Microsoft Updates Investigation from Storm-0558 Key Theft
Category: Threat Actor Activity | Industry: Technology | Source: Microsoft
Microsoft has concluded its investigation into a breach, attributed to a China-based threat actor named Storm-0558, that affected around 25 Outlook accounts beginning as early as May 15th, 2023. The incident was traced back to the compromise of a Microsoft engineer's corporate account, through which a Windows crash dump was accessible. Microsoft reports that their "investigation found that a consumer signing system crash in April of 2021 resulted in a snapshot of the crashed process (“crash dump”). The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump (this issue has been corrected). The key material’s presence in the crash dump was not detected by our systems (this issue has been corrected)."
The consumer signing system crash in April 2021 led to the unintended exposure of the key in a crash dump. This dump, initially believed to be safe, was later moved to a corporate debugging environment. "After April 2021, when the key was leaked to the corporate environment in the crash dump, the Storm-0558 actor was able to successfully compromise a Microsoft engineer’s corporate account. This account had access to the debugging environment containing the crash dump which incorrectly contained the key." Specific evidence of the attacker exfiltrating data was not available due to limitations in log retention. Microsoft has taken corrective actions to address these issues and enhance security protocols.
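The redaction failure Microsoft describes is, from a defender's side, a detection problem: key material has to be caught before a dump leaves the production boundary. As an added example that is not Microsoft's code, the following Python scanner looks for common private-key encodings (PEM, a JWK carrying a private exponent, and a PKCS#8 RSA prefix) in a constructed minidump-like blob and gates sharing on the result; the marker set, sample dump and function names are assumptions.

```python
import re

# Markers that indicate private signing-key material in a process memory image.
# Chosen for this example; a production scanner would carry a richer set.
PEM_PRIVATE = re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")
# JSON Web Key whose key type is followed (within the same object) by a private exponent "d".
JWK_PRIVATE = re.compile(rb'"kty"\s*:\s*"(?:RSA|EC)"[^}]{0,400}?"d"\s*:\s*"')
# PKCS#8 PrivateKeyInfo for RSA: version INTEGER 0, then AlgorithmIdentifier rsaEncryption + NULL.
PKCS8_RSA = bytes.fromhex("020100300d06092a864886f70d0101010500")


def scan_dump_for_key_material(blob: bytes):
    """Return every key-material marker found in the blob, ordered by offset."""
    findings = []
    for m in PEM_PRIVATE.finditer(blob):
        findings.append({"kind": "pem_private_key", "offset": m.start()})
    for m in JWK_PRIVATE.finditer(blob):
        findings.append({"kind": "jwk_private_key", "offset": m.start()})
    start = 0
    while (idx := blob.find(PKCS8_RSA, start)) != -1:
        findings.append({"kind": "pkcs8_rsa_private_key", "offset": idx})
        start = idx + 1
    return sorted(findings, key=lambda f: f["offset"])


def dump_is_safe_to_share(blob: bytes) -> bool:
    """Gate: a dump may leave the production boundary only when no key material is found."""
    return not scan_dump_for_key_material(blob)


# Constructed sample "crash dump": a minidump-style header, filler, and three embedded keys.
SAMPLE_DUMP = (
    b"\x00" * 64
    + b"MDMP" + b"\x93\xa7" + b"\x00" * 32
    + b"-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n-----END RSA PRIVATE KEY-----\n"
    + b"\x00" * 16
    + b'{"kty":"RSA","kid":"example-kid","n":"AQAB...","e":"AQAB","d":"Q1...."}'
    + b"\x00" * 16
    + b"\x30\x82\x04\xbd" + PKCS8_RSA + b"\x04\x82\x04\xa7"
)

if __name__ == "__main__":
    for finding in scan_dump_for_key_material(SAMPLE_DUMP):
        print(finding)
    print("safe to share:", dump_is_safe_to_share(SAMPLE_DUMP))
```

Running the gate at the point where a dump is copied out of the signing environment is what would have flagged the case described above; the scan is cheap relative to the dump size.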