Security vendor Tenable has made serious accusations against Microsoft. A critical vulnerability in Azure Active Directory (AAD, recently renamed Entra ID) has been known since March 2023, but has not yet been patched. The CEO of security vendor Tenable, Amit Yoran, sharply criticizes Microsoft's handling of security issues. More than 40 percent of all particularly acute vulnerabilities in recent years are related to Microsoft products. This comes at an inopportune time for Redmond, as the hack of Microsoft Azure services by the suspected Chinese group Storm-0558 has already caused enough waves. Addendum: Microsoft has patched the vulnerability on August 7, 2023.
The hack of Microsoft Azure services by the suspected Chinese group Storm-0558, enabled by a stolen private MSA key, could be a wake-up call with regard to the "Microsoft cyber risk." In the U.S., CISA (Cybersecurity and Infrastructure Security Agency) has been looking into the high number of particularly risky vulnerabilities in Microsoft products in recent hours (see this article from Bleeping Computer for instance).
Tenable discloses new Azure vulnerability
In March 2023, a member of Tenable's research team examined Microsoft's Azure platform and related services. The researcher discovered a vulnerability that would allow an unauthenticated attacker to access cross-tenant applications and sensitive data, such as authentication secrets. This means that there was no tenant isolation in Azure, really the death knell for a cloud provider. This was published by Tenable in the blog post Unauthorized Access to Cross-Tenant Applications in a Microsoft Azure Service, but because the vulnerability is still unfixed, no details are given.
Interestingly, the timeline states that Microsoft was notified of the severe vulnerability by Tenable on March 30, 2023. In a direct message, Tenable told me how critical it is, and says that the team very quickly discovered the authentication secrets of a bank. Naturally, the bank was informed, which then immediately notified Microsoft.
Figuratively speaking: The roof was on fire – and the case reminds me of the hack of Exchange Online accounts by the Storm-0558 hackers that became known in July 2023 (see China hacker (Storm-0558) accessed Outlook accounts in Microsoft's cloud). In the meantime, the case has turned into a security disaster for the Microsoft Cloud, as I explained in the article Stolen AAD key allowed (Storm-0558) wide-ranging access to Microsoft cloud services.
Now we could assume that Microsoft would immediately fix the security issue reported by Tenable. The vulnerability allows attackers to penetrate the networks and (Azure) services of various customers. In this regard, Tenable writes that it took more than 90 days to at least partially fix the vulnerability – but only for applications newly deployed as a service in Microsoft Azure.
This means that the aforementioned bank is still at risk today, more than 120 days after Tenable reported the issue. This is equally true for all other companies that had the service up and running before the issue was fixed. As far as is known, these companies still do not know that they are at risk and therefore cannot make informed decisions about appropriate controls and other risk mitigating measures.
Microsoft states that it wants to fix the problem by the end of September 2023, four months after Tenable reported it. Tenable calls this grossly irresponsible, if not grossly negligent. Tenable knows about the problem, Microsoft knows about the problem – and hopefully the attackers don't, Tenable writes in a statement I received. The security vendor plans to release more details about the vulnerability on Sept. 28, 2023.
Tenable CEO criticizes Microsoft's handling of vulnerabilities
Meanwhile, Amit Yoran, chairman and chief executive officer (CEO) at Tenable, is criticizing Microsoft for its behavior in unusually harsh terms (this seems to have been the straw that broke the camel's back). In a statement titled "Microsoft and Cybersecurity … Worse than feared," Tenable's CEO accuses Microsoft of a lack of transparency, referring to security breaches, irresponsible security practices and vulnerabilities. This exposes all customers to risks about which they are deliberately kept in the dark.
In a comment sent to me, Amit Yoran also mentioned the letter that U.S. Senator Ron Wyden sent to the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Justice, and the Federal Trade Commission (FTC). I reviewed this letter and the explosive findings it raised in the blog post Microsoft as a Security Risk? U.S. senator calls for Microsoft to be held accountable over Azure cloud hack – Part 1.
Ron Wyden calls on the letter's addressees to hold Microsoft accountable for a repeated pattern of negligent cybersecurity practices that enabled Chinese espionage against the U.S. government. According to Google Project Zero data, Microsoft products were responsible for a total of 42.5 percent of all zero-days detected since 2014.
Yoran writes that cloud providers have long advocated the "shared responsibility" model. The Tenable CEO sees this model as irretrievably broken if a cloud provider does not immediately inform its customers about problems that have occurred or become known and does not fix them transparently.
And then Amit Yoran brings up a fact that I've also woven into various posts here on the blog. Customers of Microsoft get to hear "just trust us", but what they get back is very little transparency and a culture of deliberate obfuscation.
Meanwhile, the Tenable CEO's criticism is also being picked up by US media – I refer to this comment by 1ST1, which links to some articles (thanks for that).
It's time for a Microsoft Exit
In conclusion, the Tenable CEO asks, "How can any CISO, board or leadership team believe that Microsoft will do the right thing given the facts and current behavior? Microsoft's track record exposes us all to risk – and it's even worse than we thought." That's a damning verdict for Microsoft as a cloud and software provider.
Currently, I see a company whose employees are hopelessly overworked when it comes to quality assurance and security. This is coupled with free-wheeling marketing, as well as a management team that is bursting with self-confidence in view of the stock price. Yet the structure stands on feet of clay, if one follows the development of the last few years.
Microsoft's CEO, Satya Nadella, has in my opinion hopelessly overstretched his company with the "mobile first, cloud first" strategy, the multiple layoffs since 2014, and other measures such as using open source and "software as a service". While Amazon, Facebook, Google, and a number of other U.S. tech giants have relied on open source (e.g., Linux as an operating system) since the beginning, I feel that at Microsoft, existing "on-premises" products have been "ported for the Azure Cloud." The marketing is flooding customers with a "barrage of supposed innovations" and then forcing them into dependencies via subscription contracts for cloud services.
The poor developers and support engineers are no longer able to keep up the pace and keep that stuff reliable and secure. While the marketing loudmouths are loudly praising the latest AI innovations à la Copilot, security is going overboard.
Is this the twilight of Microsoft? I don't know; the dependencies will prevent a quick exit from this vendor. But I have the feeling that something is brewing, at least currently, which could develop into a storm. Microsoft just doesn't seem to have learned anything from old mistakes – and I think the antitrust authorities and also the US government are slowly getting "fed up with the empty promises" of the US tech giants and will regulate them in the medium term.
But maybe I'm too optimistic, and nothing at all will happen until the "IT monoculture" system collapses. What's your take on this?
Final patch is done
Addendum: After the above criticism, Microsoft wrote that the Azure vulnerability has been patched immediately: Microsoft issued an initial fix on 7 June 2023 to mitigate this issue for a majority of customers.