Microsoft’s Cybersecurity at Big Risk, Tenable CEO Raises Red Flag

In March 2023, an engineer at Tenable, a cybersecurity firm, discovered an issue with the Microsoft Azure platform that enabled an unauthenticated attacker to access cross-tenant applications and sensitive data, such as authentication secrets. “To give you an idea of how bad this is, our team very quickly discovered authentication secrets to a bank. They were so concerned about the seriousness and the ethics of the issue that we immediately notified Microsoft,” Amit Yoran, chairman and CEO, Tenable, said in a blog post.

The security lapse at the tech giant has raised serious concern even within the US government. Last week, US Senator Ron Wyden urged the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Justice and the Federal Trade Commission (FTC) to hold Microsoft accountable for negligent cybersecurity practices that facilitated Chinese espionage against the US government.

“Microsoft’s lack of transparency applies to breaches, irresponsible security practices and to vulnerabilities, all of which expose their customers to risks they are deliberately kept in the dark about,” Yoran, who previously served as the national cyber security director to the George W Bush administration, said.

Did Microsoft rectify it?

Although Microsoft acknowledged and confirmed the issue within a few days, it took the company around three months to confirm that the issue was fixed. Tenable reported the issue to Microsoft on March 30th 2023, and Microsoft confirmed that the issue was resolved on July 6th 2023. But Tenable soon found that the fix was incomplete.

“They took more than 90 days to implement a partial fix – and only for new applications loaded in the service. That means that as of today, the bank I referenced is still vulnerable, more than 120 days since we reported the issue, as are all of the other organisations that had launched the service prior to the fix,” Yoran said.

He goes on to say that, to the best of his knowledge, most of the affected Microsoft Azure users have no idea the vulnerability exists and therefore cannot make an informed decision about compensating controls and other risk-mitigating actions. “Cloud providers have long espoused the shared responsibility model. That model is irretrievably broken if your cloud vendor doesn’t notify you of issues as they arise and apply fixes openly.”

Interestingly, this is not the first time Yoran has criticised Microsoft’s cybersecurity practices. In 2022, he wrote another blog post highlighting other vulnerabilities in Microsoft’s Azure platform. “This is a repeated pattern of behaviour. Several security companies have written about their vulnerability notification interactions with Microsoft, and Microsoft’s dismissive attitude about the risk that vulnerabilities present to their customers,” he said at the time.

Cybersecurity in the age of generative AI

Since the launch of ChatGPT by OpenAI late last year, Microsoft has almost toppled Google to emerge as the leader in AI. Microsoft is bringing generative AI capabilities not only through Azure but also through products such as Windows and Dynamics 365. However, generative AI is also bringing new cybersecurity challenges. Recently, Indian IT giant Wipro, in a report titled ‘State of Cybersecurity Report 2023’, revealed that the rise of sophisticated new technologies like generative AI is creating a widening cyber resiliency gap within many enterprises.

Today, many enterprises across the globe are using OpenAI’s GPT models through Microsoft Azure’s OpenAI service, because it allows them to run these models in a more confined manner. However, generative AI is also creating new cybersecurity risks. “While there’s so much attention being placed on the use and availability of generative AI, ransomware groups continue to wreak havoc and find success at breaching organisations around the world,” Satnam Narang, senior staff research engineer at Tenable, previously told AIM.

Moreover, earlier this year, researchers from Saarland University presented a paper on prompt injection attacks against chatbots. They discovered a method to inject prompts indirectly through ‘application-integrated LLMs’ such as Bing Chat and GitHub Copilot, expanding the attack surface available to attackers. Injected prompts can collect user information and enable social engineering attacks.

Despite Microsoft’s heavy investment in cybersecurity, concerns remain about how effectively it protects customers from generative AI-related threats.

The post Microsoft’s Cybersecurity at Big Risk, Tenable CEO Raises Red Flag appeared first on Analytics India Magazine.
