In April 2021, hackers stole a Microsoft signing key from a Windows crash dump. The key was then used to sign malicious software with which government email accounts were attacked.

The hackers were able to steal the key because of a race condition in the Windows crash dump system. A race condition is a situation in which two or more processes try to access the same data at the same time, and the outcome of the operation depends on the order in which they get to it.

In this case, the crash dump system did not properly protect the signing key. The key was stored in a file accessible to all processes, and nothing prevented two processes from accessing that file at the same time.
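The lost-update race that the two paragraphs above describe, shown as an added illustration that is not part of the original article and is not Microsoft's code: two workers update one shared record with a read-then-write sequence and no mutual exclusion, a barrier forces the bad interleaving so the failure reproduces every time instead of depending on timing luck, and a lock makes the same update correct. The names SharedRecord, lost_update_demo and locked_demo are this example's own.

```python
import threading


class SharedRecord:
    """Shared data (a stand-in for a file or memory region that several
    processes can reach) updated with a read-modify-write sequence."""

    def __init__(self, value=0):
        self.value = value
        self._lock = threading.Lock()

    def unsynchronized_increment(self, between_read_and_write=None):
        # Read, then write: nothing stops another worker from running in
        # between, so two workers can both read the same old value.
        current = self.value
        if between_read_and_write is not None:
            between_read_and_write()  # hook used below to force that interleaving
        self.value = current + 1

    def synchronized_increment(self):
        # The lock turns read-and-write into one indivisible step, so the
        # order in which workers arrive no longer changes the result.
        with self._lock:
            self.value += 1


def run_workers(n, target):
    """Start n threads running target and wait for all of them."""
    workers = [threading.Thread(target=target) for _ in range(n)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()


def lost_update_demo(n_workers=2):
    """Every worker reads before any worker writes (the barrier releases
    only once all n have read), so all but one increment is lost and the
    final value is 1 regardless of n_workers."""
    record = SharedRecord()
    barrier = threading.Barrier(n_workers)
    run_workers(n_workers, lambda: record.unsynchronized_increment(barrier.wait))
    return record.value


def locked_demo(n_workers=50):
    """With the lock, n_workers increments always yield n_workers."""
    record = SharedRecord()
    run_workers(n_workers, record.synchronized_increment)
    return record.value


if __name__ == "__main__":
    print("unsynchronized, 2 workers ->", lost_update_demo(2))
    print("unsynchronized, 4 workers ->", lost_update_demo(4))
    print("locked, 50 workers        ->", locked_demo(50))
```

The barrier stands in for whatever timing produced the overlap in the real incident; the point is that once two actors can hold the same data between a read and a write, the result is decided by scheduling, and only a mutual-exclusion mechanism (the lock here, or file locking and access control for a dump on disk) removes that dependency.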

“This account had access to the debugging environment containing the crash dump which incorrectly contained the key,” the company said in Wednesday’s report. “Due to log retention policies, we don’t have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key.”

The hackers exploited this vulnerability by creating a malicious process that tried to access the signing key at the same moment the crash dump system was accessing it. This caused the crash dump system to crash, and the malicious process was able to steal the key.


The stolen key was then used to sign malicious software with which government email accounts were attacked. With that software the attackers gained access to the accounts and stole sensitive information.

Microsoft has since fixed the vulnerability in the Windows crash dump system.