Lessons from Storm-0558
Dive deep into Azure cloud security, Azure pentesting, and expand your multi-cloud expertise with our upcoming courses! 🚀
Azure Cloud Pentesting for Ethical Hackers (2 Days)
- Dates: October 7 & 8, October 28 & 29 (GMT & PST)
- Learn More & Enroll: Azure Pentesting Course
Multi-Cloud Fundamentals — Azure, AWS, GCP (4 Days)
- Dates: November 11, 12, 18 & 19 (GMT & PST)
- Learn More & Enroll: Multi-Cloud Fundamentals Course
🎉 Special Offer: Secure a 50% course discount! Simply email courses@chariscloud.com, indicating which course you’d like to sign up for.
MS finally released how the key for Storm-0558 got leaked — https://msrc.microsoft.com/blog/2023/09/results-of-major-technical-investigations-for-storm-0558-key-acquisition/…
There are lots of lessons here but I will highlight three:
🔄 1 — Data transfer between environments: A snapshot with a crashdump (contained the signing key) was shifted from PROD to an to internet connected debugging environment. How many ORGs rigorously cleanse their data transfers between environments with variable security controls? The issue wasn’t the absence of a process, the issue was that the implementation was not rigorous enough.
❌ 2 — Missed Validation: Impact could have been reduced if scope validation had not been missed due to an oversight. Devs mistakenly assumed/believed that the libraries handled scope validation when it did not. This led to enterprise emails to be authorized using consumer-signed security tokens. I’m sure that MS have a threat modelling process but how do you apply the right level of detailed modelling for every feature implementation when they happen very often?
📋 3 — The Challenge of Logging: Lower log retention policies meant that needed evidence was not available, which made post-incident analysis to be difficult. Quote — “Due to log retention policies, we don’t have logs with specific evidence of this exfiltration by this actor”. I assume that like many ORGs, MS did not see the need to retain logs for non-prod environments for a long time because “important stuff don’t run there”. For organizations that can afford it, if data move is allowed from sensitive environments, assume that your implementation may fall short sometimes and at least have the same level of log retention.
These lessons may seem straightforward, but execution is the tricky part. The old saying — easier said than done. We continue to learn. 📚 #cloudsecurity #storm0558 #lessonslearned #storm0558 #msrc #securitylessons
