Microsoft's very bad year for security: A timeline
- 19 October, 2021 06:00
Satya Nadella (CEO - Microsoft)
So far, 2021 has proved to be somewhat of a security annus horribilis for tech giant Microsoft, with numerous vulnerabilities impacting several of its leading services, including Active Directory, Exchange, and Azure.
Microsoft is no stranger to being targeted by attackers seeking to exploit known and zero-day vulnerabilities, but the rate and scale of the incidents it has faced since early March has put the tech giant on its back foot for at least a moment or two.
What follows is a timeline of the significant security events that have afflicted Microsoft in 2021, why it remains susceptible to serious vulnerabilities and attacks, and an assessment of its response according to experts from across the cybersecurity sector.
March 2: Microsoft Exchange Server vulnerability
The first notable security incident occurred in March, when Microsoft announced vulnerability CVE-2021-26855 in its Exchange Server. The vulnerability was remotely executable and exploitable at the protocol level across one or more routers.
While it classified attack complexity as low, Microsoft stated that CVE-2021-26855 was being actively exploited and that attackers did not require authorisations or access to files/settings.
What’s more, the vulnerability could be exploited without any interaction from a user and lead to both total loss of confidentiality and protection.
On its vulnerability update page, Microsoft wrote: “This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange Server from external access.”
However, this would only protect against the initial portion of the attack and other portions of the chain can be triggered if an attacker already has access or can convince an administrator to open a malicious file, it added. Microsoft released and advised urgently installing updates on externally facing Exchange Servers.
June 8: Microsoft patches six zero-day security vulnerabilities
Microsoft released patches for security issues impacting various Windows services, with six serious vulnerabilities already being actively targeted by attackers. As reported by security researcher Brian Krebs, the six zero days were:
- CVE-2021-33742: A remote code execution bug in a Windows HTML component
- CVE-2021-31955: An information disclosure bug in the Windows Kernel
- CVE-2021-31956: An elevation of privilege flaw in Windows NTFS
- CVE-2021-33739: An elevation of privilege flaw in the Microsoft Desktop Window Manager
- CVE-2021-31201: An elevation of privilege flaw in the Microsoft Enhanced Cryptographic Provider
- CVE-2021-31199: An elevation of privilege flaw in the Microsoft Enhanced Cryptographic Provider
July 1: Windows Print Spooler vulnerability
Attackers were detected exploiting a vulnerability in Microsoft’s Windows Print Spooler service, dubbed PrintNightmare. The remote code execution vulnerability, CVE-2021-34527, involved improper privileged file operations in the service and was exploitable with basic user capabilities and required no user interaction.
“An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft wrote.
Advised mitigation included immediately installing security updates, along with ensuring the following registry settings were set to “0” (zero) or are not defined:
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
- NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
- UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
August: Researchers disclose Microsoft Exchange Autodiscover vulnerability
Researchers from security vendor Guardicore discovered and publicly disclosed a design issue in Microsoft Exchange Autodiscover with the potential to cause Outlook and other third-party Exchange client applications to leak plaintext Windows domain credentials to external servers.
“This is a problem with both the design of how Microsoft initially implemented that [protocol] and a problem in how third parties are implementing it. It’s a two-fold issue: It’s both a design issue and an implementation issue,” commented Amit Serper, VP of security research.
Meanwhile, Microsoft began investigating and taking steps to mitigate the threat to protect customers.
“We are committed to coordinated vulnerability disclosure, an industry standard, collaborative approach that reduces unnecessary risk for customers before issues are made public. Unfortunately, this issue was not reported to us before the researcher marketing team presented it to the media, so we learned of the claims today,” said Jeff Jones, senior director at Microsoft, in an emailed statement.
Serper explained that Guardicore had indeed not contacted Microsoft as the underlying problem with how Autodiscover builds URLs was not a zero-day vulnerability and has been known since 2017.
August 26: Researchers access data of several thousand Microsoft Azure customers
Researchers at Wiz gained complete, unrestricted access to the accounts and databases of several thousand Microsoft Azure customers due to a series of flaws that affect Azure’s flagship database service, Cosmos DB. Dubbed ChaosDB by the researchers, the vulnerability allowed any user to download, delete, or manipulate a large collection of commercial databases trivially and without other credentials.
