Cyber Safety Review Board slams Microsoft security failures – TechTarget


The U.S. Department of Homeland Security’s Cyber Safety Review Board said Microsoft’s security culture is “inadequate and requires an overhaul” in a report published Tuesday.

The Cyber Safety Review Board (CSRB) initiated an investigation following a high-profile cyberattack Microsoft disclosed in July of last year, in which a Chinese nation-state threat actor tracked as Storm-0558 breached email accounts at 22 organizations, including some federal agencies. The threat actors accessed the email accounts through Outlook Web Access (OWA) in Exchange Online and Outlook.com by forging authentication tokens with a stolen Microsoft account (MSA) signing key.

In a CISA advisory published at the time, the U.S. cyber agency said a Federal Civilian Executive Branch agency detected suspicious activity in its Microsoft 365 environment sometime the previous month; the breach was only detected because government 365 licenses include enhanced cloud logging features that were at the time only available at the highest and most expensive subscription level. Microsoft addressed the latter issue in September and made premium logging features more widely available.

The CSRB review, documented in a report dated March 20 and publicly released Tuesday evening, was conducted to learn more about the incident and why it occurred. The board’s primary finding was that “this intrusion should never have happened.”

“Storm-0558 was able to succeed because of a cascade of security failures at Microsoft, as outlined in this report,” CSRB chair Robert Silvers and deputy chair Dmitri Alperovitch wrote in the report’s introduction. “Today, the Board issues recommendations to Microsoft to ensure this critical company, which sits at the center of the technology ecosystem, is prioritizing security for the benefit of its more than one billion customers.”

As part of its conclusion, the board determined that “Microsoft’s security culture was inadequate and requires an overhaul.” The CSRB bases this on Microsoft’s “failure to detect the compromise of its cryptographic crown jewels” and its reliance on a customer – in this case, the U.S. State Department – to inform the company of Storm-0558’s activity.

The CSRB also based its conclusions on Microsoft’s lack of security controls that other cloud providers have; the Russian nation-state attack that Microsoft suffered in January; and Microsoft’s responsibility given its ubiquitous and critical line of products.

One of the most significant aspects of the CSRB’s findings was that, according to the report, Microsoft still does not know how or when the MSA signing key was stolen. Furthermore, the board criticized the company for making inaccurate public statements about the attack and how the key was stolen.

Microsoft claimed in a September blog post that the MSA key was incorrectly included in a crash dump of a consumer signing system inside the company network; the blog post said Storm-0558 actors obtained a Microsoft engineer’s credentials and used the account to access a debugging environment that contained the key. However, the CSRB investigation found “Microsoft has no evidence or logs showing the stolen key’s presence in or exfiltration from a crash dump.” Despite this, Microsoft’s blog post was not updated until March 12.

“Microsoft’s decision not to correct, in a timely manner, its inaccurate public statements about this incident, including a corporate statement that Microsoft believed it had determined the likely root cause of the intrusion when in fact, it still has not; even though Microsoft acknowledged to the Board in November 2023 that its September 6, 2023 blog post about the root cause was inaccurate, it did not update that post until March 12, 2024, as the Board was concluding its review and only after the Board’s repeated questioning about Microsoft’s plans to issue a correction,” the report read.

Although some details in the report are new, many of the criticisms of Microsoft’s security practices are not. Last year, infosec professionals shared their frustrations regarding Microsoft’s security practices with TechTarget Editorial. Experts criticized the company over a lack of transparency, bypassed and incomplete patches and rocky communication practices with security researchers.

And in January, executives slammed Microsoft for its handling of this year’s breach at the hands of Midnight Blizzard, a Russian nation-state group also known as Cozy Bear and APT29. Infosec experts called attention to the lack of multifactor authentication on the compromised test tenant account at the center of the attack and Microsoft’s apparent upselling of security products in a disclosure blog post.

Microsoft’s apparent prioritization of business over security is also referenced in the CSRB report.

“Throughout this review, the Board identified a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management,” the report read. “Microsoft leadership should consider directing internal Microsoft teams to deprioritize feature developments across the company’s cloud infrastructure and product suite until substantial security improvements have been made in order to preclude competition for resources.”

TechTarget Editorial contacted Microsoft for additional comment.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.
