Inside Microsoft’s security threat landscape (and how you can protect your company)

Throughout the past few years, Microsoft has faced a slew of negative news over a series of vulnerabilities and hacks. So, it’s no wonder that vulnerabilities in Microsoft products are an attractive attack vector. According to a report from the Cybersecurity and Infrastructure Security Agency (CISA), Microsoft systems has had 238 cybersecurity deficiencies reported since the beginning of 2022, which is 30% of all vulnerabilities discovered so far this year. 

In 2021, major agencies like the National Security Agency (NSA), FBI, CISA and CIA detailed the 15 most common vulnerabilities and exposures (CVEs) exploited by hackers. Of those, 60% (nine) were due to deficiencies in Microsoft’s designed, operated and owned systems, including seven CVEs within Microsoft’s Exchange Server.

This is even more alarming when you consider that Microsoft holds a dominant share (85%) of U.S. government workplace procurement and IT systems, essentially putting the entire government at risk of a hack. 

Microsoft made headlines again in late 2021, when it warned customers that the Azure cloud platform had configuration errors in a component which, enabled by default, had exposed data for the past two years. As a result, thousands of customers that rely on the Azure Cosmos DB — including household names like Exxon and Coca-Cola, were exposed to the possibility that an attacker could read, write or delete data without authorization.

Threat actors exploited multiple yet-to-be-disclosed Microsoft flaws and zero-day bugs, allowing attacks to be executed remotely, according to claims made by security researchers at Vietnamese cybersecurity outfit GTSC, who first spotted and reported that attackers were chaining the pair of zero-days to deploy Chinese Chopper web shells on compromised servers for persistence and data theft. 

Due to the constant hacks and vulnerabilities discovered within Microsoft’s product ecosystem, other contemporaries, such as Google, are now supposedly overtaking the security innovation space. Recently, at its Cloud Next ’22 event, Google announced a Rapid Vulnerability Detection service. The tool is a zero-configuration service in Security Command Center Premium that detects vulnerabilities like exposed admin interfaces, weak credentials and incomplete software installations.

As a household name and a tech giant, where do Microsoft’s cybersecurity practices lack? And what does the future of such threats look like? 

The great vulnerability shark

Throughout the past 15 years, Microsoft has made progress in hardening the Windows kernel, the operating system’s (OS) core that hackers must effectively manage to control a machine. Introducing stringent new limits on loading system drivers that could operate in kernel mode was a cornerstone of that development. 

In February 2019, software company SolarWinds was attacked by suspected nation-state hackers known as Nobelium. The group gained access to thousands of SolarWinds customers’ networks, systems and data, resulting in the largest hack ever recorded. Moreover, following a Reuters exclusive on December 17, 2020, it became apparent that particular Microsoft-specific vulnerabilities exacerbated the damage in the SolarWinds attack. 

Andrew Grotto, former White House director of cyber policy, says that a part of such attacks lies in a legacy codebase problem. 

“Microsoft products require much effort to configure the right way and, due to such configuration problems, the products are vulnerable to exploitation,” he said. 

“For Microsoft systems that SolarWinds customers were using, the attackers burrowed deeper and deeper into the victim’s networks and took advantage of configuration problems in Microsoft’s products,” Grotto told VentureBeat. 

This was just the beginning, as in March 2021, a group of hackers collectively known as Hafnium were able to exploit weaknesses in Microsoft’s Exchange software, allowing Hafnium to take control of servers and gain access to sensitive corporate and governmental organization information. 

The FBI needed to hack into hundreds of computer servers of U.S. companies to remove the Hafnium malware. Microsoft released a patch to fix 114 critical vulnerabilities in April 2021.

Similarly, in March 2022, Microsoft announced that it was breached by the criminal hacker group Lapsus$, explaining that the group compromised one of its accounts, which gave the group “limited access” to company data. However, the company denied that the group obtained data of any Microsoft customers. 

The company would later acknowledge that the group stole parts of the source code associated with some of Microsoft’s products. Lapsus$ claimed to have gotten source code for the Bing search engine and Cortana voice assistant. (However, Microsoft claimed that it did not rely on the secrecy of its source code as a security measure.)

Dan Schiappa, chief product officer at Arctic Wolf and ex-Microsoft security executive, explained that Microsoft’s code is often a mix of old and new, making it even more challenging for them to ensure there are no vulnerabilities. 

“I think it will take the cybersecurity ecosystem to help protect Microsoft’s vast technology base. Microsoft will continue to make incremental changes to improve their security posture, but I do not believe they will do anything that will significantly reduce the risk,” he said. “As a result, having the proper security portfolio or service is the best way to ensure you have Microsoft security covered.”

Microsoft’s product ecosystem bottleneck

As a dominant enterprise vendor on the market, threat actors have been working around the clock to target and exploit products in the Microsoft ecosystem. Here are a few examples:

Threat intelligence company, Cluster25, recently reported that APT28 (a.k.a. Fancy Bear), a Russian GRU (Main Intelligence Directorate of the Russian General Staff) threat organization, used a new strategy to deploy the Graphite malware as recently as September 9.

