Microsoft's very bad year for security: A timeline – CSO Online

By Michael Hill
UK Editor, CSO
So far, 2021 has proved to be something of a security annus horribilis for tech giant Microsoft, with numerous vulnerabilities impacting several of its leading services, including Active Directory, Exchange, and Azure. Microsoft is no stranger to being targeted by attackers seeking to exploit known and zero-day vulnerabilities, but the rate and scale of the incidents it has faced since early March have put the tech giant on its back foot for at least a moment or two.
What follows is a timeline of the significant security events that have afflicted Microsoft in 2021, why it remains susceptible to serious vulnerabilities and attacks, and an assessment of its response according to experts from across the cybersecurity sector.
The first notable security incident occurred in March, when Microsoft announced vulnerability CVE-2021-26855 in its Exchange Server. The vulnerability was remotely executable and exploitable at the protocol level across one or more routers. While it classified attack complexity as low, Microsoft stated that CVE-2021-26855 was being actively exploited and that attackers did not require authorizations or access to files/settings.
What’s more, the vulnerability could be exploited without any interaction from a user and lead to a total loss of both confidentiality and protection. On its vulnerability update page, Microsoft wrote: “This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange Server from external access.” However, this would only protect against the initial portion of the attack, and other portions of the chain can be triggered if an attacker already has access or can convince an administrator to open a malicious file, it added. Microsoft released updates and advised installing them urgently on externally facing Exchange Servers.
Microsoft released patches for security issues impacting various Windows services, with six serious vulnerabilities already being actively targeted by attackers. As reported by security researcher Brian Krebs, the six zero days were:
Attackers were detected exploiting a vulnerability in Microsoft’s Windows Print Spooler service, dubbed PrintNightmare. The remote code execution vulnerability, CVE-2021-34527, involved improper privileged file operations in the service and was exploitable with basic user capabilities and required no user interaction. “An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft wrote.
Advised mitigation included immediately installing security updates, along with ensuring the following registry settings were set to “0” (zero) or are not defined:
Researchers from security vendor Guardicore discovered and publicly disclosed a design issue in Microsoft Exchange Autodiscover with the potential to cause Outlook and other third-party Exchange client applications to leak plaintext Windows domain credentials to external servers. “This is a problem with both the design of how Microsoft initially implemented that [protocol] and a problem in how third parties are implementing it. It’s a two-fold issue: It’s both a design issue and an implementation issue,” commented Amit Serper, VP of security research.
Meanwhile, Microsoft began investigating and taking steps to mitigate the threat to protect customers. “We are committed to coordinated vulnerability disclosure, an industry standard, collaborative approach that reduces unnecessary risk for customers before issues are made public. Unfortunately, this issue was not reported to us before the researcher marketing team presented it to the media, so we learned of the claims today,” said Jeff Jones, senior director at Microsoft, in an emailed statement. Serper explained that Guardicore had indeed not contacted Microsoft as the underlying problem with how Autodiscover builds URLs was not a zero-day vulnerability and has been known since 2017.
Researchers at Wiz gained complete, unrestricted access to the accounts and databases of several thousand Microsoft Azure customers due to a series of flaws that affect Azure’s flagship database service, Cosmos DB. Dubbed ChaosDB by the researchers, the vulnerability allowed any user to download, delete, or manipulate a large collection of commercial databases trivially and without other credentials.
“Microsoft’s security team deserves enormous credit for taking immediate action to address the problem,” the researchers wrote. “We rarely see security teams move so fast! They disabled the vulnerable notebook feature within 48 hours after we reported it. It’s still turned off for all customers pending a security redesign.”
However, customers may remain vulnerable since their primary access keys were potentially exposed, they added. “Microsoft notified over 30% of Cosmos DB customers that they need to manually rotate their access keys to mitigate this exposure. Microsoft only emailed customers that were affected during our short (approximately weeklong) research period. However, we believe many more Cosmos DB customers may be at risk. The vulnerability has been exploitable for at least several months, possibly years.”
In what turned out to be the first of several significant security issues in the space of a month for Microsoft, the tech giant warned of a remote code execution vulnerability (CVE-2021-40444) impacting MSHTML (aka Trident) being actively exploited in the wild. Trident is a proprietary browser engine for the Microsoft Windows version of Internet Explorer and was under threat from attacks using specially crafted Microsoft Office documents hosting the browser rendering engine.
“The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,” Microsoft wrote. Exploitation was described as low in complexity and repeatable, with the capability to impact resources beyond the security scope managed by the security authority of the vulnerable component. Microsoft released security updates to address the vulnerability on September 14 and urged customers to keep anti-malware products up to date.
On the same day it released security updates to mitigate the Trident flaw, Microsoft issued details on a raft of non-exploited (at the time of disclosure) vulnerabilities across its services.
A joint advisory from the FBI, United States Coast Guard Cyber Command (CGCYBER), and CISA warned of cyber threats associated with active exploitation of a new vulnerability (CVE-2021-40539) in ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution. While the risks posed were third-party related rather than directly aligned with Microsoft itself, they do present a notable threat to Microsoft Active Directory.
Security researchers flagged a notorious cyberespionage group with ties to the Russian government deploying a new backdoor designed to exploit Active Directory Federation Services (AD FS) and steal configuration databases and security token certificates. Microsoft attributed the malware program FoggyWeb to the group NOBELIUM (also known as APT29 or Cozy Bear)—believed to be behind the SUNBURST backdoor. Microsoft stated it had notified all customers observed being targeted or compromised by this activity, recommending users to:
Microsoft added that its security products had implemented detections and protections against the malware.
As the incidents of the last several months show, Microsoft services remain a significant target for attack and exploitation, while vulnerabilities within them continue to come to light. “Microsoft apps and systems continue to be high-value targets for hackers because they are so widely deployed across the globe,” Forrester research director and principal analyst Merritt Maxim tells CSO.
Copyright © 2021 IDG Communications, Inc.