The Cyber Safety Review Board (CSRB) of the Cybersecurity and Infrastructure Security Agency has found that Microsoft Corporation (MSFT) had security lapses that paved the way for a 2023 cyberattack. This incident resulted in the compromise of high-ranking US officials’ accounts.
What Happened: According to the CSRB report, a group with links to China, identified as “Storm-0558”, took advantage of inadequacies in Microsoft’s cloud security and infosec culture. This led to a breach of its Exchange Online hosted email service in June 2023. Following this, Microsoft and the federal government continued investigating the hack and understanding its full impact.
The report highlighted Microsoft’s key rotation practices for securing the Microsoft Services Account (MSA), which didn’t include an automatic process for rotating or deactivating signing keys. The outdated system, launched during the early 2000s, proved ineffective when Microsoft stopped manually managing keys in 2021 after a major cloud outage.
Storm-0558 exploited an old key from 2016 to access Microsoft’s public-facing Outlook Web Access. Owing to a system glitch, the group could use the key to break into enterprise email accounts, leading to the theft of nearly 60,000 emails from the US State Department, including sensitive diplomatic conversations and a list of employee emails.
According to the CSRB, Microsoft “did not accord security risk management the priority it deserved given the threat and the critical importance of Microsoft technology to more than one billion global customers.” It was stressed that the company’s “Secure Future Initiative” requires supervision from its top brass.
Why It Matters: Earlier in July 2023, Microsoft disclosed that Storm-0558 had breached email accounts connected to Western European government agencies, raising cybersecurity concerns. Later, Sen. Ron Wyden (D-Ore.) accused Microsoft of negligence in its cybersecurity practices and urged the Justice Department to hold the company accountable.
Engineered by Benzinga Neuro, Edited by Sudhanshu Singh
© 2024 Benzinga.com. Benzinga does not provide investment advice. All rights reserved.