In the aftermath of a recent attack on its Azure platform, Microsoft is under fire for its cybersecurity track record. Amit Yoran, CEO of cybersecurity firm Tenable, has taken to LinkedIn to shed light on what he calls Microsoft’s “blatantly negligent” approach to cybersecurity.
The attack on July 12th targeted Azure and was attributed to a Chinese hacking group named Storm-0558. The breach affected approximately 25 organizations and resulted in the theft of sensitive emails from US government officials. Senator Ron Wyden has demanded that the US Department of Justice hold Microsoft accountable for its negligent cybersecurity practices.
Amit Yoran, adding to the criticism, revealed that Tenable had discovered another cybersecurity flaw in Microsoft Azure. The flaw, found in March, could grant unauthorized access to sensitive data, including data belonging to banks. However, Microsoft took more than 90 days to implement a partial fix after being notified by Tenable, leaving organizations exposed to potential risks. The fix only applies to new applications, leaving previously launched services still vulnerable.
Yoran accuses Microsoft of displaying a “repeated pattern of negligent cybersecurity practices,” which has allowed Chinese hackers to spy on the US government. He also highlights data from Google’s Project Zero, showing that Microsoft products have accounted for 42.5 percent of all discovered zero-day vulnerabilities since 2014.
“What you hear from Microsoft is ‘just trust us,’ but what you get back is very little transparency and a culture of toxic obfuscation,” Yoran writes.
The security firm Wiz recently reported that the Azure hack might have had a more extensive impact than initially thought, though Microsoft has disputed this claim.
Microsoft’s senior director, Jeff Jones, responded to the criticism, emphasizing the company’s collaboration with the security community to address product issues. He mentioned the delicate balance between timeliness and quality when developing security updates.
“We appreciate the collaboration with the security community to responsibly disclose product issues. We follow an extensive process involving a thorough investigation, update development for all versions of affected products, and compatibility testing among other operating systems and applications. Ultimately, developing a security update is a delicate balance between timeliness and quality, while ensuring maximized customer protection with minimized customer disruption.”
This isn’t the first cybersecurity incident involving Microsoft. The company was also affected by the infamous SolarWinds hack that targeted various US government agencies, as well as an attack on over 30,000 organizations due to flaws in its Microsoft Exchange Server software.
New rules at the Securities and Exchange Commission will soon require companies to disclose any hacks within four days of discovery, forcing them to be more forthcoming about security issues.