Global tech giant Microsoft is under scrutiny for the security practices of Azure and its other cloud offerings, with some calling the company "grossly irresponsible."
Additionally, security firm Tenable, Amit Yoran, CEO, said that Microsoft is mired in a culture of "toxic obfuscation." His remarks come nearly a week after Sen. Ron Wyden of Oregon slammed the tech firm for what he claimed were "negligent cybersecurity practices" that only enabled hackers supported by the Chinese government to steal hundreds of thousands of emails.
Microsoft's Security Woes
The emails were said to have been from cloud customers, which include officials in the U.S. Departments of State and Commerce. Microsoft has not yet responded to the allegations or provided details regarding the mysterious breach in security. The incident allegedly involved the hackers gaining access to various of the company's other cloud services.
Yoran on Wednesday took to LinkedIn to severely reprimand Microsoft for allegedly failing to fix what the company said on Monday was a "critical" issue that provided hackers unauthorized access to data and apps managed by Azure AD, as per Ars Technica.
Azure is a Microsoft cloud offering for managing user authentication within large organizations. The disclosure on Monday noted that the firm notified the tech firm of the issue in March and that 16 weeks later, the company reported that the problem had already been fixed.
But researchers from Tenable told Microsoft that the fix that was reported was incomplete, and the tech firm later set a date for providing a complete fix to be on Sept. 28. In a statement, Yoran said that his company's team was able to discover the authentication secrets to a bank quickly.
A representative from Microsoft said that the tech firm did not immediately have a comment in response to Yoran's post. But responding to Wyden's statement last week, Microsoft brushed off the criticisms and said that the incident demonstrated the growing challenges within cybersecurity amid the rising number of sophisticated attacks.
The situation comes after Microsoft previously said that a hacking group tracked as APT29 and linked to Russia's Foreign Intelligence Service (SVR) targeted dozens of global organizations. According to Bleeping Computer, the list included government agencies and was an attack made amid Microsoft Teams phishing attacks.
Addressing Cybersecurity Threats
In a statement, Microsoft said its investigation indicated that the attacks had affected fewer than 40 unique global organizations. It added that the attackers utilized compromised Microsoft 365 tenants to create new technical support-themed domains and send tech support lures.
This attempted to trick users of the targeted organizations using social engineering tactics. The tech firm argued that the hackers tried to manipulate users into approving multi-factor authentication (MFA) prompts, which resulted in the attackers being able to steal users' credentials.
Additionally, Microsoft and other companies in the industry have called for transparency concerning cyber incidents to learn and respond better to threats. The company said it can no longer ignore the exponential rise and frequency of sophisticated attacks.
With the statement, the tech firm published the details of activity conducted by a China-based actor that Microsoft was tracking that was able to gain access to email accounts across roughly 25 organizations, said Microsoft.