US Senator seeks federal action over Microsoft Azure breach
Senator Wyden made the request in a letter sent to Jen Easterly, director of CISA; Lina Khan, chair of the FTC; and Merrick Garland, US attorney-general.
Wyden, a Democrat from Oregon, was referring to a recent breach of Microsoft's Azure platform. The email account of US Commerce Secretary Gina Raimondo was one of the more prominent accounts to have been breached during the attack, which was blamed on Chinese attackers whom Microsoft has named Storm-0558.
The attackers gained access through a vulnerability in Azure discovered last month by the State Department, according to anonymous officials quoted in the Washington Post.
Wyden wrote: "Since the hackers stole an MSA encryption key, the hackers could create fake authentication tokens to impersonate users and gain access to Microsoft-hosted consumer accounts, even if a user’s account was protected with multi-factor authentication and a strong password.
"Government emails were stolen because Microsoft committed another error. Although the stolen encryption key was for consumer accounts, 'a validation error in Microsoft code' allowed the hackers to also create fake tokens for Microsoft-hosted accounts for government agencies and other organisations, and thereby access those accounts."
Seasoned security professional Juan Andres Guerrero-Saade, senior director of SentinelLabs, the research wing of security firm SentinelOne, has described the way Microsoft reacted to the breach as "enraging, duplicitous, disappointing, counter-productive and, most importantly, unnecessary".
Wyden said this incident was not the first in which a foreign government had breached US Government emails by stealing encryption keys and forging Microsoft credentials.
"The Russian hackers behind the 2020 SolarWinds hacking campaign used a similar technique, with a noteworthy difference," he pointed out. "There, the targets were organisations that ran Microsoft’s identity management software on their own servers, rather than relying on Microsoft’s cloud service for user authentication, Azure Active Directory.
"That Microsoft software defaulted to not warning administrators when their organisations’ digital identity encryption keys were removed — even though removal is a rare event, strongly indicative of suspicious activity.
"Moreover, while Microsoft had known since 2017 that such keys could be quietly exfiltrated from customer servers running its software, it failed to warn its customers, including government agencies, about this risk."
Wyden, who showed a good grasp of the technicalities involved in the breach, said Microsoft had never taken responsibility for the SolarWinds attacks.
"It blamed federal agencies for not pushing it to prioritise defending against the encryption key theft technique used by Russia, which Microsoft had known about since 2017," he claimed.
"It blamed its customers for using the default logging settings chosen by Microsoft, and then blamed them for not storing the high-value encryption keys in a hardware vault, known as a Hardware Security Module."
Despite only limited details having been made public so far — Microsoft has issued three blog posts about the Azure breach, all of which have been criticised as being incomplete and misleading — Wyden said Microsoft bore significant responsibility for the Azure breach.
"First, Microsoft should not have had a single skeleton key that, when inevitably stolen, could be used to forge access to different customers’ private communications," he said. "Second, as Microsoft pointed out after the SolarWinds incident, high-value encryption keys should be stored in an HSM, whose sole function is to prevent the theft of encryption keys.
"But Microsoft's admission that they have now moved consumer encryption keys to a 'hardened key store used for our enterprise systems' raises serious questions about whether Microsoft followed its own security advice and stored such keys in an HSM.
"Third, the encryption key used in this latest hack was created by Microsoft in 2016, and it expired in 2021. Federal cyber-security guidelines, industry best practices, and Microsoft’s own recommendations to customers dictate that encryption keys be refreshed more frequently, for the very reason that they might become compromised. And authentication tokens signed by an expired key should never have been accepted as valid.
"Finally, while Microsoft’s engineers should never have deployed systems that violated such basic cyber-security principles, these obvious flaws should have been caught by Microsoft’s internal and external security audits. That these flaws were not detected raises questions about what other serious cyber-security defects these auditors also missed."
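Two of the points in the letter, that tokens signed by an expired key should never be accepted and that a consumer key should not be able to vouch for enterprise accounts, describe checks a token verifier must make before it trusts a signature. The following Python sketch is an added illustration written for this article; it is not Microsoft's code and says nothing about how Azure AD actually validates tokens. It uses HMAC-SHA256 as a stand-in for the real asymmetric signature, an invented key registry (the key ids, scopes, validity dates and secrets are all constructed), and contrasts a verifier that checks only the signature with one that also enforces the signing key's validity window and tenant scope.

```python
import base64
import hashlib
import hmac
import json

# Constructed key registry: each entry models a signing key with an id, the
# tenant class it is authorised to sign for, and an expiry. The "consumer" /
# "enterprise" split and the 2016/2021 dates follow the letter's wording;
# the key material and ids are invented for this example.
KEY_REGISTRY = {
    "consumer-key-2016": {
        "secret": b"constructed-consumer-key-material",
        "scope": "consumer",
        "not_after": 1609459200,   # 2021-01-01T00:00:00Z, i.e. already expired
    },
    "enterprise-key-2023": {
        "secret": b"constructed-enterprise-key-material",
        "scope": "enterprise",
        "not_after": 4102444800,   # 2100-01-01T00:00:00Z, still valid
    },
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Build a compact header.payload.signature token. HMAC-SHA256 stands in
    for the real signature algorithm; used here only to construct inputs."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64(json.dumps(claims).encode())
    secret = KEY_REGISTRY[kid]["secret"]
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def _split(token: str):
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_unb64(header_b64))
    payload = json.loads(_unb64(payload_b64))
    return header, payload, header_b64, payload_b64, _unb64(sig_b64)


def _signature_ok(key: dict, header_b64: str, payload_b64: str, sig: bytes) -> bool:
    expected = hmac.new(key["secret"], f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def weak_validate(token: str, now: int) -> bool:
    """Weak verifier: any registered key whose id matches the header is trusted,
    regardless of the key's scope or expiry. A leaked consumer key therefore
    validates tokens for enterprise accounts, the failure the letter describes."""
    header, payload, hb, pb, sig = _split(token)
    key = KEY_REGISTRY.get(header.get("kid"))
    if key is None:
        return False
    return _signature_ok(key, hb, pb, sig) and payload.get("exp", 0) > now


def strict_validate(token: str, expected_scope: str, now: int) -> bool:
    """Hardened verifier: the key must be known, inside its validity window and
    authorised for the tenant class this relying party serves; only then are
    the signature and the token's own expiry checked."""
    header, payload, hb, pb, sig = _split(token)
    key = KEY_REGISTRY.get(header.get("kid"))
    if key is None:
        return False
    if now > key["not_after"]:
        return False   # expired signing key: reject even if the signature checks out
    if key["scope"] != expected_scope:
        return False   # a consumer key must not vouch for enterprise accounts
    if not _signature_ok(key, hb, pb, sig):
        return False
    return payload.get("exp", 0) > now


def demo(now: int = 1690000000) -> dict:
    """Replay the scenario: a token for an enterprise account signed with the
    expired consumer key, beside a legitimate enterprise-signed token."""
    claims = {"sub": "user@agency.example", "tid": "enterprise", "exp": now + 3600}
    consumer_signed = sign_token("consumer-key-2016", claims)
    legit = sign_token("enterprise-key-2023", claims)
    return {
        "weak_accepts_consumer_signed": weak_validate(consumer_signed, now),
        "strict_rejects_consumer_signed": not strict_validate(consumer_signed, "enterprise", now),
        "strict_accepts_legit": strict_validate(legit, "enterprise", now),
    }


if __name__ == "__main__":
    print(demo())
```

The order of checks in `strict_validate` is deliberate: key expiry and key scope are decided from the verifier's own registry before any cryptography runs, so a valid signature from a key that should no longer be trusted, or that was never authorised for this tenant class, is rejected without ever being treated as evidence.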
Wyden said the US administration also had to take some of the blame, because the Cyber Safety Review Board had never looked at the SolarWinds incident, instead examining another incident at the insistence of the Homeland Security Department.
Said Wyden: "I have repeatedly pushed CISA and DHS to direct the CSRB to study the SolarWinds incident, but have been rebuffed. Had that review taken place, it is quite likely that Microsoft’s poor data security practices around encryption keys would have come to light, and this most recent incident might have been averted."
He urged Khan and Easterly to push the CSRB to investigate the SolarWinds attack. "In particular, the CSRB should examine whether Microsoft stored the stolen encryption key in an HSM, a best practice recommended by the National Security Agency and even by Microsoft, and if not, examine why Microsoft failed to follow its own security advice," he added.
"The CSRB should also examine why Microsoft’s negligence was not discovered during the external audits that were required to obtain certification for government use under the FedRAMP program, or during Microsoft’s own internal security reviews."
Wyden also asked Khan to "investigate Microsoft’s privacy and data security practices related to this incident to determine if Microsoft violated federal laws enforced by the FTC, including those prohibiting unfair and deceptive business practices".
He also urged Garland to examine whether Microsoft's negligence constituted a violation of federal law.