Microsoft revealed that Storm-0558 threat actors stole a consumer signing key from its corporate network, but many questions about the breach and subsequent attacks remain.
Microsoft finally revealed new details about how a private consumer signing key that led to the Storm-0558 attacks in July was stolen, but many major questions remain unanswered.
The tech giant last week published a blog post sharing the results of its technical investigation into how Storm-0558 -- a China-based threat actor that hacked 25 organizations, including U.S. government agencies, in its campaign -- acquired the Microsoft account (MSA) consumer signing key that led to the attacks. Storm-0558 had used the stolen key to forge authentication tokens for Outlook Web Access and Outlook.com, and until now, Microsoft had not disclosed how the key was obtained in the first place.
In the post, Microsoft said it determined that a crash of a consumer signing system in April 2021 produced a snapshot, or crash dump, of the failed process. The MSA key should never have been in that dump; it was included because of a race condition, which Microsoft said has since been corrected.
Storm-0558 likely obtained the key, Microsoft said, when threat actors compromised a Microsoft engineer's corporate account sometime after April 2021. The engineer's account "had access to the debugging environment containing the crash dump which incorrectly contained the key."
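The mechanism above has two halves that are worth seeing concretely: a signing key sitting in a process snapshot is a full token-forgery primitive for whoever reads the dump, and a dump scanner that only looks for PEM armor can miss a key that the process held in parsed, raw-integer form. The following is an added example written for this page; it is not Microsoft's code, and it does not describe how the real MSA key was stored or how Microsoft scans its dumps. It uses a toy 64-bit RSA key (two fixed 32-bit primes, chosen for speed and not remotely secure), a simplified JWT-like token format, and a constructed byte buffer standing in for a crash dump; all names and values are assumptions for the demo.

```python
"""Added example (not from the article or from Microsoft): a signing key inside a
process memory snapshot becomes a token-forgery primitive, and a dump scanner must
look for the key's actual bytes, not only PEM headers.

The RSA key is a toy (64-bit modulus) so it runs instantly; it is NOT secure.
The token format and the 'crash dump' are constructed for this demo."""
import base64
import hashlib
import json
import random
from typing import Optional

# Toy RSA parameters (assumption: two 32-bit primes, 2**32 - 5 and 2**32 - 17).
P, Q = 4294967291, 4294967279
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _digest_int(data: bytes) -> int:
    # Hash-then-reduce; a real signer would apply PKCS#1 v1.5 or PSS padding.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def mint_token(claims: dict, d: int) -> str:
    """Signing-service role: sign a JWT-like token with private exponent d."""
    header = _b64url(json.dumps({"alg": "TOY-RS", "kid": "consumer-key-1"}).encode())
    body = _b64url(json.dumps(claims, sort_keys=True).encode())
    signing_input = f"{header}.{body}".encode()
    sig = pow(_digest_int(signing_input), d, N)
    return f"{header}.{body}.{_b64url(sig.to_bytes(8, 'big'))}"


def verify_token(token: str) -> Optional[dict]:
    """Relying-party role: a valid signature under the public key means accept.
    Nothing here can tell a legitimately issued token from a forged one."""
    header, body, sig_b64 = token.split(".")
    sig = int.from_bytes(_b64url_dec(sig_b64), "big")
    if pow(sig, E, N) != _digest_int(f"{header}.{body}".encode()):
        return None
    return json.loads(_b64url_dec(body))


def build_crash_dump(d: int, seed: int = 7) -> bytes:
    """Constructed stand-in for a process snapshot: heap noise with the parsed
    private exponent sitting in it as raw big-endian bytes (no PEM armor)."""
    rng = random.Random(seed)
    noise = lambda k: bytes(rng.getrandbits(8) for _ in range(k))
    return noise(1500) + d.to_bytes(8, "big") + noise(1500)


def pem_header_scan(dump: bytes) -> bool:
    """Naive credential scanner: only recognises PEM-armored key files."""
    return b"-----BEGIN" in dump


def known_key_scan(dump: bytes, d: int) -> bool:
    """Defender's check: does the dump contain our key's actual secret bytes?
    (A production scanner would test every private component in both byte orders.)"""
    return d.to_bytes(8, "big") in dump


def carve_private_exponent(dump: bytes) -> Optional[int]:
    """Attacker's view: only the public (N, E) is needed to recognise d in a dump.
    Slide an 8-byte window and test each candidate against a known plaintext."""
    probe = pow(2, E, N)
    for off in range(len(dump) - 7):
        cand = int.from_bytes(dump[off:off + 8], "big")
        if 1 < cand < N and pow(probe, cand, N) == 2:
            return cand
    return None


def demo() -> dict:
    """Run the whole chain: dump -> carve key -> forge token -> verifier accepts."""
    dump = build_crash_dump(D)
    stolen_d = carve_private_exponent(dump)
    forged = mint_token({"sub": "victim@example.com", "aud": "mail"}, stolen_d)
    return {
        "pem_scan_found_key": pem_header_scan(dump),
        "known_key_scan_found_key": known_key_scan(dump, D),
        "carved_key_matches": stolen_d == D,
        "forged_token_accepted": verify_token(forged) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The carving loop is the attacker's side of the story: with nothing but the public key, every 8-byte window of the dump can be tested as a candidate private exponent, so the key does not need to be labelled or armored to be found. The two scanners are the defender's side: grepping for PEM headers reports nothing, while matching the key's own bytes against the dump reports a hit. That is the check to run on any snapshot taken from a host that holds signing keys.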
Although the tech giant claimed its technical investigation had concluded, the Microsoft Security Response Center post did not include several important details. Cloud security vendor Wiz raised several such questions in a blog published Sept. 7. Amitai Cohen, attack vector intel lead at Wiz, mentioned several unanswered issues, chief among them being: When was the engineer's account compromised, and what was the earliest point in time when Storm-0558 actors could have obtained the MSA key?
On this episode of the Risk & Repeat podcast, TechTarget editors Rob Wright and Alex Culafi discuss the latest developments surrounding the Storm-0558 attacks and Microsoft's response to them.
Subscribe to Risk & Repeat on Apple Podcasts.
Alexander Culafi is a writer, journalist and podcaster based in Boston.