The recent cyber-attack on Microsoft cloud solutions is a BIG PROBLEM and changes the game. The hacker’s method wasn’t the typical exploit of a newly discovered vulnerability or the tricking of a user into making a mistake. Where most attacks are akin to a thief breaking into your house by looking for the easy way in, maybe through an unlocked window or by breaking an old lock, this attack was more akin to the thief getting a copy of the keys from your locksmith. In this case, Microsoft lost what can be considered a Master Key that could be used to access Microsoft’s consumer cloud, which sounds bad, but it gets much worse. Not only was this key somehow obtained by a Chinese hacking group, giving them what could be a key to everyone’s door, they also found an exploit that let them use this key not only on personal accounts, but also on business AND government email. With this, they simply walked right in, initially unnoticed. This new level of risk should make us all step back and rethink how we define and manage risk.
You may be thinking to yourself, “I know Cybersecurity isn’t a perfect defense: I’ve listened to the professionals, have the right protection, utilize a modern Cybersecurity Framework, and have recovery plans designed for the worst, right?” Unfortunately, this recent event is a wake-up call that many are not calculating what the worst can be; the worst is no longer just recovering from a bad event that costs a small ransom, halts production, or loses part of your data. Imagine the consequences of a law firm in the middle of a lengthy M&A deal having its terms sold to a competitor, a software developer’s core source code being cloned, an aerospace company having its military designs given to foes, or the highest level of government agencies having their emails monitored by foreign governments. These are the scenarios that demand our consideration.
As for the technical pieces, I’m not going into the details but focusing on the fact that this supposedly impossible type of issue happened. For those looking to see the technical nuts and bolts, there are some good articles out there, such as the Wiz.io Microsoft Key Breach Investigation, that explain how the key was used to breach emails. What’s relevant to the risk discussion is that Microsoft lost one of its fundamental security keys and this unthinkable scenario happened. Whether it was an inside job or a targeted hack is yet to be determined. Regardless of the how, this incredibly sensitive key made it to a Chinese hacking group identified as Storm-0558. To make matters worse, this key was only supposed to make access tokens for personal consumer accounts. The thieves realized, likely unexpectedly, that the key was far more powerful and could create tokens for business and government accounts as well. This second error was likely a human coding mistake made at Microsoft long ago, which compounds our overall concerns about information security. Microsoft’s direct response on how the attackers were able to jump so far up the food chain: “This was made possible by a validation error in Microsoft code.” These unlimited tokens were used to access emails belonging to certain targeted Taiwanese companies, as well as US assets, including companies and government emails. Upon further analysis, this key could have been used to access the bulk of Microsoft’s cloud applications, from Teams through SharePoint and more.
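To make the “validation error” concrete, here is an added illustration of the general class of mistake the paragraph describes; it is constructed for this post and is not Microsoft’s code, and the details of the real flaw are not given here. Each signing key in the constructed keyset is scoped to one class of accounts (“consumer” or “enterprise”). The flawed validator only checks that the token was signed by some key in the keyset, so a token minted with the consumer key but claiming an enterprise issuer is accepted. The hardened validator also checks that the key that signed the token is authorized for the issuer the token claims. The key names, secrets and claim values are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed example keyset (assumption, not a real keyset). Each signing key
# records which class of account (issuer) it is authorized to mint tokens for.
SIGNING_KEYS = {
    "consumer-key-01": {"secret": b"constructed-consumer-secret", "allowed_issuers": {"consumer"}},
    "enterprise-key-07": {"secret": b"constructed-enterprise-secret", "allowed_issuers": {"enterprise"}},
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(kid: str, claims: dict) -> str:
    """Produce a compact HS256-style token (header.claims.signature) signed with key `kid`."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(SIGNING_KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def _check_signature(token: str):
    """Shared step: confirm the token was signed by a key present in the keyset.

    Returns (kid, claims) on success, or None if the token is malformed,
    names an unknown key, or carries a bad signature.
    """
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        key = SIGNING_KEYS.get(header.get("kid"))
        if key is None:
            return None
        expected = hmac.new(key["secret"], f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        return header["kid"], json.loads(_b64url_decode(claims_b64))
    except (ValueError, AttributeError, TypeError):
        return None


def verify_signature_only(token: str):
    """Flawed validator: any key in the keyset is trusted for any class of account."""
    result = _check_signature(token)
    return None if result is None else result[1]


def verify_with_key_scope(token: str):
    """Hardened validator: the signing key must also be authorized for the token's issuer."""
    result = _check_signature(token)
    if result is None:
        return None
    kid, claims = result
    if claims.get("iss") not in SIGNING_KEYS[kid]["allowed_issuers"]:
        return None  # valid signature, but this key may not vouch for this issuer
    return claims


if __name__ == "__main__":
    # A token signed with the consumer key but claiming the enterprise issuer.
    cross_scope = mint_token("consumer-key-01", {"iss": "enterprise", "sub": "user@example-tenant"})
    print("signature-only validator accepts:", verify_signature_only(cross_scope) is not None)
    print("key-scope validator accepts:    ", verify_with_key_scope(cross_scope) is not None)
```

The design point is that a signature proves which key signed the token, not whether that key was entitled to sign for the principal named in it; a validator has to check both, and a keyset should carry that scope so the check cannot be forgotten.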
According to Microsoft, only 25 organizations worldwide were accessed. After learning about the access, Microsoft promptly invalidated the lost key, which minimized the impact, but much damage was done – State Department emails were accessed by China. By that point, the hackers had been in the systems for what looked like weeks.
Microsoft thinks this is a big deal; in response, it is giving customers advanced logging tools that previously required premium licensing and brought in significant revenue. This is a serious response. This new data will be available at some point in September and, rest assured, will spawn new protective technologies from vendors. AI will play an important part in helping threat hunters process this newly available data more effectively. Even so, it’s currently unclear how much protection can be had if another valid key finds its way out of Microsoft’s hands.
So, what does this mean for the cloud? Can I no longer trust the cloud? Admittedly, this is a blemish on cloud computing. I can hear the die-hard cloud naysayers saying: “See, I told you, cloud computing isn’t safe.” In this case, they may have a point, but overall, the cloud has proven to be more secure than onsite solutions. Hopefully, no one is going out and converting cloud email back to new Exchange servers hosted in their own organizations. Cloud computing clearly has its benefits and generally carries far less risk than on-premises solutions.
The takeaway is that this event requires us all to look at risk management differently. What if all my data were simply made public? That’s always been a risk, but what if all of this could happen even with all the appropriate cyber precautions in place and no one at your company making a mistake? This recent event has moved the needle to a very uncomfortable place. We wish we didn’t have to confront it, but that’s not an option, even if we’re not mentally prepared for it yet.