Although the US multinational is best recognized for the widespread use of its Windows operating system and software platforms, it is also a formidable cybersecurity watchdog. For instance, in Ukraine, Microsoft's initial steps helped reduce the negative effects of harmful malware that had been injected into Ukrainian IT systems as early as January 2022 – a full month before Russia's full-scale conflict really started.
Additionally, the company assisted in smuggling data from several Ukrainian government agencies into its cloud, saving crucial data from being destroyed by a cruise missile fired by Russia at one of Ukraine's most crucial data centers. However, Microsoft is also battling its own cyber-demons.
Microsoft revealed a major breach affecting its Azure infrastructure last month, which it linked to the Chinese hacker squad Storm-0558. Around 25 different companies were impacted by the hack, which also led to the theft of private emails from US government officials. Senator Ron Wyden (D-OR) requested last week in a letter to the US Department of Justice that Microsoft be held responsible for "negligent cybersecurity practices." Since then, it has been under fire for its cybersecurity procedures.
Attacked in the Vulnerability
Wyden's observations relate to the claims made by other critics that Microsoft is hiding important information regarding the recent hack. Microsoft has done everything it can to avoid admitting that its infrastructure—including the Azure Active Directory, was hampered in disclosures regarding the incident so far. According to the critics, the information that Microsoft has provided to date makes it clear that weaknesses in the code for Azure AD and other cloud services were used to carry out the successful attack.
The software developer and cloud provider claimed that the attack was caused by the activation of vulnerabilities in either its Exchange Online email service or Azure AD. Microsoft's Threat Intelligence team claims that starting on May 15, Storm-0558, a hacker group from China that carries out espionage on behalf of that nation's government, exploited them. On June 16, after a client alerted corporate researchers to the incident, Microsoft pushed the attackers out. Storm-0558 had already infiltrated 25 different organizations' accounts by that point.
One of these vulnerabilities allowed the attackers to obtain a Microsoft Account encryption key that was outdated and was being used to log users into Exchange accounts. The company stated it was still unsure of how Storm-0558 obtained the key thirteen days ago, and it has not since offered any additional information.
According to Microsoft, 'in-depth analysis' revealed that the hackers were able to create genuine Azure AD access tokens using the Microsoft Account (MSA) key. The MSA keys were designed by Microsoft to only create tokens for consumer accounts, but the hackers were able to use them to sign tokens for Azure AD access. Microsoft claimed that the fake "was made possible by a validation error in Microsoft code."
Pulling Out the Big Guns
Wyden called upon US Attorney General Merrick B. Garland, Director of the Cybersecurity and Infrastructure Security Agency Jen Easterly, and FTC Chair Lina Khan to hold Microsoft accountable for the hack. He said that Microsoft kept quiet about its involvement in the SolarWinds supply chain attack, which was exploited by Russian hackers to infect 18,000 customers of the Austin, Texas-based company that produces network management software. Nine federal agencies and 100 organizations were among the customers who were subjected to follow-up assaults that resulted in network breaches.
He compared the actions taken in the SolarWinds case to those that, in his opinion, contributed to the more recent data breach involving the Departments of Commerce and State and other key customers.
Wyden then urged Easterly to instruct the board to look into the SolarWinds issue, with a particular focus on whether Microsoft kept the encryption key that was taken in the breach in an HSM. He requested that Garland look into whether Microsoft's ‘negligent practices’ were against the law. He also urged Khan to look into Microsoft's privacy and data security policies to see if they broke any FTC-enforced rules.
Trust broken with Microsoft’s Cloud Services
Researchers from security firm Wiz expressed that the gravity of the entire impact of the recent incident is actually bigger than what they had initially perceived it to be. This led to their belief that the event could have long-term implications on their trust towards the company’s cloud services. They concluded by saying that we must learn from it and improve.
In response to Wyden's remarks, Microsoft hasn't been open about its involvement in the most recent incident. It issued a two-sentence statement, the first of which said that the incident shows how cybersecurity issues are growing in the face of sophisticated attacks. The other stated that the company will keep up its commitment to putting out information on the Microsoft Threat Intelligence blog and would continue to communicate directly with government agencies on this matter.
Promising Improved Cloud Logging Features thereafter
Microsoft proposed that it hopes to offer improved cloud logging features without charging extra. It also stated that starting in September, regular users would have access to a greater variety of cloud logs, including 30 additional sorts of logs that were previously only available to premium subscribers, along with more thorough email access logs. Microsoft will extend the usual customer log retention period from 90 to 180 days by default.
As cyberattacks grew in severity during the ensuing ten years, the company began to acquire a variety of security vendors, a pattern it has continued for the past twenty years.
Investments in cloud security, made to safeguard Microsoft's flagship platform Azure, have allowed the company to establish a solid foothold in this burgeoning cybersecurity market.
Yet complaints about its transparency are far from new. Recent data breaches involving Microsoft include the Solar Winds hack, which affected agencies throughout the US government. Due to bugs in its Microsoft Exchange Server software, the company also experienced an attack that negatively impacted approximately 30,000 organizations. However, Microsoft's recent cybersecurity woes run the risk of upsetting its hard-won progress toward being a respected name in the world of security.
New regulations at the Securities and Exchange Commission will require businesses to disclose a hack within four days of its discovery, which will soon push US companies to be more forthright about security vulnerabilities.