Monday, January 22, 2024

Microsoft under the microscope

Delivered every Monday by 10 a.m., Weekly Cybersecurity examines the latest news in cybersecurity policy and politics.
Jan 22, 2024

By Joseph Gedeon

— With help from John Sakellariadis

Driving the day

A small number of Microsoft’s senior leadership were hacked by the Russian attackers behind SolarWinds, the tech giant says. And all signs point to the company having fallen victim to some pretty basic IT flubs.

HAPPY MONDAY, and welcome to MORNING CYBERSECURITY! There’s nothing like watching non-snow people interact with the weather we’ve been having in D.C. My one quick tip: pick up your feet when you’re walking on ice.

Have any tips or secrets to share with MC? Or thoughts on what we should be covering? Find me on X at @JGedeon1 or email me at jgedeon@politico.com. You can also follow @POLITICOPro and @MorningCybersec on X. Full team contact info is below.

Want to receive this newsletter every weekday? Subscribe to POLITICO Pro. You’ll also receive daily policy news and other intelligence you need to act on the day’s biggest stories.

Today's Agenda

Digital Regulatory Cooperation Forum CEO Kate Jones and others are joining a virtual discussion on the future for digital governance and how governments can structure their responses at the Atlantic Council. 9:30 a.m.

State Department deputy assistant secretary for international information and communications policy Steve Lang, chief counsel of the House committee on Energy and Commerce Kate O’Connor and others are heading to the American Enterprise Institute for a discussion on U.S. leadership in radiocommunication policy. 2 p.m.

Industry Intel

INSECURE FUTURES — As the clock struck 5 on Friday, Microsoft slipped in a bombshell blog post disclosing that the elite Russian hackers behind SolarWinds accessed the emails of “a very small percentage” of its top brass. The hackers’ list of victims included cybersecurity and legal staff in an apparent bid to figure out what the tech giant knew about them.

Microsoft wants you to think it was a sophisticated digital counter-intelligence coup. But that ignores an uncomfortable reality for a multinational company with a $20 billion cybersecurity business: it appears to have failed Cybersecurity 101.

“I love how they wordsmithed it into a warning about how sophisticated these attackers are and the dangerous new world we find ourselves in. When in reality it appears to have been a massive failure of security best practice,” said Marc Rogers, the chief technology officer at nbhd.ai.

— The methods: Microsoft said the hackers used a password spray attack to “compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts.”

That caught a lot of eyes in the security community for two reasons: first, non-production tenants — generally set up for software testing and troubleshooting — aren’t supposed to be hooked up to “production” — that is, live services.

Second, Microsoft seems not only to have forgotten about this legacy (you know, “old”) account, but protected it with weak authentication.

“You would think that the executive leadership of Microsoft and their cybersecurity team would be running in a more secure environment,” said Adam Meyers, senior vice president of counter adversary operations at CrowdStrike. “So seemingly the largest enterprise in the world doesn't know how to implement multi-factor authentication.”
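The two failures described above, a password spray against a forgotten account and no multi-factor authentication on it, are exactly what a sign-in log review is supposed to surface. The following is an added example, not code from Microsoft or from this newsletter: it runs spray detection over a handful of constructed sign-in records (field names, IP addresses and account names are all made up). A spray shows up as one source failing against many distinct accounts with only a few attempts each, which per-account lockout thresholds never trip; the example also lists accounts the log shows with no MFA, and any account the spraying source eventually signed into successfully.

```python
"""Password-spray detection over constructed sign-in events.

Added example (not from the newsletter or from Microsoft). The log format
"timestamp,source_ip,user,result,mfa" and every value in SAMPLE_LOG are
constructed for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source tries five accounts in 15 seconds and
# finally lands on a legacy test account that has no MFA; a second source
# is an ordinary user who mistyped a password once.
SAMPLE_LOG = """\
2024-01-12T03:00:01Z,203.0.113.7,alice@example.test,FAIL,enforced
2024-01-12T03:00:04Z,203.0.113.7,bob@example.test,FAIL,enforced
2024-01-12T03:00:07Z,203.0.113.7,carol@example.test,FAIL,none
2024-01-12T03:00:10Z,203.0.113.7,dave@example.test,FAIL,enforced
2024-01-12T03:00:13Z,203.0.113.7,legacy-test@example.test,FAIL,none
2024-01-12T03:00:16Z,203.0.113.7,legacy-test@example.test,SUCCESS,none
2024-01-12T03:05:00Z,198.51.100.9,alice@example.test,FAIL,enforced
2024-01-12T03:05:30Z,198.51.100.9,alice@example.test,SUCCESS,enforced
"""


def parse_events(text):
    """Parse the constructed CSV-style records into dicts with a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result, mfa = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip, "user": user, "result": result, "mfa": mfa,
        })
    return events


def detect_spray(events, min_accounts=4, window=timedelta(minutes=10)):
    """Return {source_ip: sorted distinct users} for every source whose
    failed sign-ins cover at least `min_accounts` distinct accounts
    inside any `window`-long span. Counting distinct *accounts* per
    source, not failures per account, is what separates a spray from a
    brute force against one user."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["ip"]].append(e)

    hits = {}
    for ip, evs in fails.items():
        evs.sort(key=lambda e: e["ts"])
        best = set()
        start = 0
        # Sliding window over time-ordered failures from this source.
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_accounts:
            hits[ip] = sorted(best)
    return hits


def successes_from_spray_sources(events, spray_ips):
    """Successful sign-ins from a spraying source: the accounts to treat
    as compromised and to check for MFA coverage first."""
    return sorted({(e["ip"], e["user"], e["mfa"]) for e in events
                   if e["ip"] in spray_ips and e["result"] == "SUCCESS"})


def accounts_without_mfa(events):
    """Accounts whose sign-ins were recorded with no MFA at all."""
    return sorted({e["user"] for e in events if e["mfa"] == "none"})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    spray = detect_spray(evs)
    print("spray sources:", spray)
    print("successes from spray sources:", successes_from_spray_sources(evs, spray))
    print("accounts with no MFA:", accounts_without_mfa(evs))
```

The thresholds (`min_accounts`, `window`) are tuning knobs, not facts from the incident; in a real tenant they would be set against a baseline of normal failed-sign-in volume, and the source key would usually be an IP range or ASN rather than a single address, since sprays are commonly spread across many addresses.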

— The purveyors of chaos: Microsoft’s team pointed the finger at Midnight Blizzard, a cyber gang linked to the Russian Foreign Intelligence Service and also behind the 2020 SolarWinds supply chain hack. Russia’s SVR is responsible for diplomatic and political intelligence abroad, a signal that the hack against Microsoft was meant to find out everything the company knew about the group.

— Teflon don: The global company used by governments, businesses and think tanks has had a spell of security issues over the last few months, including China-based hackers gaining access to the email of high-ranking government officials, including Commerce Secretary Gina Raimondo, and to State Department communications over the summer.

The July hack triggered a slew of Washington actions, including a letter from Sen. Ron Wyden (D-Ore.) to agency heads urging an investigation into Microsoft’s practices. The Cyber Safety Review Board is currently in the midst of an investigation over those hacks.

— A few caveats: Microsoft deserves some credit for announcing the hack (though it might’ve had to, due to those new SEC regulations). In the post, it also committed to apply “current security standards” to its own legacy systems and internal business processes immediately — even at the cost of some disruption.

— But let’s be real: We’re not exactly buying Microsoft's argument that the major takeaway is what the hackers did, as opposed to what the security giant didn’t do.

The firm recently pledged to up its security game as part of a glitzy new initiative called “Secure our Future.” Let’s hope it doesn’t look like this.

At the Agencies

CLEARING THINGS UP — The Department of Homeland Security’s Cyber Safety Review Board is facing a barrage of questions — mostly, it seems, based on misunderstandings, according to a DHS official and a person familiar with the board’s work.

In a Senate hearing last week, some lawmakers and a panel of experts expressed concern that private sector members on the Board would create conflicts of interest. But those who know the CSRB say that’s a fundamental misconception of how its investigations are run.

“We have a career Ethics Counsel,” the DHS official, granted anonymity to speak candidly, told Morning Cyber. “And if there’s any possibility that a conflict will arise between a member’s interest and the work of the board, then it triggers recusal procedures.”

— For example: When it comes to the Microsoft investigation, “We have a few members who, because of their employer or financial interests they have, are not participating in the review,” the official added. And that could result in criminal penalties, a person familiar with the board’s work explained.

Remember, Morning Cyber obtained a list right before Christmas detailing how four of the 15 board members were recusing themselves from that Microsoft hack investigation due to possible conflicts of interest.

— Understand the intricacies: The CSRB, as it is set up right now, includes people from federal agencies like the National Security Agency and CISA, and big tech and cybersecurity companies like Google, Verizon and Palo Alto Networks — meaning some folks on the board could end up looking into screwups in their own tech, or of their competitors.

And if it’s “relevant” to the CSRB’s review, the board members also have access to classified information, the DHS official shared.

— Microsoft investigation update?: There was no comment on a fixed timeline for the Microsoft investigation findings, the DHS official said. The board’s prior reviews of the Log4j incidents and the Lapsus$ hacking gang took roughly five and eight months, respectively.

Vulnerabilities

CYBERATTACKS X2 — Not only are attempted cyberattacks on the rise, but they more than doubled last year, according to new data from Armis.

The tidal wave of global attacks increased by 104 percent in 2023, and industries with critical infrastructure — especially utilities and manufacturing — took the brunt of the damage. Attacks against utilities spiked more than 200 percent, while manufacturing attacks shot up 165 percent.

— Outdated and out of style: Legacy technology only compounds these woes, according to the researchers. Older Windows servers (2012 and earlier) were 77 percent more likely to get hit compared to updated versions.

Armis found that industries still using end-of-life operating systems include education, retail, health care, manufacturing and public administration — with 10 percent of global public administration entities still running EOL systems that are no longer actively supported or patched for security issues.

— Who’s to blame?: You guessed it. The report fingers state actors from China and Russia as driving much of this uptick. July saw the peak in attacks, with communications devices, imaging devices and manufacturing devices experiencing intensified targeting that month.

People on the Move

Kirstjen Nielsen has joined D-Wave’s board of directors. She was previously secretary of Homeland Security.

Tweet of the Day

When an unstoppable force meets an immovable object.

Source: https://twitter.com/Cyberknow20/status/1748652297394274555

Quick Bytes

UNFRIEND ME — A widespread Facebook phishing campaign uses hacked accounts to post messages saying "I can't believe he is gone" with a link that steals users' Facebook credentials. The scam has been ongoing for a year and is hard to stop because the posts appear to come from trusted friends, reports Lawrence Abrams with BleepingComputer.

SWEDISH SWIPE — A ransomware attack on a Swedish data center impacted some Tietoevry customers' services, and recovery is ongoing, Tietoevry wrote.

ICYMI — CISA's proactive alerts helped prevent major attacks on Fortune 500 firms and critical infrastructure, while its vulnerability scanning and warning program bolstered defenses across 7,000 organizations, writes Matt Kapko for Cybersecurity Dive.

“FTC bans another data broker from selling consumers’ location data” (TechCrunch)

Chat soon. 

Stay in touch with the whole team: Joseph Gedeon (jgedeon@politico.com); John Sakellariadis (jsakellariadis@politico.com); Maggie Miller (mmiller@politico.com); and Heidi Vogt (hvogt@politico.com).


Follow us on Twitter

Heidi Vogt @HeidiVogt

Maggie Miller @magmill95

John Sakellariadis @johnnysaks130

Joseph Gedeon @JGedeon1


