in addition to your password. This can be in the form of a text message, phone call, or mobile app notification.
2. Use strong passwords: Use a unique and complex password for your Microsoft 365 account. Avoid using the same password across multiple accounts.
3. Keep your software up-to-date: Ensure that all software on your device is up-to-date, including your operating system and web browser.
4. Be cautious of phishing scams: Be wary of emails or messages that ask you to provide personal information or click on a link. Always verify the sender’s email address and avoid clicking on links from unknown sources.
5. Limit access to your account: Only grant access to your Microsoft 365 account to trusted individuals who need it.
6. Monitor your account activity: Regularly check your account activity for any suspicious logins or activity.
7. Use Microsoft’s built-in security features: Microsoft 365 offers several built-in security features such as Azure Active Directory (Azure AD) and Microsoft Defender for Office 365 that can help protect your account from cyber threats
8. Ask us about our partnership with Huntress EDR/MDR solutions. Here is a guide to our EDR relationship with Huntress. The Ultimate Guide to Huntress EDR and Veroot Partnership for IT Providers.