US senator slams Microsoft for 'negligent cybersecurity practices'


A US senator is asking the Justice Department to hold Microsoft accountable for "negligent cybersecurity practices" that allowed Chinese hackers to steal hundreds of thousands of emails from customers of its cloud, including officials from the US State and Commerce Departments.

"Holding Microsoft accountable for its negligence will require a government-wide effort," Ron Wyden (D-Ore.) wrote in a letter. It was sent Thursday to the heads of the Department of Justice, the Cybersecurity and Infrastructure Security Agency, and the Federal Trade Commission.

Wyden's remarks echo those of other critics who say Microsoft is withholding key details about a recent hack. In disclosures about the incident so far, Microsoft has bent over backwards to avoid saying that its infrastructure, including Azure Active Directory, a supposedly hardened part of Microsoft's cloud offerings that large organizations use to handle single sign-on and multi-factor authentication, was breached. Critics said the details Microsoft has disclosed so far lead to the inescapable conclusion that vulnerabilities in the code of Azure AD and other cloud offerings were exploited to pull off the hack.

The software maker and cloud provider said the compromise resulted from the exploitation of weaknesses in Azure AD or its Exchange Online messaging service. Microsoft's Threat Intelligence team said Storm-0558, a China-based hacking team that spies on behalf of that country's government, exploited them starting May 15. Microsoft chased the attackers away on June 16 after a customer notified company researchers of the intrusion. By then, Storm-0558 had hacked into accounts belonging to 25 organizations.

Microsoft used amorphous terms like "problem", "error", and "flaw" when trying to explain how nation-state hackers tracked the email accounts of some of the company's biggest customers. One of these weaknesses allowed attackers to acquire an expired Microsoft account encryption key that is used to connect consumers to Exchange accounts. Thirteen days ago, the company said it did not yet know how Storm-0558 acquired the key, and it has not provided any updates since.

Microsoft said "thorough analysis" revealed hackers were able to use the Microsoft Account (MSA) key to forge valid Azure AD login tokens. While Microsoft intended MSA keys to sign tokens only for personal accounts, hackers managed to use the key to sign tokens that granted access to Azure AD. The forgery, Microsoft said, "was made possible by a validation error in the Microsoft code."
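The validation error described above comes down to a token verifier that checks a signature against a key without also checking that the key is authorized for the issuer the token claims. The following is a constructed illustration, not Microsoft's code: a weak verifier that accepts any key in a merged key set next to a hardened one that binds each key to its issuer. HMAC stands in for the RSA keys used in practice, purely so the example runs offline with the standard library; the key IDs and issuer URLs are assumed values.

```python
import base64, hashlib, hmac, json

# Constructed key set: one consumer (MSA) key and one enterprise (Azure AD) key.
# Each key is tagged with the only issuer it is allowed to sign tokens for.
KEYS = {
    "msa-key-1": {"secret": b"consumer-secret", "issuer": "https://login.live.com"},
    "aad-key-1": {"secret": b"enterprise-secret", "issuer": "https://login.microsoftonline.com"},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(kid: str, claims: dict) -> str:
    """Mint a JWT-shaped token (header.payload.signature) with the named key."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64(json.dumps(claims).encode())
    mac = hmac.new(KEYS[kid]["secret"], f"{header}.{payload}".encode(), hashlib.sha256)
    return f"{header}.{payload}.{_b64(mac.digest())}"

def _verify_signature(token: str):
    """Check the signature against whichever key the header's kid names."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    kid = json.loads(_unb64(header_b64))["kid"]
    mac = hmac.new(KEYS[kid]["secret"], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256)
    if not hmac.compare_digest(mac.digest(), _unb64(sig_b64)):
        raise ValueError("bad signature")
    return kid, json.loads(_unb64(payload_b64))

def validate_weak(token: str, expected_issuer: str) -> dict:
    # Flawed pattern: every key in the combined key set is trusted for every issuer,
    # so a token signed with the consumer key but claiming the enterprise issuer passes.
    _kid, claims = _verify_signature(token)
    if claims.get("iss") != expected_issuer:
        raise ValueError("wrong issuer claim")
    return claims

def validate_strict(token: str, expected_issuer: str) -> dict:
    # Hardened pattern: the signing key must be one registered for the claimed issuer.
    kid, claims = _verify_signature(token)
    if claims.get("iss") != expected_issuer:
        raise ValueError("wrong issuer claim")
    if KEYS[kid]["issuer"] != expected_issuer:
        raise ValueError(f"key {kid} is not a signing key for {expected_issuer}")
    return claims
```

The check that matters is the last one in validate_strict: key identity alone is not enough, the key's scope must match the token's issuer.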

Wyden called on U.S. Attorney General Merrick B. Garland, Cybersecurity and Infrastructure Security Agency Director Jen Easterly and Federal Trade Commission Chair Lina Khan to hold Microsoft accountable for the breach. He accused Microsoft of hiding its role in the SolarWinds supply chain attack, which Kremlin hackers used to infect 18,000 customers of the network-management software maker in Austin, Texas. A subset of those customers, including nine federal agencies and 100 organizations, received follow-on attacks that breached their networks.

He compared these practices in the SolarWinds case to those he says led to the more recent breach of the Commerce and State Departments and other large customers.

In Thursday's letter, Wyden wrote:

Even with the limited details that have been made public so far, Microsoft bears significant responsibility for this new incident. First, Microsoft should not have had a single skeleton key that, when inevitably stolen, could be used to tamper with access to different customers' private communications. Second, as Microsoft pointed out after the SolarWinds incident, high-value encryption keys must be stored in an HSM, whose sole function is to prevent encryption key theft. But Microsoft's admission that they've now moved consumer encryption keys to a "hardened k...