“Microsoft’s security team deserves enormous credit for taking immediate action to address the problem,” the researchers wrote. “We rarely see security teams move so fast! They disabled the vulnerable notebook feature within 48 hours after we reported it. It’s still turned off for all customers pending a security redesign.”
However, customers may remain vulnerable since their primary access keys were potentially exposed, they added.
“Microsoft notified over 30 per cent of Cosmos DB customers that they need to manually rotate their access keys to mitigate this exposure. Microsoft only emailed customers that were affected during our short (approximately weeklong) research period. However, we believe many more Cosmos DB customers may be at risk. The vulnerability has been exploitable for at least several months, possibly years.”
September 7: Microsoft MSHTML vulnerability
In what turned out to be the first of several significant security issues in the space of a month for Microsoft, the tech giant warned of a remote code execution vulnerability (CVE-2021-40444) impacting MSHTML (aka Trident) being actively exploited in the wild.
Trident is a proprietary browser engine for the Microsoft Windows version of Internet Explorer and was under threat from attacks using specially crafted Microsoft Office documents hosting the browser rendering engine.
“The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,” Microsoft wrote.
Exploitation was described as low in complexity and repeatable, with the capability to impact resources beyond the security scope managed by the security authority of the vulnerable component. Microsoft released security updates to address the vulnerability on September 14 and urged customers to keep anti-malware products up to date.
September 14: Microsoft discloses several non-exploited vulnerabilities
On the same day it released security updates to mitigate the Trident flaw, Microsoft issued details on a raft of non-exploited (at the time of disclosure) vulnerabilities across its services.
CVE-2021-36968: An elevation of privilege vulnerability in Windows DNS. Microsoft said the vulnerable component was not bound to the network stack and the attacker’s path is via read/write/execute capabilities.
“Either the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or remotely (e.g., SSH); or the attacker relies on user interaction by another person to perform actions required to exploit the vulnerability (e.g., tricking a legitimate user into opening a malicious document).” Microsoft warned of the potential for total loss of availability as the result of attack, granting an attacker the ability to fully deny access to resources in the impacted component.
CVE-2021-38647: A vulnerability affecting Open Management Infrastructure (OMI) via some Azure products. “Some Azure products, such as Configuration Management, expose an HTTP/S port listening to OMI (typically port 5986),” Microsoft wrote.
“This configuration where the HTTP/S listener is enabled could allow remote code execution. It is important to mention that most Azure services that use OMI deploy it without exposing the HTTP/S port. An attacker could send a specially crafted message via HTTPS to port listening to OMI on a vulnerable system.”
Microsoft warned that the remotely exploitable vulnerability was low in attack complexity, required no user interaction, and could potentially lead to the full denial of access to resources in the impacted component. A fix was issued on GitHub on August 11 to allow users to mitigate risks before full CVE details were made public by Microsoft.
CVE-2021-36965: A vulnerability affecting Windows WLAN AutoConfig services. Microsoft said the vulnerability was “bound to the network stack, but the attack is limited at the protocol level to a logically adjacent topology.”
This means an attack must be launched from the same shared physical or logical network, or from within a secure or otherwise limited administrative domain. Threatening a total loss of confidentiality and integrity, an exploit is limited to resources managed by the same security authority. According to Microsoft, a complete vendor fix solution is available.
CVE-2021-36952: This remote code execution Visual Studio vulnerability was described by Microsoft as not bound to the network stack, with an attacker’s path via read/write/execute capabilities. CVE-2021-36952 could result in an attacker fully denying access to resources in the impacted component.
CVE-2021-38667: Two months after CVE-2021-34527, a new elevation of privilege vulnerability affecting Windows Print Spooler was disclosed. “The attacker is authorised with (i.e., requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with low privileges may have the ability to cause an impact only to non-sensitive resources,” Microsoft wrote.
CVE-2021-36975 and CVE-2021-38639: Two new elevation of privilege vulnerabilities, this time impacting Win32k, were also shared by Microsoft. Both had the potential to be successfully exploited repeatedly by an attacker.
