It turns out that Chinese hackers stole signature keys from Windows crash dumps

Microsoft's consumer signature key was stolen by a group of Chinese hackers in July 2023, but a Microsoft investigation revealed that the source of the leak was a Windows crash dump.

Results of Major Technical Investigations for Storm-0558 Key Acquisition | MSRC Blog | Microsoft Security Response Center

Hackers stole Microsoft signing key from Windows crash dump

When the OS terminates abnormally, the information in memory at that time is written to a file so that the cause can be determined. This file is called a 'crash dump' and typically does not contain sensitive information.

However, in the consumer signature system crash that occurred in April 2021, a race condition occurred and confidential Microsoft consumer signature keys were leaked in the crash dump. At this time, the system was unable to detect that key information was included in the crash dump.

The crash dump was moved from the isolated production network to a connected debug environment within the corporate network using standard debugging processes. Microsoft's credential scanning methodology was unable to detect the signing key at this stage.

Due to Microsoft's log retention policy, there are no logs containing concrete evidence of how the Chinese hackers, codenamed 'Storm-0558', obtained the signing keys, but Storm-0558 The corporate account of the Microsoft engineer who was compromised had access to a debugging environment that included a crash dump containing the signing key, so it is highly likely that the key was obtained at this time.

In response to this issue, Microsoft has made the following improvements:

- Identifying and resolving race conditions that allow signing keys to be present in crash dumps
・Prevention, detection, and enhanced response to erroneously including key information in crash dumps
・Enhanced credential scanning to properly detect signing keys present in the debug environment
- Released an extension library to automate key scope validation in the authentication library and clarified related documentation.

in Security, Posted by logc_nt