Strengthening cyber defenses has never been more important. In February, the Cybersecurity and Infrastructure Security Agency (CISA) issued a “Shields Up” warning asking public and private organizations to be more vigilant when it comes to monitoring cybersecurity threats. Just a few weeks ago, Microsoft confirmed another vulnerability. You might be thinking, “Microsoft hacked again?” The answer is, “Yes.” That said, the first line of defense is to know about the hacks and, in this case, what to do.
The reality is that small and mid-sized businesses, like yours, are viewed as easy prey because of limited resources and weak security implementations. Many businesses are not aware of software vulnerabilities in their purchased software packages and how they can be exploited.
In part because of its market dominance, hackers focus on Microsoft vulnerabilities as a possible attack vector. In the last year, Microsoft experienced four significant breaches that exposed customer data or put clients at risk. Let’s look at these breaches, their impact, and how you can prevent them from impacting your business:
Most Recent Microsoft Breaches
On March 22, 2022, Microsoft confirmed Lapsus$ had breached its defenses. Two days before, on March 20, the hacker group posted a screenshot taken in an Azure DevOps environment that seemed to show that projects such as Bing and Cortana had been compromised. According to Microsoft, the posting on Telegram enabled the security team to interrupt the hackers and stop the download of additional files. No customer data was compromised. The Lapsus$ group breach used social engineering to hijack an account and gain access to the system. The group, known as DEV-0537, to Microsoft’s security team, exploits insiders by posting on social media platforms, offering financial compensation if employees will help them compromise their employer’s system. The group may:
- Ask employees for their credentials
- Have employees respond to an MFA prompt
- Request employees to install remote control software on a networked workstation
Lapsus$ uses such tactics to gain access to a target directly or through its supply chain or service providers. The group claims that its goal is financial and has no political agenda; however, its tactics can be destructive in pursuit of data to exploit.
Misconfigured Power Apps Portals
In early 2021, a cybersecurity firm notified Microsoft of a possible vulnerability in Microsoft’s Power Apps portals. Some instances of the low-code development tool left database tables exposed to public access. After review, Microsoft indicated that the product was performing as designed.
After further analysis, the cybersecurity group notified organizations such as American Airlines and Ford Motors of the public exposure of data records through their Power Apps portals. In all, 47 companies were impacted with many correcting the exposure within days of notification. To date, no data appears to have been stolen.
Most Power Apps portals are used to create websites for data sharing with partners, employees, and closely-affiliated groups. The portals use an API to access tables in databases that hold various data points. The application uses lists to determine what user has access to data. By default, the application sets the access to public. Microsoft’s documentation does indicate that limiting access to the list tables requires changes to Table Permissions.
Many within the cybersecurity community believe that the discovery should have been treated as a vulnerability. Although Microsoft did not directly cause the data exposure, many felt that a reference in the documentation was insufficient to safeguard against exposure. They also felt that the default setting should have been more restrictive. Since the incident was reported, Microsoft has changed the default setting in Table Permissions.
Azure August 2021 Breach
Microsoft’s cloud computing platform, Azure, ranks second after Amazon’s AWS in market share. With an annual growth of 51%, an Azure vulnerability can have a widespread impact. In August 2021, a chain of vulnerabilities was discovered in Microsoft’s Jupyter Notebook feature of Cosmos DB. By exploiting these weaknesses, hackers could gain full administrative access to database accounts residing in Azure. Cosmos DB is a managed service that automates database administration. It uses a NoSQL database and incorporates the open-source web application — Jupyter Notebook. Because the application lets users share live code, visualizations, and data manipulation, it is a tool of choice for many data scientists, engineers, and developers.
The exploit enabled hackers to obtain credentials to a Cosmos DB account, including the primary key, that provides access to administrative functions. This capability allowed bad actors to modify, view, and delete data from a Cosmos DB account. Any Cosmos DB implementation that had Jupyter Notebook enabled was at risk.
Microsoft notified its Cosmos DB users of the potential security breach and worked with customers to regenerate new primary keys to ensure data integrity once the flaw was fixed. Microsoft stated there was no evidence that the flaw had been exploited aside from the security group that found the vulnerabilities.
Microsoft Exchange Server Hack
When Microsoft’s Exchange Server was released in 1996, it was installed on a Windows server operating at a customer location. The software enabled users to exchange and share emails, calendars, messages, and contacts across multiple applications. Today’s Exchange Server can operate in the cloud and on-site.
In January 2021, Microsoft was notified of four zero-day vulnerabilities tied to on-premise installations of Exchange Server connected to the internet. Successful breaches enabled hackers to download information stored on the server. Microsoft’s internal security team worked to contain security threats while developers worked to patch the weaknesses. By March, the Microsoft hacks were multiplying with thousands of attempts per day.
Microsoft released patches for the 2010, 2013, 2016, and 2019 versions of Exchange. However, Microsoft could not guarantee compliance since it did not track on-site installations. If organizations did not apply the updates, the vulnerabilities continued to pose cybersecurity threats. As a result, the Biden Administration appealed to organizations operating Exchange Server to apply the security patches.
The administration considered the vulnerabilities to be a threat to national security because hackers seemed to target smaller companies, local governments, institutions, and smaller nonprofits. These organizations could be leveraged to infiltrate larger organizations. Once it was determined that China-backed hackers were the source of the cybersecurity threats, the impact on national security became clear.
