🚨 Microsoft just moved MSA token signing to Azure Confidential VMs, a major step forward in securing its identity infrastructure after the high-profile Storm-0558 breach.

This move, along with the ongoing migration of Entra ID signing services, is part of Microsoft’s broader Secure Future Initiative (SFI) — described as the largest cybersecurity engineering project in its history.

Here’s what’s changing:
- MSA signing keys now protected inside Azure Confidential VMs
- Entra ID token signing is also being migrated to confidential infrastructure
- Access tokens are generated, stored, and auto-rotated via Azure-managed HSM
- 90% of identity tokens for Microsoft apps now validated via hardened SDKs
- 92% of Microsoft productivity accounts use phishing-resistant MFA
- 81% of production code branches are protected with proof-of-presence MFA
- Security logs have a mandatory 2-year retention period
- A new tenant provisioning system auto-registers tenants into the emergency response process

Microsoft is also piloting isolated customer support environments to reduce lateral movement, a direct response to risks exposed in the 2023 Storm-0558 breach, which involved forged Entra ID tokens using a compromised MSA key.

The attack, attributed to a China-linked threat group, led to unauthorized email access across U.S. and European entities.

This update builds on the lessons from the U.S. Cyber Safety Review Board (CSRB) report and pushes forward a model where signing keys, support processes, and token validation are more tightly controlled than ever before.

At @Efani, we support these kinds of structural shifts — because real security isn’t just about patching flaws after the fact, it’s about re-engineering trust from the foundation up.

#CyberSecurity #Microsoft #EntraID #CloudSecurity #SecureFutureInitiative #Storm0558 #IdentitySecurity #EfaniSecure
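The forgery the post above refers to came down to token validation trusting a key that was never meant to sign for the issuer the token claimed. The following is an added example, not Microsoft's code and not part of the original post, contrasting a key lookup scoped to the expected issuer's key set with an unscoped lookup that searches every key set it knows. Issuer URLs, key IDs, key material, audience and claims are all constructed for illustration, and HS256 (HMAC) stands in for the RSA signatures real identity providers use so the example runs on the Python standard library alone.

```python
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    pass


# Constructed, illustrative key sets, one per issuer. In production these would be
# each issuer's published JWKS; HMAC secrets stand in for RSA keys here.
KEY_SETS = {
    "https://login.live.example/": {            # consumer (MSA-style) issuer
        "msa-key-2016": b"consumer-signing-key-material",
    },
    "https://login.entra.example/tenant": {     # enterprise (Entra-style) issuer
        "entra-key-2024": b"enterprise-signing-key-material",
    },
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(key: bytes, kid: str, claims: dict) -> str:
    """Mint an HS256 JWT from raw key material. The caller controls every claim,
    which is exactly the position of an attacker holding a leaked signing key."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _verify_with_keys(token: str, keys: dict, expected_issuer: str,
                      expected_audience: str, now: float) -> dict:
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    key = keys.get(header.get("kid"))
    if key is None:
        raise TokenError("kid not in trusted key set")
    expected_sig = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != expected_issuer:
        raise TokenError("issuer mismatch")
    if claims.get("aud") != expected_audience:
        raise TokenError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise TokenError("expired")
    return claims


def verify_token_scoped(token, expected_issuer, expected_audience, now=None):
    """Hardened check: only the expected issuer's own key set is consulted, so a
    signature made with another issuer's key can never validate here."""
    keys = KEY_SETS.get(expected_issuer, {})
    return _verify_with_keys(token, keys, expected_issuer, expected_audience,
                             time.time() if now is None else now)


def verify_token_unscoped(token, expected_issuer, expected_audience, now=None):
    """Flawed check (illustrative simplification, not any vendor's actual code):
    the kid is looked up across every key set the library knows, so the issuer
    claim is accepted on the strength of a key that was never authorised for it."""
    keys = {kid: k for ks in KEY_SETS.values() for kid, k in ks.items()}
    return _verify_with_keys(token, keys, expected_issuer, expected_audience,
                             time.time() if now is None else now)


def _outcome(verifier, token, issuer, audience, now):
    try:
        return "accepted:" + verifier(token, issuer, audience, now)["sub"]
    except TokenError as exc:
        return "rejected:" + str(exc)


def demo(now: float = 1_700_000_000) -> dict:
    msa_iss = "https://login.live.example/"
    entra_iss = "https://login.entra.example/tenant"
    aud = "api://mail.example"  # constructed audience for an enterprise mail API
    legit = sign_token(KEY_SETS[entra_iss]["entra-key-2024"], "entra-key-2024",
                       {"iss": entra_iss, "aud": aud, "sub": "alice", "exp": now + 3600})
    # Attacker holds only the consumer key but asserts the enterprise issuer and a chosen subject.
    forged = sign_token(KEY_SETS[msa_iss]["msa-key-2016"], "msa-key-2016",
                        {"iss": entra_iss, "aud": aud, "sub": "admin", "exp": now + 3600})
    return {
        "legit_scoped": _outcome(verify_token_scoped, legit, entra_iss, aud, now),
        "forged_scoped": _outcome(verify_token_scoped, forged, entra_iss, aud, now),
        "forged_unscoped": _outcome(verify_token_unscoped, forged, entra_iss, aud, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` shows the legitimate enterprise token accepted by the scoped verifier, the forged token rejected by it at the key-lookup step (before any signature or claim check), and the same forged token accepted by the unscoped verifier because the consumer key it was signed with is in the global pool. The design point is that the key set consulted must be derived from the issuer the relying party expects, never from whatever `kid` or `iss` the token itself carries.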

That #Microsoft acts opaquely, gives only strategic glimpses into its #Cloud, and talks up #Datenschutz (data protection) and #Informationssicherheit (information security) because it is supposedly #ToBigToFail, is well known.

Now the @bsi, as an authority acting on behalf of the public, is finally taking action against such practices and demanding information that, after a #Hack like the #Storm0558 one in summer 2023, should have been provided unprompted and voluntarily.
https://www.heise.de/news/BSI-verklagt-Microsoft-auf-Herausgabe-von-Informationen-zu-Security-Desaster-9721245.html

I am curious how this plays out and I stand behind the #Klage (lawsuit). However it turns out, the symbolic significance is already a success. Anyone who still believes they are in good hands with #Azure, #M365 and co. cannot be reached with arguments. 🤯

Microsoft's security disaster: BSI orders disclosure of information

The Bundesamt für Sicherheit in der Informationstechnik has apparently opened formal proceedings against Microsoft, and is still waiting for answers.

heise online

The #CSRB report on the #Microsoft #Azure #Storm0558 security incident says that Cloud Service Providers (#CSP) should adopt a minimum standard for default audit logging.

I wonder which standards exist for that? Any pointers welcome.
The report later mentions the #FedRAMP AU-2 "standard". But I couldn't find it 😠

#CyberSecurity

The hacking of Microsoft by China was "avoidable", says a US government committee

The Cyber Safety Review Board, an independent authority of the United States Department of Homeland Security, has published a severe... - Cybersecurity

Usine Digitale
DHS blames ‘cascade of security failures at Microsoft’ for China hack on US government

Microsoft still does not have a full understanding of how alleged Chinese government hackers breached its systems and accessed the emails of senior U.S. government leaders, according to a review by the Department of Homeland Security.

#Microsoft has been #pwned twice in the last six months. Does it change anything?

Ars Technica: Microsoft finally explains cause of Azure breach: An engineer’s account was hacked.

Last year #Azure was pwned by #Storm-0558, "a China-based threat actor with activities and methods consistent with espionage objectives."

CNN: Russian hackers breached key Microsoft systems.

And now they are still pwned by #CozyBear, "Russian state-backed hackers". Does anybody care about this?

We really need to push forward our open source resources.

#opensource
The Hubzilla @ tschlotfeldt.de

Last year’s Chinese hack of federal agencies’ email is still a mystery, and “should never have occurred,” says #CISA.

CISA’s Cyber Safety Review Board thinks #Microsoft’s #cybersecurity is rotten. The company needs cultural reform and needs to stop releasing new features until it fixes the problem, the board says.

Microsoft’s cloud email system was hacked by #Storm0558 in 2023. But Redmond still doesn’t know how. In #SBBlogwatch, we aggregate fruity reactions. At @TechstrongGroup’s @SecurityBlvd: https://securityboulevard.com/2024/04/csrb-microsoft-review-richixbw/?utm_source=richisoc&utm_medium=social&utm_content=richisoc&utm_campaign=richisoc

Biden Review Board Gives Microsoft a Big, Fat Raspberry

Storm-0558 forecast: Last year’s Chinese hack of federal agencies’ email is still a mystery, and “should never have occurred,” says CISA.

Security Boulevard

DHS Cyber Safety Review Board (CSRB) absolutely savages Microsoft over the June 2023 Exchange Online breach by Chinese threat actor Storm-0558 and its access to U.S. government emails right before Secretary of State Antony Blinken was to visit China. This 34-page PDF is written in the style of a U.S. Government Accountability Office (GAO) report. 🔗 https://www.dhs.gov/news/2024/04/02/cyber-safety-review-board-releases-report-microsoft-online-exchange-incident-summer

Key takeaways (copied verbatim, emphasis mine):

  • "Google's Threat Analysis Group was able to link at least one entity tied to this threat actor to the group responsible for the 2009 compromise of Google and dozens of other private companies in a campaign known as Operation Aurora, as well as the RSA SecurID incident."
  • "However, by the conclusion of this review, Microsoft was still unable to demonstrate to the Board that it knew how Storm-0558 had obtained the 2016 MSA key."
  • "Microsoft acknowledged to the Board in November 2023 that its September 6, 2023 blog post about the root cause was inaccurate, it did not update that post until March 12, 2024, as the Board was concluding its review and only after the Board's repeated questioning about Microsoft's plans to issue a correction;"

#DHS #CSRB #Microsoft #MSRC #China #cyberespionage #Storm0558

Microsoft Security Response Center (MSRC) quietly updated their 06 September 2023 blog post about the Storm-0558 technical investigation on 12 March 2024 (6 months later) due to DHS Cyber Safety Review Board (CSRB) repeatedly asking them when they were going to update the inaccurate information. 🔗 https://msrc.microsoft.com/blog/2023/09/results-of-major-technical-investigations-for-storm-0558-key-acquisition/

First, what hasn’t changed:

  • Our leading hypothesis remains that operational errors resulted in key material leaving the secure token signing environment that was subsequently accessed in a debugging environment via a compromised engineering account.
  • There is no change in the customer or Microsoft impact or actor activity. Current information may still be found in our Microsoft Security Blog.
Here are the key items which we are updating based on what we have learned since September 6, 2023:

  • The blog below states that the actor access may have resulted from a crash dump in 2021, but we have not found a crash dump containing the impacted key material.
  • The race condition mentioned in the blog below did not impact whether the key could be present in the crash dump, but rather whether the crash dump could be removed from the secure token signing environment.
  • We indicated moving crash dump material out of the secure signing environment was consistent with standard debugging process – we intended to indicate that this was not prohibited in the past, and thus could have happened. Our standard debugging process at Microsoft prohibits removing such materials from the production environment today.
  • Our ongoing investigations have revealed limitations in cred scanning technologies which we will address as we discover them.

#Microsoft #China #cyberespionage #Storm0558

    Results of Major Technical Investigations for Storm-0558 Key Acquisition | MSRC Blog | Microsoft Security Response Center