The U.S. Department of Homeland Security’s Cyber Safety Review Board said Microsoft’s security culture is “inadequate and requires an overhaul” in a report published Tuesday.
The Cyber Safety Review Board (CSRB) initiated an investigation following a high-profile cyberattack Microsoft disclosed in July of last year in which a Chinese nation-state threat actor tracked as Storm-0558 breached email accounts at 22 organizations, which included some federal agencies. The threat actors accessed the email accounts using Outlook Web Access (OWA) in Exchange Online and Outlook.com by forging authentication tokens via a stolen Microsoft account (MSA) signing key.
In a CISA advisory published at the time, the U.S. cyber agency said a Federal Civilian Executive Branch agency had detected suspicious activity in its Microsoft 365 environment sometime the previous month. The breach was detected only because government Microsoft 365 licenses include enhanced cloud logging features that were, at the time, available only at the highest and most expensive subscription tier. Microsoft addressed the latter issue in September and made premium logging features more widely available.
The CSRB report, dated March 20 and publicly released Tuesday evening, documents a review conducted to learn more about the incident and why it occurred. The primary finding of the CSRB was that “this intrusion should never have happened.”
“Storm-0558 was able to succeed because of a cascade of security failures at Microsoft, as outlined in this report,” CSRB chair Robert Silvers and deputy chair Dmitri Alperovitch wrote in the report’s introduction. “Today, the Board issues recommendations to Microsoft to ensure this critical company, which sits at the center of the technology ecosystem, is prioritizing security for the benefit of its more than one billion customers.”
As part of its conclusion, the board determined that “Microsoft’s security culture was inadequate and requires an overhaul.” The CSRB argues this is based on Microsoft’s “failure to detect the compromise of its cryptographic crown jewels” and on the company relying instead on a customer – in this case, the U.S. State Department – to inform it of Storm-0558’s activity.
The CSRB also based its conclusions on Microsoft’s lack of security controls that other cloud providers have; the Russian nation-state attack that Microsoft suffered in January; and Microsoft’s responsibility given its ubiquitous and critical line of products.
One of the most significant aspects of the CSRB’s findings was that, according to the report, Microsoft still does not know how or when the MSA signing key was stolen. Furthermore, the board criticized the company for making inaccurate public statements about the attack and how the key was stolen.
Microsoft claimed in a September blog post that the MSA key was incorrectly included in a crash dump of a consumer signing system inside the company network; the blog post said Storm-0558 actors obtained a Microsoft engineer’s credentials and used the account to access a debugging environment that contained the key. However, the CSRB investigation found that “Microsoft has no evidence or logs showing the stolen key’s presence in or exfiltration from a crash dump.” Despite this, Microsoft’s blog post was not updated until March 12.
“Microsoft’s decision not to correct, in a timely manner, its inaccurate public statements about this incident, including a corporate statement that Microsoft believed it had determined the likely root cause of the intrusion when in fact, it still has not; even though Microsoft acknowledged to the Board in November 2023 that its September 6, 2023 blog post about the root cause was inaccurate, it did not update that post until March 12, 2024, as the Board was concluding its review and only after the Board’s repeated questioning about Microsoft’s plans to issue a correction,” the report read.
Although some details in the report are new, many of the criticisms of Microsoft’s…
This article was originally published by www.techtarget.com.