Though Microsoft is hardly alone in terms of cloud services experiencing serious security breaches, a string of Redmond mishaps appears to have prompted new security reviews by the Cyber Safety Review Board (CSRB).
Microsoft’s issues include repeated serious failures of Microsoft Exchange security and a major recent breach of Azure by Chinese spies, but the CSRB appears to be looking at a range of cloud services commonly used by government agencies and large businesses. This is the third such security review for the relatively new public-private collaboration, which previously examined the Log4J vulnerability and a 2021-2022 spree by the for-profit criminal hacking group Lapsus$.
Cloud services under the microscope thanks to Microsoft
The Department of Homeland Security (DHS) cited the recent Microsoft Exchange Online breach (announced in July) as a central focus of the security review, the only such incident that was specifically named amidst the announced “broader review of issues relating to cloud-based identity and authentication infrastructure affecting applicable CSPs and their customers.”
Disclosed by Microsoft in early July, the attack is thought to have unfolded from May into June and stemmed from the theft of a Microsoft account (MSA) consumer signing key that allowed the attackers to create validation tokens impersonating Azure AD users. The hackers, believed to be the state-backed Storm-0558 group out of China, used this power to let themselves into email accounts via Exchange Online (OWA) and Outlook.com. The government confirmed that a number of high-level officials were compromised and that the hackers broke into multiple federal agencies, but the general public still does not know the full extent of the damage.
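The validation weakness the paragraph describes, a signing key from one identity service being accepted for tokens claiming users of another, as an added illustration (not code from the article or from Microsoft): a toy verifier that resolves the signing key by `kid` across every published key set accepts a token signed with the consumer key yet claiming an enterprise user, while one that resolves keys only from the expected issuer's set rejects it. Issuer names, key ids and the HMAC secrets standing in for real asymmetric signing keys are all constructed.

```python
import base64, hashlib, hmac, json

# Constructed toy key sets: HMAC secrets stand in for the signing keys that a
# consumer (MSA) identity service and an enterprise (Azure AD) tenant publish.
CONSUMER_ISS = "https://consumer.example"             # assumed issuer names
ENTERPRISE_ISS = "https://enterprise.example/contoso"
KEY_SETS = {
    CONSUMER_ISS: {"msa-kid-1": b"consumer-signing-secret"},
    ENTERPRISE_ISS: {"aad-kid-1": b"enterprise-signing-secret"},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(kid: str, secret: bytes, claims: dict) -> str:
    """Mint a compact JWS-style token: header.claims.signature (toy HMAC)."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def _verify_with(token: str, secret: bytes):
    header, body, sig = token.split(".")
    want = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return json.loads(_unb64(body)) if hmac.compare_digest(want, _unb64(sig)) else None

def verify_weak(token: str):
    """Flawed: resolves kid across every key set, so a consumer key validates enterprise claims."""
    kid = json.loads(_unb64(token.split(".")[0]))["kid"]
    for keys in KEY_SETS.values():
        if kid in keys:
            return _verify_with(token, keys[kid])
    return None

def verify_strict(token: str, expected_iss: str):
    """Hardened: kid must be in the expected issuer's key set and iss must match it."""
    kid = json.loads(_unb64(token.split(".")[0]))["kid"]
    keys = KEY_SETS.get(expected_iss, {})
    if kid not in keys:
        return None                      # key scope enforced: wrong issuer's key
    claims = _verify_with(token, keys[kid])
    return claims if claims and claims.get("iss") == expected_iss else None

def forged_token() -> str:
    """Token signed with the consumer key but carrying enterprise issuer and user claims."""
    claims = {"iss": ENTERPRISE_ISS, "sub": "alice@contoso.example", "aud": "mail"}
    return sign("msa-kid-1", KEY_SETS[CONSUMER_ISS]["msa-kid-1"], claims)
```

A mail service calling `verify_strict` with its own tenant issuer rejects the forged token, whereas `verify_weak` returns the impersonated claims.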
Microsoft’s issues in this area extend much further back than that, however, all the way to the Exchange Server breaches of late 2020 and early 2021, which both Russian and Chinese state-backed hackers are believed to have exploited. Nor is Microsoft alone in this among cloud services: Google Cloud and Amazon AWS have also seen numerous breaches in the past year or two, some quite serious.
The ongoing issues with Microsoft prompted Senator Ron Wyden to pen an open letter to the Cybersecurity and Infrastructure Security Agency (CISA), Federal Trade Commission and the DOJ, demanding that the company be investigated and held responsible for its most recent security lapse and that it no longer make it possible for a single “skeleton key” to access email accounts.
While the CSRB will be focusing on Microsoft’s end of the incident and how its cloud services might be shored up, the House Committee on Oversight and Accountability has announced that it will soon be launching an investigation into China’s attack campaign and the full extent of the damage it caused.
Security review to cover “broad” authentication infrastructure and cloud service providers
Founded in 2021 and having published its first security review of this type only a little over a year ago, the CSRB is still fairly new to this. In this early going it has taken criticism for not digging enough into specifics and for having too many conflicts of interest with the private sector.
Though it has promised a broad survey of cloud services, the CSRB does already seem to be addressing one central criticism of its prior security reviews: that it refuses to place blame directly on single private sector entities. The board also has inherent conflict of interest issues in that it is staffed by members of companies such as Google and Verizon, who not only do not want their own companies harmed by reports but also might benefit from investigations that reveal the confidential information of competitors. This “broad” survey of cloud services provides the CSRB the ideal opportunity to show how it can navigate these waters while retaining public confidence in its efficacy.
Though it is not the board’s job to appease the public, it could win confidence by zeroing in on Microsoft’s prior requirement that customers pay for a premium subscription to access the security logging tool that would have caught the unauthorized access in the Outlook email case. Microsoft has since voluntarily offered to roll that feature out to all users for free, but the report might spark a broader push for companies to make vital security tools for their cloud services more readily available.
It remains unclear what the final security review will look like, or exactly which companies it will include, but some clues might be drawn from the prior report on Lapsus$ (which was only just published about a week ago). That report included a summary of the suspected threat actors and concluded with 10 fairly detailed recommendations that addressed specific security improvements that telecommunications providers should make.
Ani Chaudhuri, CEO of Dasera, predicts that the final version of the security review will adopt a similar stance: “Given the recent Microsoft Exchange Online intrusion, we can expect a renewed emphasis on strengthening identity management and authentication in the cloud. This might lead to the inception of new technologies or the broader adoption of extant yet underutilized solutions. More importantly, the findings will likely foster a culture of proactive security vigilance rather than a reactive stance. The cloud industry might see an acceleration in the integration of advanced threat detection, response mechanisms, and continuous security education.”
“The DHS’s initiative, steered by the CSRB, couldn’t be more timely. In a world where our reliance on cloud infrastructure is deepening, such proactive measures herald a shift from merely responding to threats to preemptively identifying and plugging vulnerabilities. This is not just about technology; it’s about trust and ensuring the cloud remains a haven for innovation and growth,” added Chaudhuri.