Microsoft comes under blistering criticism for “grossly irresponsible” security


Shadowy figures stand beneath a Microsoft logo on a faux wood wall.

reader comments
24 with

Microsoft has once again come under blistering criticism for the security practices of Azure and its other cloud offerings, with the CEO of security firm Tenable saying Microsoft is “grossly irresponsible” and mired in a “culture of toxic obfuscation.”

The comments from Amit Yoran, chairman and CEO of Tenable, come six days after Sen. Ron Wyden (D-Ore.) blasted Microsoft for what he said were “negligent cybersecurity practices” that enabled hackers backed by the Chinese government to steal hundreds of thousands of emails from cloud customers, including officials in the US Departments of State and Commerce. Microsoft has yet to provide key details about the mysterious breach, which involved the hackers obtaining an extraordinarily powerful encryption key granting access to a variety of its other cloud services. The company has taken pains ever since to obscure its infrastructure’s role in the mass breach.

Critics pile on

On Wednesday, Yoran took to LinkedIn to castigate Microsoft for failing to fix what the company said on Monday was a “critical” issue that gives hackers unauthorized access to data and apps managed by Azure AD, a Microsoft cloud offering for managing user authentication inside large organizations. Monday’s disclosure said that the firm notified Microsoft of the problem in March and that Microsoft reported 16 weeks later that it had been fixed. Tenable researchers told Microsoft that the fix was incomplete. Microsoft set the date for providing a complete fix to September 28.

“To give you an idea of how bad this is, our team very quickly discovered authentication secrets to a bank,” Yoran wrote. “They were so concerned about the seriousness and the ethics of the issue that we immediately notified Microsoft.” He continued:

disclosed a set of what it called “vectors” that could be leveraged following a successful breach of an Azure AD Connect account. The vectors allow attackers to intercept credentials via man-in-the-middle attacks or to steal cryptographic hashes of passwords by injecting malicious code into a hash syncing process. Code injection could also allow attackers to gain a persistent presence inside the account with a low probability of being detected.

“The default configuration exposes clients to the described vectors only if privileged access was gained to the AD Connect server,” Ilia Rabinovich, director of adversarial tactics at Sygnia, wrote in an email. “Therefore, a threat actor needs to perform preliminary steps before proceeding with the exploitation process of the vectors.”

SolarWinds supply chain attack, which Kremlin hackers used to infect 18,000 customers of the network management software. A subset of those customers, including nine federal agencies and 100 organizations, received follow-on attacks that breached their networks. The senator went on to pin blame on Microsoft for the recent mass breach of the Departments of State and Commerce and the other Azure customers. Specific failings, Wyden said, included Microsoft having “a single skeleton key that, when inevitably stolen, could be used to forge access to different customers’ private communications.” He also faulted Microsoft for waiting five years to refresh the signing key abused in the attacks, saying best practices are to rotate keys more frequently. He also criticized the company for allowing authentication tokens signed by an expired key, as was the case in the attack.

“While Microsoft’s engineers should never have deployed systems that violated such basic cybersecurity principles, these obvious flaws should have been caught by Microsoft’s internal and external security audits,” Wyden wrote. “That these flaws were not detected raises questions about what other serious cybersecurity defects these auditors also missed.”

In Wednesday’s post, Yoran voiced largely the same criticisms.

“What you hear from Microsoft is ‘just trust us,’ but what you get back is very little transparency and a culture of toxic obfuscation,” he wrote. “How can a CISO, board of directors or executive team believe that Microsoft will do the right thing given the fact patterns and current behaviors? Microsoft’s track record puts us all at risk. And it’s even worse than we thought.”

Article Tags:
Article Categories:
Technology