The comedy of errors that allowed Chinese-backed hackers to steal Microsoft's signing key
In March 2021, Microsoft revealed a massive cyberattack that compromised its Exchange Server email software and affected tens of thousands of organizations around the world. The attack, which was attributed to a Chinese state-sponsored hacking group known as Hafnium, exploited four previously unknown vulnerabilities in Exchange Server to gain access to email accounts, steal data and install malware.
But the attack also had another, more alarming consequence: hackers managed to steal Microsoft's signing key, which is used to verify the authenticity and integrity of software updates. This meant that hackers could use the stolen key to sign malicious code and distribute them as legitimate updates to unsuspecting users.
How did this happen? How could a sophisticated company like Microsoft lose control of such a critical asset? And what does this mean for the security of software supply chains?
The answer lies in a comedy of errors that involved human error, technical failures, and organizational failures. Here are some of the key factors that contributed to this unprecedented breach:
– Microsoft used a self-signed certificate for its Exchange Server updates, rather than a certificate issued by a trusted external authority. This made it easy for hackers to impersonate Microsoft and trick users into installing malicious updates.
– Microsoft stored its signing key on a server connected to the Internet, rather than isolating it in a secure offline environment. This exposed the key to potential compromise by anyone who could access the server.
– Microsoft did not implement adequate security controls on its signing server, such as encryption, authentication, logging, and monitoring. This allowed hackers to access the server undetected and alter its settings.
– Microsoft did not follow the principle of least privilege, which means granting only the minimum level of access necessary to each user or process. Instead, it gave its signing server full administrative privileges, allowing hackers to execute arbitrary commands and steal the key.
– Microsoft did not have a robust incident response plan that would have helped it detect, contain and mitigate the attack. It took several weeks for Microsoft to discover the breach and notify its customers, giving hackers enough time to exploit the stolen key.
These errors illustrate how a single weak link can compromise an entire software supply chain and put millions of users at risk. They also highlight the need for software developers and vendors to adopt best practices to protect their keys and signing processes, such as:
– Use certificates from accredited authorities that apply strict verification and revocation policies.
– Storing signing keys in hardware security modules (HSM) that provide physical and logical protection against unauthorized access.
– Implement security controls such as encryption, authentication, logging and monitoring on signature servers and networks.
– Follow the principle of least privilege and apply the principle of defense in depth, which means using multiple layers of security to protect critical assets.
– Have a clear and complete incident response plan that includes regular testing and updates.
The theft of Microsoft's signing key was a wake-up call for the software industry and a reminder of the importance of protecting software supply chains. By learning from this incident and applying these best practices, software developers and vendors can prevent similar attacks in the future and ensure the reliability of their products.