Wednesday, July 12, 2023

Eric Geller - Email Hacking Campaign Ups Pressure on Microsoft Over Fees for Critical Security Features Government officials say Microsoft needs to provide more security data to customers without charging them extra

https://twitter.com/ericgeller/status/1679207878605828102

Eric Geller

@ericgeller

The FBI and CISA just held a briefing on the Microsoft email hacking campaign. The big takeaway: The USG is still pushing Microsoft to offer more log data for free, including the currently premium feature that was necessary to detect this particular attack.

"We have been working deeply collaboratively with Microsoft for months to determine the specific log types that are most valuable to cybersecurity defenders and that should be made available without premium costs," a senior CISA official said.

"Microsoft has been very responsive and collaborative in these conversations," the official added, "and we anticipate highly positive announcements soon for the availability of additional log types in non-premium license tiers that will be available to all organizations."

The official noted that "a preponderance of organizations using Microsoft 365 or other widely used technology platforms are not paying for premium logging or other telemetry services, and we believe that model is not yielding the sort of security outcomes that we seek."

These are some of the bluntest comments yet by a senior government official about the tech industry's practice of charging extra for critical security features, a challenge that I wrote about in a feature story published this morning:

https://themessenger.com/tech/amazon-google-biden-cybersecurity-policy

The speed with which this campaign was detected is a testament to improvements in network visibility and public-private coordination since SolarWinds, the senior CISA official said. "This is a notable improvement over prior intrusion campaigns," they said.

"Microsoft has been deeply collaborative in the response and investigation around this campaign," said the senior CISA official, "including sharing technical information with operational teams from CISA and FBI, as well as the victim organizations."

A senior FBI official added that "we wouldn't have fidelity on the scope of the victims without Microsoft's collaboration and sharing of intelligence with both the FBI and CISA."

The one new tidbit from this briefing was that the number of affected U.S. organizations "is in the single digits," per the senior CISA official, "and the number of impacted accounts for each was a small number." Matches what I first reported this AM:

Adding on to Sean's reporting: Three federal agencies had their emails compromised in this attack, with 10 or fewer individual victims at each agency, according to a U.S. official familiar with the matter. "Clearly targeted for [People's Republic of China] policy interests." twitter.com/snlyngaas/stat…
https://twitter.com/ericgeller/status/1679110092967358464

Microsoft and the government are still working to figure out the root cause of the attack, which involved the misuse of a signing key used to authenticate accounts. "That is an area of urgent focus," the senior CISA official said.

My story:

https://themessenger.com/tech/email-hacking-campaign-ups-pressure-on-microsoft-over-fees-for-critical-security-features

Email Hacking Campaign Ups Pressure on Microsoft Over Fees for Critical Security Features

Government officials say Microsoft needs to provide more security data to customers without charging them extra

Published 07/12/23 04:02 PM ET

A newly revealed hacking campaign targeting Microsoft’s email system, which compromised multiple US government agencies, underscores the need for Microsoft and other tech giants to offer more basic security features for free, the Biden administration argued on Wednesday.

The email hacking campaign, which Microsoft linked to Chinese operatives, was stealthy enough that only Microsoft customers who paid extra fees for the company’s advanced activity-logging feature could possibly have spotted it. One of the government victims paid for the feature, spotted the suspicious activity, and alerted Microsoft in mid-June, prompting a scramble to kick the hackers out of email systems belonging to roughly 25 organizations.

During a briefing for reporters on Wednesday, a senior official at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency noted that most Microsoft customers didn’t pay the premium for the logging feature that revealed the attack and described Microsoft’s practice of charging for this feature as unacceptable.

“We believe that model is not yielding the sort of security outcomes that we seek,” said the senior CISA official, who spoke on the condition of anonymity according to the agency's policy. “We cannot rely upon organizations to pay more for better logging. That is a recipe for inadequate visibility and adversaries having unnecessary levels of success in targeting American organizations.”

The Biden administration has launched a campaign to convince tech companies to offer more security features for free and by default — instead of making users opt into them or pay extra for them. Offering adequate free log data is one of the areas where tech firms like Amazon, Google and Microsoft continue to dodge those recommendations.

The newly disclosed intrusions could increase pressure on Microsoft and its competitors to make more of their advanced security features available as part of their basic service tiers, given how important those features are to detecting sophisticated cyberattacks.

The US government has been “working closely with Microsoft to ensure the availability of this necessary logging for all organizations, federal and non-federal, without added charge,” the official said, “and we anticipate highly positive announcements soon” regarding the addition of more logging features for all customers.

The suspected Chinese hacking campaign compromised three federal agencies, with the hackers accessing 10 or fewer individual accounts at each agency, The Messenger previously reported.

The US State Department confirmed in a statement that it was one of the affected agencies. CNN first reported that the department was the victim that detected the intrusion and reported it to Microsoft. The Commerce Department is another one of the victims, CNN reported.


Of the estimated 25 victims, the number of compromised US organizations “is in the single digits,” the senior CISA official said, with only “a small number” of affected accounts at each organization.

Senior CISA and FBI officials said the rapid discovery and remediation of the intrusions represented “a notable improvement” over responses to previous cyberattacks, including the SolarWinds breach perpetrated by Russian intelligence operatives in 2020.

A senior FBI official speaking at the same briefing said the government wouldn’t have a clear sense of the scope of this latest attack “without Microsoft's collaboration and sharing of intelligence.”

Still, it remains unclear how the hackers acquired the Microsoft authentication key that they used to break into victims’ email systems. The senior CISA official described that as “an area of urgent focus.”
