Unwarranted Media Hysteria Over (Allegedly) China Almost Sneaking Compromised xz Into Stable, Production Operating Systems (It Failed) While the US Government Blames Microsoft for Allowing China to Break Into Vital Government Systems Via Windows

posted by Roy Schestowitz on Apr 03, 2024

Shifting attention much, Microsoft-funded media? Microsoft: my dog ate my homework. So what if our whole internal infrastructure and all of Azure got compromised? "LOOK OVA' THAR!"

THIS morning we wrote about how nearly 2 decades ago rms (Richard Stallman), who had given public talks about GNU since the mid-80s, warned that proprietary operating systems like Windows were a "back door" threat and, to make matters worse, you would not even know, no matter if that got detected or not (this already happened to Microsoft) [1, 2].

The "mainstream" (corporate, advertiser-funded and typically oligarch-owned) media won't mention any of this; instead, it has helped distract from severe Microsoft Exchange issues. There is now a follow-up (see [1-4] below), but the media is shifting attention to "Linux" and it blames "Open Source" because some random user on Microsoft's GitHub (proprietary) pulled off a social engineering attack, aided by Microsoft systemd (also GitHub) and made "famous" by a Microsoft employee.

"Not only is there the 17k Microsoft Exchange server problem," an associate notes this morning, "but there is also the recent report excoriating Microsoft over its mishandling of the China-origin breach of its infrastructure."

See the links below.

"Allegedly" in the title of this post is because (while China is confirmed for the Microsoft breach) we don't even know what happened to xz. GitHub (Microsoft) makes it harder by hiding the evidence. The issue here or the culprit remains unattributed, an associate has said. "Red China is as likely as Israel, Russia, Netherlands, or US."

"However, in the other break-in [Microsoft], it is directly attributable to Red China."

Funnily enough, the corruptible media portrays the source of the FUD, Microsoft, as the saviour here. As if a campaign of misinformation or strategically timed drama is something to be commended or praised.

We're collectively paying the price for having very bad media/press. Media standards in the West have fallen closer to Red China's levels.

  1. Scathing federal report rips Microsoft for shoddy security, insincerity in response to Chinese hack

    In a scathing indictment of Microsoft corporate security and transparency, a Biden administration-appointed review board issued a report Tuesday saying “a cascade of errors” by the tech giant let state-backed Chinese cyber operators break into email accounts of senior U.S. officials including Commerce Secretary Gina Raimondo.

    The Cyber Safety Review Board, created in 2021 by executive order, describes shoddy cybersecurity practices, a lax corporate culture and a lack of sincerity about the company's knowledge of the targeted breach, which affected multiple U.S. agencies that deal with China.

  2. Cyber review board blames cascading Microsoft failures for Chinese hack

    The CSRB lays the blame for the incident squarely on Microsoft: “The Board concludes that this intrusion should never have happened. Storm-0558 was able to succeed because of a cascade of security failures at Microsoft.”

    The report represents the conclusion of a seven-month review and comes against the backdrop of growing concern in Washington that a series of severe breaches at Microsoft has made the company a national-security liability at a time when the federal government is increasingly relying on that company for a raft of cloud computing services. In January, Microsoft disclosed the latest such incident, in which Russian hackers were able to access emails belonging to senior company officials and company source code.

  3. Microsoft slammed for lax infosec that led to Exchange crack

    A review of the June 2023 attack on Microsoft's Exchange Online hosted email service – which saw accounts used by senior US officials compromised by a China-linked group called "Storm-0558" – has found that the incident would have been preventable save for Microsoft's lax infosec culture and sub-par cloud security precautions.

    The review, conducted by the US government's Cybersecurity and Infrastructure Security Agency's Cyber Safety Review Board (CSRB), calls for "rapid cultural change" at Microsoft. Among the Board's recommendations: [...]

  4. Review of the Summer 2023 Microsoft Exchange Online Intrusion [PDF]

    In May and June 2023, a threat actor compromised the Microsoft Exchange Online mailboxes of 22 organizations and over 500 individuals around the world. The actor—known as Storm-0558 and assessed to be affiliated with the People’s Republic of China in pursuit of espionage objectives—accessed the accounts using authentication tokens that were signed by a key Microsoft had created in 2016. This intrusion compromised senior United States government representatives working on national security matters, including the email accounts of Commerce Secretary Gina Raimondo, United States Ambassador to the People’s Republic of China R. Nicholas Burns, and Congressman Don Bacon.

    Signing keys, used for secure authentication into remote systems, are the cryptographic equivalent of crown jewels for any cloud service provider. As occurred in the course of this incident, an adversary in possession of a valid signing key can grant itself permission to access any information or systems within that key’s domain. A single key’s reach can be enormous, and in this case the stolen key had extraordinary power. In fact, when combined with another flaw in Microsoft’s authentication system, the key permitted Storm-0558 to gain full access to essentially any Exchange Online account anywhere in the world. As of the date of this report, Microsoft does not know how or when Storm-0558 obtained the signing key.

    This was not the first intrusion perpetrated by Storm-0558, nor is it the first time Storm-0558 displayed interest in compromising cloud providers or stealing authentication keys. Industry links Storm-0558 to the 2009 Operation Aurora campaign that targeted over two dozen companies, including Google, and the 2011 RSA SecurID incident, in which the actor stole secret keys used to generate authentication codes for SecurID tokens, which were used by tens of millions of users at that time. Indeed, security researchers have tracked Storm-0558’s activities for over 20 years.