The threat actor lures targets with a PowerPoint (.PPT) file allegedly linked to the Organization for Economic Co-operation and Development (OECD), an intergovernmental entity working toward stimulating worldwide economic progress and trade. Inside the PPT file are two slides featuring instructions in English and French for using the Interpretation option in the Zoom video-conferencing app. 

When the victim opens the document in presentation mode and hovers the mouse over the hyperlink, a malicious PowerShell script is launched, downloading a JPEG file from a Microsoft OneDrive account. The document also includes a hyperlink that triggers the execution of a malicious PowerShell script through the SyncAppvPublishingServer tool. As a result, the malware is able to use Microsoft Graph API and OneDrive on the victim’s computer for further command-and-control communications.

On top of that, vulnerable Microsoft SQL servers are also being targeted in a new wave of attacks with FARGO ransomware. MS-SQL servers are database management systems, holding data for internet services and apps, which attackers primarily target because disrupting them can cause severe business trouble. FARGO is one of the most prominent ransomware strains focusing on MS-SQL servers, along with GlobeImposter.

The FARGO ransomware strain excludes particular software and folders from encryption to prevent the infected system from becoming completely useless. Victims are also blackmailed with the threat of publishing the stolen material publicly if victims did not pay the ransom. 

It was later discovered that the vulnerabilities were due to the use of weak credentials and lack of updated security patching on the part of the victim servers, which echoes the earlier issues with Microsoft being difficult to configure. 

Microsoft’s Windows operating system isn’t far behind in bottleneck issues. According to research by Lansweeper, only 2.6% of users have upgraded to Windows 11 one year after its initial public release. And 42% of PCs aren’t even eligible for automatic upgrade due to stringent system requirements from Microsoft. Which leaves enterprise IT managers struggling to upgrade or replace millions of machines before 2025, which is when Microsoft has said it will stop supporting Windows 10.

How CISOs and security leaders can mitigate risks 

According to Steve Benton, VP of threat research at Anomali, the exploitation of vulnerabilities as they become known is just a means to an end, a part of an attack chain with several components that must be successful. 

“The harsh truth is we should all embrace the idea that you should not rely on any product to be 100% secure,” Benton told VentureBeat. “One must develop and execute a strategy that puts an overlapping and multilayered suite of security controls in place. [The strategy should be] focused toward the wider attack chains made up of TTP [tactics, techniques and procedures] driven by an attacker with motivation and goals you have understood through relevant, actionable intelligence.”

Benton recommends that the approach, therefore, needs to be threefold:

• Ensure you understand your attack surface and critical assets and have deployed an overlapping and multilayered set of security controls. Also, ensure that these components are fully deployed to the scope, fully operational and being monitored.

• Ensure you have defined policies and standards for all of these components such that they do not expose exploitable aspects ( i.e., do not give yourself away cheaply to an attacker).

• Analyze what kinds of actors are likely to attack you. Think about their motivation or end goal, and how they might go about it. This critical intelligence allows you to prioritize your resources to protect your business and your customers, and to establish and maintain a dynamic security posture against the current and emerging threats relevant to you. 

“Having an aggressive vulnerability and patch management strategy is the most important thing an organization can do to keep safe,” said Mike Dausin, director of security research and threat intelligence at Alert Logic. “At the same time, it is vital to listen to the signals your devices produce; many successful attacks go unnoticed simply because logs and signals from the affected devices go unnoticed. Collecting, processing and monitoring these signals is critical to catch modern threats.”

What the future holds for Microsoft

Jerrod Piker, competitive intelligence analyst at Deep Instinct, said that as Microsoft software solutions continue to enjoy widespread global use across enterprises of all sizes, we will likely see new vulnerabilities discovered at an even more rapid pace than up to this point. 

“If the recent vulnerabilities are any indication, these exploits will continue to grow in complexity and scale,” said Piker. 

Piker said that while Microsoft offers an extensive suite of security solutions, there doesn’t appear to have been significant strides made in securing the software development life cycle itself.

“Microsoft has seemingly always been more reactive with security efforts, instead of successfully building security into the software development process. This needs to change. Until a complete shift is made to tighten security during the development phase, chances are we will not see a marked improvement in the number of vulnerabilities discovered in Microsoft software solutions,” he said.  

Likewise, Grotto believes that the security promises may only be fully achieved if basic security features become standard for all pricing tiers of Microsoft’s cloud services. 

“Basic security features such as event logging and implementing multifactor authentication are a few IT features that should be considered standard. Unfortunately, such ground-level features still seem to be missing from Microsoft’s cloud ecosystem,” he said. “This is a major drawback for cloud-based ecosystems reaching their complete potential, from a security standpoint.”

Originally appeared on: TheSpuzz