Recent high-profile mishaps by a number of cloud services, but particularly those run by Microsoft, have triggered a security review by the Department of Homeland Security’s Cyber Safety Review Board (CSRB).
A statement from the agency said that a “broad” range of cloud services would be looked at, but the only one that was named in the statement was Microsoft Exchange. Specifically, the statement cited the recent failure that led to penetration of government email accounts by suspected Chinese hackers.
Security review to focus on authentication practices
The CSRB was founded a little over two years ago and already has two of these security reviews under its belt, the first of the Log4J vulnerability and the second (just published earlier this month) covering the Lapsus$ hacking crew. The board is a public-private association made up of high-level cybersecurity officials from assorted federal agencies along with cybersecurity firm and tech company executives.
The board’s prior security reviews have drawn criticism for not naming the specific private entities responsible for the lapses that led to breaches, but thus far it appears this will not be an issue with the cloud services report. Microsoft is already in the crosshairs, and numerous other big tech targets (such as Amazon and Google) have experienced recent issues.
Criticism of Microsoft in the recent breach of government email accounts has centered on two key points: that it managed to lose a central signing key that essentially provided free access to webmail accounts, and that the logging tool that would have detected this sort of intrusion is locked behind a “premium” paywall (one that even some of the breached federal agencies do not subscribe to). The recently published report on Lapsus$ closed with a series of detailed recommendations, and a likely recommendation of the cloud services review is that crucial security tools of this nature be made available to all customers of these types of cloud services.
Will the security of cloud services improve?
Microsoft is likely to be a central focus of the cloud services security review not just because of this recent incident, but because of a string of issues going all the way back to the prior Microsoft Exchange breach (also exploited by nation-state hackers) that was made public in early 2021. In the meantime, the general public still does not know exactly how far the Chinese hackers penetrated, beyond the high-level officials and diplomats who were named as victims. The government did offer assurances that the email accounts were not meant to be used for classified material, but the full extent is being explored by a separate investigation initiated by the House Committee on Oversight and Accountability.
Microsoft believes that a Chinese hacking team called “Storm-0558” is responsible for the most recent breach, a group that has been known to target foreign government email accounts and make use of innovative techniques to penetrate networks. The group has a reputation for token forgery but also uses phishing techniques and unpatched software vulnerabilities to get in the door, usually deploying the China Chopper malware for persistent backdoor access and running Python and PowerShell scripts to quickly scrape email data.