How a $2.4 trillion corporation fails so badly, so often


After exposing some US government emails to Chinese threat actors, Microsoft then leaked internal emails by its own top-level executives for anyone to scavenge. It’s left us wondering why the second-largest corporation on Earth fails so badly and so often.

“Surely this is not the first time a misconfigured server has exposed sensitive information, and it will not be the last,” said Can Yoleri, vulnerability and threat researcher at SOCRadar, on October 19th, 2022.

He was commenting on SOCRadar’s research into a misconfigured Azure storage server maintained by Microsoft, which leaked 2.4 TB of sensitive data from a high-profile cloud provider. The exposed data included more than 335,000 emails, 133,000 projects, and 548,000 exposed users belonging to more than 65,000 companies from 111 countries. Microsoft’s answer was that “SOCRadar has greatly exaggerated the scope of this issue.”


No one would argue with Yoleri even back then. But a year later, Microsoft seems to be firmly in “hold my beer” mode.

Microsoft itself warned that China was likely to be stockpiling zero-day vulnerabilities last year. Fast forward to July 12th this year, and Chinese hackers, dubbed Storm-0558, stormed Microsoft with acquired digital encryption keys, taking advantage of “a validation error in Microsoft code.” Hackers gained access to inboxes belonging to 25 organizations, including US government agencies, to steal the emails for intelligence gathering.

Senator Ron Wyden sent a letter to the Cybersecurity and Infrastructure Security Agency (CISA) demanding that Microsoft be held responsible for negligent security practices, noting attack patterns similar to those of the 2020 SolarWinds hacking campaign.

CISA itself demonstrated trust in the Microsoft toolkit with a move in March when it released an open-source incident response tool to track malicious activity in the Microsoft Cloud.

Later Amit Yoran, CEO of security company Tenable, criticized Microsoft for taking months to fix a serious issue with the Azure platform, leaving customers unprotected.

But then September came, delivering even more hard punches to the bleeding software giant’s nose. Microsoft leaked 38TB of private data, including personal computer backups containing passwords to Microsoft services, secret keys, and over 30,000 internal Microsoft Teams messages from 359 Microsoft employees.

Then the largest leak in the gaming industry happened when Microsoft presumably accidentally left court documents unredacted with internal emails, a new products rollout roadmap, financial forecasts, and other business information.

Has Microsoft really had nothing to learn and draw conclusions from? If historians wanted to make a list of flaws and breaches involving Microsoft products, the list would be painfully long.


When the Lapsus$ hacking group, also known as DEV-0537 and consisting of teens who were later arrested, roamed around last year, Microsoft was one of its juiciest targets.

One researcher called the extortion gang’s methods “laughably bad” at times. Even so, they were able to make good use of them. Lapsus$ exploited vulnerabilities in Microsoft Exchange Server to gain access to the email accounts of thousands of organizations, emptied many crypto wallets, and even leaked the source code for Microsoft products such as Bing.

A global wave of attacks against Microsoft Exchange Servers occurred in 2021, affecting tens of thousands of organizations, and cracking their internal discussions open. The Hafnium hack was linked to China.

Before that, the BlueKeep vulnerability allowed attackers to execute arbitrary code by exploiting Remote Desktop Services.

Oh, and what about the 500 million LinkedIn users whose data was left for scraping? The list goes on, and anyone could see the pattern.

Cybersecurity is not a top priority, growth is

To be fair, it is impossible from the outside to assess how good of a job Microsoft does. It’s clear that the company transparently discloses breaches and works on solutions.

“We analyze 43 trillion security signals daily and use the insights to inform increased protections. This year, we blocked 34.7 billion identity threats and 37 billion email threats. Over the past four years, we’ve sent over 67,000 nation-state-related threat notifications to customers to help them protect themselves from digital threats,” the Annual report of Microsoft reads, detailing the mindbogglingly high numbers involved.

Microsoft acknowledges that cybersecurity is a significant threat for governments, businesses, and individuals, “yet there simply aren’t enough people with cybersecurity skills to fill open jobs.” The company is committed to skilling and recruiting 250,000 people into the US cybersecurity workforce by 2025.

The ratio of Microsoft’s failures during cyberattacks may not be that high when divided by the massive number of attempts. But the sheer scale of Microsoft ensures that each successful attack is big and painful.


And despite all the fuss, Microsoft services are still highly valued and in demand.

Microsoft is a giant and one of the most successful companies in American history, twice the size of Standard Oil at its peak, with a market value of $2.4 trillion. That corresponds to more than 5% of the US stock market, which was at $46.2 trillion on June 30th. Only Apple is larger, with almost 6% of the total stock market.

Could Microsoft do more in terms of cybersecurity? Probably. However, it would be hard to expect the largest Microsoft shareholders, such as Vanguard Group or BlackRock, to suddenly demand more effort in ensuring customer security and privacy. Their main priority is – “grow more.” And Microsoft responds. It wants to more than double in size by 2030 through acquisitions and organic growth, balancing revenues and expenditures in the most profitable way, as any company would do.

We may also be approaching a point where we depend too much on too-big-to-fail tech companies, risking a future moment similar to the systemic banking crisis of 2007-2008.

Recently leaked Xbox emails reveal how the top execs at Microsoft were disappointed in 2020 when Activision Blizzard signed a partnership not with Microsoft but with Google, which seemingly offered a more favorable 80/20 split in its Google Play store in exchange for choosing Google Cloud services. Tech giants bundle their services in a way that ties corporate users into buying other services from the same company, and they’re all doing the same. That could stifle competition and innovation.

[Image: Leaked email by Phil Spencer]

That leaves us hoping for the best, and that market forces and regulators are, this time round, up to the task.



Comments

John
1 year ago
As long as Microsoft is not held accountable to the same rules that all other companies must play by, they will continue to downplay their lack of security. They make it quite clear in their cloud contract that security of the data is the responsibility of the owner, not Microsoft. That is pretty telling.