Impacts of Known Microsoft Vulnerabilities
Given Microsoft’s dominance in the computer market, it’s no wonder that Microsoft security threats occur. Whether it is a local workstation or the cloud, Microsoft software solutions are continually under attack. These most recent Microsoft hacks illustrate crucial concerns in the fight against cybersecurity threats.
Lapsus$ Microsoft Hack
The Lapsus$ breach demonstrates how insider threats and social engineering can jeopardize a company’s security. By offering financial compensation for insider assistance, Lapsus$ is enticing employees to assist in security breaches. An employee for a small organization in a large supply chain might be convinced to provide credentials that could be leveraged to target a larger organization.
More sophisticated social engineering methods make it harder for employees to detect phishing attempts. Continual training can help mitigate the risk as can deploying better tools for defending against infected emails or questionable senders. As cybersecurity threats increase, the need to remain vigilant becomes more crucial.
Power Apps Misconfigurations
Microsoft’s Power Apps portal event underscores your responsibility for staying up-to-date with your software applications. This threat should also encourage organizations to demand more safeguards be in place from day one. After all, while it seems reasonable to expect software providers to deliver solutions that are configured for maximum security, that’s far from reality. Does anyone at your business take the time to read detailed documentation on every software application you purchase? Or perhaps, you realize you just don’t have the technical expertise for configuring advanced technologies such as firewalls and cloud security. If you’re not able to stay current with or aren’t sure how to configure your software, don’t overlook the importance of doing so and assume that such vulnerabilities won’t impact you. If you lack internal expertise, considering a co-managed IT model can help you to ensure your applications are updated and properly configured to protect your data against security threats.
With more companies moving to the cloud, the security implications are important to understand. Maintaining cloud, on-premise, or hybrid security requires different expertise. According to Microsoft, the Azure breach was contained in part by its added defenses such as segmented network operations and internal firewalls.
Few companies have Microsoft’s technical resources or expertise, but they can work with a certified partner who does. Whether it is conducting vulnerability assessments or delivering real-time monitoring, a trusted advisor can provide the resources to secure an organization’s infrastructure.
China’s Microsoft hack in 2021 highlights the importance of software updates and patches. If companies systematically downloaded and applied every security update, no one – including a Presidential administration – would have to beg organizations to update their software. Yet, many companies neglect to apply updates regularly. As a result, software becomes outdated and subject to hackers. Once a hacker identifies a vulnerability, they search the internet for systems that have not been updated or patched to protect against a weakness.
Sometimes, replacing older software is the best way to protect a network. And in the long run, the investment could result in savings for you. Applications written before the cloud existed were not created to take advantage of the technology. Spending hours trying to configure old and new technologies for maximum security may still result in vulnerabilities.
How to Keep Your Microsoft Environment Secure
Keeping operating environments safe requires continual vigilance. You cannot afford to install solutions and not keep them updated. You cannot assume that simple firewalls and occasional employee training are enough. Even with limited resources, you can strengthen your security posture by implementing the following:
- Employee Training. Having a well-designed, versus one-off, training program keeps your employees informed about potential risks. Training can also alert staff to the most current phishing techniques, so they are less likely to click on a questionable link. Educating your employees on social engineering methods can reduce the chance of compromised credentials in your business.
- User Restrictions. Instead of granting everyone access to the entire network, limit your users’ movements to the applications and locations needed to perform their tasks. That constraint makes it more difficult for hackers to penetrate your network. Implementing multi-factor authentication (MFA) and a least-privilege access model can minimize the potential damage caused by a security breach.
- Network Monitoring. Comprehensive network monitoring is essential to a strong cybersecurity defense. You need to look at penetration testing, instruction detection, and endpoint protection. With more internet of things (IoT) devices being deployed and hybrid work environments continuing, network monitoring needs to expand well beyond its traditional internal network.
- Vulnerability Assessments. Without a vulnerability assessment, you do not have a clear picture of their cybersecurity landscape. You are unaware of misconfigurations that open their network to potential compromises. With limited resources, businesses can prioritize weaknesses to ensure that critical vulnerabilities are addressed first.
- Software Updates. Many companies have suffered from system disruptions as a result of a software update and are hesitant to apply any patches. However, failing to keep software updated opens a network to hackers that prey on outdated systems.
- Off-site Backups. Hackers are continually perfecting their skills. When companies maintained onsite backups, cybercriminals found fewer targets willing to pay a ransom to restore their systems. Today, bad actors encrypt or disable all backups stored on the network before launching a ransomware attack. To protect backups against ransomware attacks, you need to maintain offsite backups that cannot be accessed from their internal network.
- Third-Party Expertise. With co-managed IT, you’re able to remove some stress from your IT team’s plate. Your co-managed IT partner should be laser-focused on protecting your business, acting immediately on any real or perceived threats.
Engage with an Expert for Help
As the dominant provider of operating systems and applications, Microsoft solutions are a frequent target for cybercriminals. Finding a vulnerability in a Microsoft environment means that thousands of companies, like yours, immediately become a target. The financial gain for hackers multiplies exponentially.
Contact us today to learn about the benefits of working with a trusted cybersecurity partner.
Working with a partner who understands cybersecurity best practices and is a certified expert in a number of Microsoft solutions can reduce your risk of becoming a local news headline about another hack. Let’s discuss your cybersecurity needs and work together to build that bridge from where you are now to where you want to be as you strengthen your defenses.