September 16: APT actors exploit vulnerability in ManageEngine ADSelfService Plus
A joint advisory from the FBI, United States Coast Guard Cyber Command (CGCYBER), and the CISA warned of cyber threats associated with active exploitation of a new vulnerability (CVE-2021-40539) in ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution. While the risks posed were third-party related rather than directly aligned with Microsoft itself, they do present notable threat to Microsoft Active Directory.
September 27: APT29 targets Active Directory Federation Services
Security researchers flagged a notorious cyber-espionage group with ties to the Russian government deploying a new backdoor designed to exploit Active Directory Federation Services (AD FS) and steal configuration databases and security token certificates.
Microsoft attributed the malware program FoggyWeb to the group NOBELIUM (also known as APT29 or Cozy Bear) -- believed to be behind the SUNBURST backdoor. Microsoft stated it had notified all customers observed being targeted or compromised by this activity, recommending users to:
- Audit on-premises and cloud infrastructure, including configuration, per-user and per-app settings, forwarding rules, and other changes the actor might have made to maintain access.
- Remove user and app access, review configurations for each, and re-issue new, strong credentials following documented industry best practices.
- Use a hardware security module (HSM) as described in securing AD FS servers to prevent the exfiltration of secrets by FoggyWeb.
Microsoft added that its security products had implemented detections and protections against the malware.
Microsoft remains a significant attack target
As the incidents of the last several months show, Microsoft services remain a significant target for attack and exploitation, while vulnerabilities within them continue to come to light. “Microsoft apps and systems continue to be high-value targets for hackers because they are so widely deployed across the globe,” Forrester research director and principal analyst Merritt Maxim tells CSO.
Maxim estimates that approximately 80 per cent of enterprises use Microsoft Active Directory “globally in some shape or form. Given that Active Directory serves as the repository for user authentication credentials (among other features) and that authentication credentials are a highly valuable data source for hackers, it is only natural that hackers continue to target Microsoft systems because any exploit that can be developed can be attempted against a broad number of sources.”
“Attackers choose their targets based on value, and the more popular a system or program is, the more valuable it is to a hacker,” says Eugene Kolodenker, staff security intelligence engineer and research team member at Lookout.
“Additionally, due to Microsoft’s sophistication and complexity, it has a large attack surface, much of which is remotely accessible. A combination of popularity and a large remote accessible attack surface creates a perfect target.”
Martin Jartelius, CSO at Outpost24, adds: “The fact is that it’s rarely these products that are the source of the breach; a breach occurs elsewhere and then attackers move toward these most important integral parts of the organisation.”
Microsoft’s response to security incidents
Reflecting on Microsoft’s response to and handling of security incidents, John Bambenek, principal threat hunter at Netenrich, says the company generally does a good job. “If anything, they probably have the finest-honed product security process around.”
Maxim concurs. “Given the ubiquity of their systems, keeping track of every possible vulnerability is an impossible task. Microsoft continues to invest in the security capabilities in its native offerings and through things like the Microsoft Threat Intelligence Center they continue to provide detailed analysis and investigations of emerging malware affecting their platform to keep enterprises informed and protected.”
However, while Microsoft has rapidly responded and promptly attempted to patch vulnerabilities, several recent patches have been incomplete, and this has led to widespread exploitation until successful completion of the patch, says Kolodenker.
“Many Microsoft high-level vulnerabilities were discovered by legitimate security professionals, and only after initial patch release did rampant exploitation by attackers begin. This has been further exacerbated by public proof of concepts released before widespread adoption of the patch.”
This serves as an example of why organisations cannot solely rely on security updates and fixes from service providers, no matter how much clout they carry. Instead, they must bear some of the responsibility themselves, applying security to mitigate the risks of vulnerability-focused exploits and attacks.
Jartelius champions a combination of preventative and reactive methods. “Just as we test our fire alarm systems on a recurring basis, we should test those security defences and assumptions.”
Companies that employ either internal or external teams to simulate real attacks while simultaneously practicing observing and responding to them often discover flaws that can be prevented relatively easily before they are targeted in the real world. “Most organisations struggle in keeping an experienced adversary, simulated or not, at bay,” he says.