This is absolutely crazy stuff. Chinese hackers were able to get into a bunch of government email accounts by forging Microsoft access tokens, but how it happened is wild.
Apparently an internal Microsoft system responsible for signing consumer access tokens crashed, then a bug in the crash dump generator caused the secret key to be written to the crash dump. Microsoft's secondary system for detecting sensitive data in crash dumps also failed, allowing the crash dump to be moved from an isolated network to the corporate one. The Chinese hackers compromised a Microsoft engineer's account and were able to get a hold of the crash dump. They were not only able to find the key and figure out that it's responsible for signing consumer access tokens, but were also able to exploit a software bug to use it to sign enterprise access tokens too, basically giving them the keys to the kingdom.
So many security system had to fail for this to happen. Either the hackers were very lucky or extremely patient.
This is a testament to just how hard cybersecurity is. Microsoft had the forethought to not store keys into crash dumps, had the forethought to build a secondary system to double check them, had the forethought to store them on an isolated network, but a cascading failure basically blitzed through all their security controls and allowed nation/state hackers to walk off with critical signing keys.
@malwaretech sigh. I've wanted to do this in Linux for years, but I've got a different job, and nobody really likes being given ideas. Basically it's just an mprotect() flag to mark stuff as not dumpable, not mappable from /proc (or map-on-read zero pages), and show the flag in /proc/pid/maps.
Add comment