Rui Carlos, posted September 10, 2023 at 11:12 AM

In May the Storm-0558 group managed to access the e-mail of around 25 organizations, including US government agencies, using forged authentication tokens. The tokens would have been generated with a private key the attackers managed to obtain. Microsoft has now explained how it thinks the attackers obtained that private key. The theory is that the private key was included in a crash dump, and in that way ended up being transferred from the production environment to the debugging environment. Additionally, other token validation problems allowed the tokens to be used to access accounts they were not supposed to.

Two particularly worrying things:

- Apparently critical private keys were not being kept in hardware security modules (HSMs).
- Crash dumps can contain sensitive data, and that should make anyone think twice before sending an error report about something that failed on their PC to third parties (whether Microsoft, Apple or anyone else).

More details: https://msrc.microsoft.com/blog/2023/09/results-of-major-technical-investigations-for-storm-0558-key-acquisition/

Quote:

On July 11, 2023, Microsoft published a blog post which details how the China-Based threat actor, Storm-0558, used an acquired Microsoft account (MSA) consumer key to forge tokens to access OWA and Outlook.com. Upon identifying that the threat actor had acquired the consumer key, Microsoft performed a comprehensive technical investigation into the acquisition of the Microsoft account consumer signing key, including how it was used to access enterprise email. Our technical investigation has concluded. As part of our commitment to transparency and trust, we are releasing our investigation findings. [...]

Our investigation found that a consumer signing system crash in April of 2021 resulted in a snapshot of the crashed process (“crash dump”). The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump (this issue has been corrected). The key material’s presence in the crash dump was not detected by our systems (this issue has been corrected). We found that this crash dump, believed at the time not to contain key material, was subsequently moved from the isolated production network into our debugging environment on the internet connected corporate network. This is consistent with our standard debugging processes. Our credential scanning methods did not detect its presence (this issue has been corrected). After April 2021, when the key was leaked to the corporate environment in the crash dump, the Storm-0558 actor was able to successfully compromise a Microsoft engineer’s corporate account. This account had access to the debugging environment containing the crash dump which incorrectly contained the key. Due to log retention policies, we don’t have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key. [...]
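The post above describes a crash dump that carried signing-key material past a credential scanner and out of the isolated production network. As an added example (not code from the post, the forum or Microsoft), the scanner below checks a dump before transfer for both PEM-armoured private keys and raw high-entropy regions, since a key in process memory is normally not text-armoured; the sample dump, the window size and the entropy threshold are constructed assumptions for this illustration.

```python
import math
import random
import re
from base64 import b64encode

# Matches a PEM-armoured private key (RSA, EC, PKCS#8 ...) including its body.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]*PRIVATE KEY)-----.*?-----END \1-----", re.S)


def shannon_entropy(chunk: bytes) -> float:
    """Bits of entropy per byte in chunk: 0.0 for a repeated byte, up to 8.0."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_pem_blocks(data: bytes) -> list:
    """Labels of every PEM private key in the dump (text-pattern check only)."""
    return [m.group(1).decode() for m in PEM_RE.finditer(data)]


def find_high_entropy_windows(data: bytes, window: int = 512,
                              step: int = 256, threshold: float = 7.0) -> list:
    """Offsets of windows whose byte entropy looks like raw key material.
    A grep for text markers misses an unarmoured key; this check does not.
    Window and threshold are assumptions tuned for the constructed sample."""
    hits = []
    for off in range(0, max(len(data) - window, 0) + 1, step):
        if shannon_entropy(data[off:off + window]) >= threshold:
            hits.append(off)
    return hits


def scan_dump(data: bytes) -> dict:
    """Findings that should block a dump from leaving the production network."""
    return {"pem_keys": find_pem_blocks(data),
            "high_entropy_offsets": find_high_entropy_windows(data)}


def build_sample_dump() -> bytes:
    """Constructed stand-in for a process snapshot: log text, a PEM block and
    raw 'key' bytes that are deterministic pseudo-random filler, not a real key."""
    rng = random.Random(1234)
    raw_key = bytes(rng.getrandbits(8) for _ in range(1024))
    pem = (b"-----BEGIN RSA PRIVATE KEY-----\n" + b64encode(raw_key[:256])
           + b"\n-----END RSA PRIVATE KEY-----\n")
    filler = b"token signing service heartbeat ok\n" * 40
    return filler + pem + filler + raw_key + filler
```

Running scan_dump(build_sample_dump()) reports the PEM label and the offsets of the raw key bytes; a dump that produces any finding should stay inside the production boundary until the material is redacted.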