Changelog: Microsoft breaks down the Storm-0558 hack

Bradyn Trollip / Unsplash

Welcome to Changelog, published by Synack! README senior editor Nathaniel Mott here to tell you that no, you don’t have to check your calendar, it’s not Sunday. We’ve moved Changelog to Thursday so we can bring you the latest cybersecurity news without disturbing your weekend. Speaking of the latest in cyber: keep an eye out for something new on README next week. More on that in a few days.

The payload

We finally know how Microsoft dropped its keys.

The company published on Sept. 6 its postmortem into the Storm-0558 hack that compromised the email accounts associated with the Department of Commerce, State Department and U.S. lawmakers, among others, earlier this year. Microsoft said the hack relied on a Microsoft account consumer key used "to forge tokens to access OWA and Outlook.com," and that those forged tokens were then used to access the targeted email accounts.

"Our investigation found that a consumer signing system crash in April of 2021 resulted in a snapshot of the crashed process ('crash dump')," Microsoft said. "The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump (this issue has been corrected). The key material’s presence in the crash dump was not detected by our systems (this issue has been corrected)."

The company said this crash dump was then moved from "the isolated production network into our debugging environment on the internet connect corporate network" and that its "credential scanning methods did not detect its presence (this issue has been corrected)." Some time after April 2021, a Microsoft engineer's account was compromised, and Storm-0558 used its access to that account to go through the crash dump and find the signing key used to forge the OWA and Outlook.com tokens.
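The check the postmortem describes as having failed is a credential scan of the crash dump before it leaves the isolated network. The following is an added illustration of such a scan, not Microsoft's tooling: it flags PEM private-key blocks, JWKs carrying a private parameter, and long high-entropy base64 runs in a constructed stand-in dump; the magic bytes, patterns, threshold and sample contents are all assumptions made for the example.

```python
import math
import re
from collections import Counter

# Key-material signatures that redaction should have stripped before a dump left the
# isolated network. Patterns are illustrative, not Microsoft's scanner.
PEM_PRIVATE_KEY = re.compile(
    rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----.*?-----END (?:RSA |EC )?PRIVATE KEY-----",
    re.DOTALL,
)
# A JWK carrying a private exponent/scalar ("d") alongside an RSA or EC key type.
JWK_PRIVATE = re.compile(rb'"kty"\s*:\s*"(?:RSA|EC)"[^{}]*?"d"\s*:\s*"[A-Za-z0-9_-]{32,}"')
# Long base64/base64url runs are candidate raw key blobs; entropy separates them from text.
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/_=-]{64,}")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Random bytes encoded in base64 approach 6.0; repeated text sits far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_dump(dump: bytes, entropy_threshold: float = 5.0) -> list[dict]:
    """Return findings sorted by offset; an empty list means the dump passed the check."""
    findings = []
    covered = []  # spans already reported, so PEM bodies are not re-flagged as blobs
    for kind, pattern in (("pem_private_key", PEM_PRIVATE_KEY), ("jwk_private_key", JWK_PRIVATE)):
        for m in pattern.finditer(dump):
            findings.append({"kind": kind, "offset": m.start(), "length": m.end() - m.start()})
            covered.append((m.start(), m.end()))
    for m in BASE64_RUN.finditer(dump):
        if any(s <= m.start() < e for s, e in covered):
            continue
        ent = shannon_entropy(m.group())
        if ent >= entropy_threshold:
            findings.append({"kind": "high_entropy_blob", "offset": m.start(),
                             "length": m.end() - m.start(), "entropy": round(ent, 2)})
    return sorted(findings, key=lambda f: f["offset"])


# Constructed stand-in for a crash dump (not a real dump): minidump magic, some log text,
# a fake PEM block, harmless padding, a fake private JWK and a raw high-entropy blob.
ALPHABET64 = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
SAMPLE_DUMP = (
    b"MDMP\x93\xa7\x00\x00TokenSigner::Sign entering\x00"
    b"-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7nFx2\n"
    b"-----END PRIVATE KEY-----\n\x00" + b"A" * 80 + b"\x00"
    b'{"kty":"RSA","kid":"constructed-test-key","n":"tVuYqvYqtfAKD3Tuo7H1cxN2_xRbSnPD8eGxYbqq",'
    b'"d":"QkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWjAxMjM0NTY3"}\x00\x00' + ALPHABET64 + b"\x00"
)

if __name__ == "__main__":
    for finding in scan_dump(SAMPLE_DUMP):
        print(finding)
```

A scan like this belongs at the boundary where dumps leave the production network, with a non-empty result blocking the transfer rather than merely logging it.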

To some this sounds like a happy accident for Storm-0558; to others it sounds like a truly advanced persistent threat exploiting a Rube Goldberg machine to gain access to a desired resource. Either way, the signing key was compromised, and it's still unclear how the group managed to gain access to the Microsoft engineer's account. But kudos to Microsoft for discovering and disclosing how the rest of the attack went down--at least as well as its apparently limited logs allowed it to.

"Due to log retention policies," Microsoft said, "we don’t have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key." Maybe it should sign up for the extended logging capabilities it made available to customers after the Storm-0558 hack was disclosed; then it can say that this issue, too, has been corrected.

The week, compiled

Signal, WhatsApp, iMessage and other encrypted messaging apps can stay in the UK.

The Financial Times reported on Sept. 6 that Ofcom, the UK's communications regulator, has decided it "will only require companies to scan their networks when a technology is developed that is capable of doing so." But that's unlikely to happen any time soon because end-to-end encryption (E2EE) is supposed to prevent such scanning.

This is welcome news for anyone in the UK who relies on these messaging services. The Signal Foundation, WhatsApp and Apple had all threatened to pull their respective apps from the UK if the controversial bill passed rather than compromise the security of their services in a misguided attempt to scan for child sexual abuse material.


Adem AY / Unsplash

"WOW. I'm so moved, a bit stunned, and more than anything sincerely grateful to those who came together to ensure sunlight on the dangerous OSB Spy Clause, and to those in the UK gov who synthesized the facts and acted on them," Signal Foundation president Meredith Whittaker said. "I knew we had to fight. I didn't know we'd win."

But that doesn't mean concerns about this bill have abated. Amnesty Tech said that "While we welcome the UK government's decision to postpone measures to implement the 'spy clause', we still urge them to ensure the #OnlineSafetyBill upholds the right to privacy before it is finalised." This isn't the end of the fight for E2EE in the UK.

Also this week:

Sonar: Researchers at Sonar revealed a vulnerability that could have exposed the end-to-end encrypted emails of Proton Mail, Skiff and Tutanota users. The report showed "how an innocent-looking piece of code led to a Cross-Site Scripting issue that made it possible for attackers to steal decrypted emails and impersonate victims," but there's no sign the vuln was exploited, and it's since been patched.

Wired: An Atlantic Council report showed how a 2021 law requiring companies to disclose info about vulnerabilities with the Chinese government is being used by China's state-sponsored hacking groups in their campaigns, with evidence that "foreign firms with China-based operations are complying with the law, indirectly giving Chinese authorities hints about potential new ways to hack their own customers."

Truffle: Hackercontent and Truffle Security revealed on Sept. 5 that 4,500 of Alexa's top 1 million websites "publicly exposed their git directory" containing "the entire private source code for a given website" as well as credentials associated with their GitHub, Amazon Web Services, Slack and accounts for other developer platforms.

A message from Synack

Dive deep into the top software flaws of 2022 in Synack’s inaugural State of Vulnerabilities report. Researchers on the elite Synack Red Team uncovered a record 14,800 exploitable vulnerabilities across Synack targets last year, ranging from authentication failures to SQL injections. The report shares insights into the root causes of these security gaps. Learn how Synack finds the vulnerabilities that matter and check out the full report here.

Flash memory

WordPad is being chucked in the trash can. Microsoft announced on Sept. 1 that it's deprecating the software, which has been installed on new Windows machines by default since Windows 95, and that it "will be removed in a future release of Windows."

WordPad offers a middle ground between a bare-bones text editor like NotePad and a full-fat word processor like Microsoft Word. Windows users who want to be able to format their documents without paying for Office can simply launch WordPad instead.

At least until Microsoft removes the software from Windows. (The company didn't say when it would evict WordPad; merely that it will happen in a future release of the operating system.) Still, making it from Windows 95 to Windows 11 ain't a bad run.

Oh, and for anyone using WordPad wondering what they're supposed to do when it disappears: Microsoft said it recommends "Microsoft Word for rich text documents like .doc and .rtf and Windows Notepad for plain text documents like .txt." Of course.

Local files

TDD: A February ransomware attack on Minneapolis Public Schools that affected more than 105,000 teachers, students and alumni left victims reeling, according to emails obtained by The Daily Dot, which said that people had their bank accounts drained while others "received messages asking for TurboTax codes, Apple ID login requests from other parts of the country, and access requests from Microsoft Authenticator." The report offers a rare glimpse into the extended fallout of these kinds of attacks.

Reuters: China has joined Russia in forbidding government workers from using iPhones, with Reuters reporting that "staff in at least three ministries and government bodies were told not to use iPhones at work," though the outlet noted that "it was not immediately clear how widely the ban was being enforced."

The Record: Germany’s Federal Financial Supervisory Authority said its website was brought down by distributed denial-of-service (DDoS) attacks last weekend, with the site continuing to refuse requests from the U.S. at the time of writing. (The Record said that it's available to European visitors, however, which makes sense given the website's intended audience.) It's not clear who's responsible for the attack.

Off-script

It's hard to live anywhere in the U.S. without access to a car. Some cities have functioning public transit, but that's the exception, not the norm. (And it doesn't make any difference to the millions of people who don't live in a city at all.) Americans need cars--and it turns out many of those vehicles spy on their drivers.

Mozilla said on Sept. 6 that cars "are the worst product category we have ever reviewed for privacy" as part of its Privacy Not Included reviews site. Every single one of the 25 brands it reviewed earned its worst score--and it wasn't even close. Turns out car companies can gather all kinds of data about their customers' vehicles, smartphones and, disturbingly, even their "sex life" or "genetic information."


Michael Jin / Unsplash

As long as we're talking about privacy concerns in practically ubiquitous technologies that are all but required to participate in modern society: how about that Chrome update?

You know, the one where Google managed to make "Enhanced Ad Privacy" actually mean that Chrome itself will monitor users' browsing history to come up with a list of topics they might be interested in to enable better ad targeting, which is conveyed by a misleading popup that doesn't actually tell people how to opt out of the feature.

I'd link to the music video for "Every Breath You Take," but I'm worried about what that would tell advertisers about my interests. (Just kidding. I'm using Firefox.)