Chinese hackers have recently entered US government email accounts, and Microsoft is under heavy criticism.
CEO of Tenable Amit Yoran claimed that his company discovered a serious issue with the Azure platform that would enable an unauthenticated attacker to access cross-tenant applications and sensitive data such as authentication secrets, and it took Microsoft over 90 days to implement only a partial fix.
In a post to his LinkedIn page, Yoran further criticized Microsoft’s lack of transparency regarding breaches, irresponsible security practices, and vulnerabilities, all of which expose its customers to risks “they are deliberately kept in the dark about.” He further claims that the truth is “even worse than you think,” as the bank he referred to is still vulnerable more than 120 days after the issue was first reported.
Yoran’s post led to snowballing reactions supporting these claims, and at the same time, several security firms reported new attack vectors that could be leveraged against Azure.
Some examples include an attack vector against Azure Active Directory that enables lateral movement to other Microsoft tenants, and several vectors in Azure AD Connect that allow attackers to intercept connector credentials via man-in-the-middle attacks or inject malicious code.
According to Cybernews, a week prior to this, the Cybersecurity and Infrastructure Security Agency, the Department of Justice, and the Federal Trade Commission received a letter from Senator Ron Wyden asking them to hold Microsoft accountable for a repeated pattern of negligent cybersecurity practices, which enabled Chinese espionage against the United States government.
In the Senator’s letter, he demanded that Microsoft be held responsible for the hundreds of thousands of governmental emails and email accounts that were compromised and mentioned that similar attacks have happened before. However, even then Microsoft never took responsibility and blamed federal agencies.
Microsoft officials claim the company follows an extensive process involving a thorough investigation, saying that “developing a security update is a delicate balance between timeliness and quality while ensuring maximized customer protection with minimized customer disruption.”