After a recent email hacking attempt on government officials and businesses, US Senator Ron Wyden called for three separate probes against Microsoft.
The breach, which impacted roughly 25 organizations, including government agencies, has led many people to seriously question the firm's security procedures, according to Tech Radar.
The cyberattack, blamed on a Chinese threat actor identified as Storm-0558, permitted unauthorized access to email accounts, exposing private data belonging to prominent officials like Secretary of State Antony Blinken and Secretary of Commerce Gina Raimondo, among others. Microsoft said the compromise included linked consumer accounts connected to the impacted businesses.
In a letter addressing the problem, Senator Wyden connected the attempt to the 2020 SolarWinds campaign, which featured a Russian threat actor hacking into US government communications. In addition to criticizing Microsoft's apparent unwillingness to accept responsibility for the attack, Wyden said that the company's shoddy security procedures contributed to the hackers' success.
Negligence on Microsoft's Part
In Wyden's opinion, Microsoft's reaction to the issue was problematic since it assigned responsibility to others and urged users to stick with their interests. The senator described instances where Chinese hackers allegedly used fake authentication tokens for Exchange Online and Outlook.com to access government email accounts.
Microsoft said that the hackers had obtained a "Microsoft account (MSA) consumer signing key," which enabled them to create forged corporate account authentication tokens.
Wyden said that Microsoft "bears significant responsibility for this new incident" despite the availability of "limited details." He added that the company "should not have had a single skeleton key" that could be utilized to "forge access" to various private communications when "inevitably stolen," per PC Mag.
In addition, Wyden lambasted Microsoft for not storing signing keys in a hardware security module, a step it had previously advised clients to take in the wake of the SolarWinds hack. One of the keys used in the Outlook breach had been in use since 2016 and had just recently been updated, according to cloud security vendor Wiz.
The senator from Oregon emphasized that to reduce the danger of compromise, industry best practices and cybersecurity recommendations advise updating encryption keys more regularly.
Additionally, the fact that Microsoft's internal and external audits missed the critical signature vulnerability raises questions about the possibility of additional, unidentified problems in the company's products.
Tech Giant is in Hot Water
In response to Wyden's demand for probes, Microsoft recognized the difficulties of cybersecurity in the face of sophisticated assaults. It gave assurances that it was engaging with federal authorities on the issue. The business promised to keep disseminating information through its blog, Microsoft Threat Intelligence.
Microsoft's practices have been criticized before. For years, the EU has monitored the company on antitrust and anticompetitive concerns, according to NY Breaking. Microsoft has recently been under fire for allegedly unfair cloud practices connected to its Azure platform.
Senator Wyden argues that a thorough, all-government effort is required to hold Microsoft responsible for its incompetence, given the gravity of the most recent incident. The three US government agencies selected to undertake separate investigations will be charged with determining the scope of the security breach and looking into any possible flaws in Microsoft's systems and products.
The findings of these inquiries might have significant ramifications for Microsoft and the larger IT sector, highlighting the crucial significance of solid cybersecurity in the modern digital environment.