Former employee says Microsoft prioritized profits over security and ignored vulnerabilities that could lead to hacks of federal government and major corporations for years



In December 2020, various US government agencies and major companies were hacked by attackers backed by the Russian government, resulting in the leak of a large amount of confidential data. The hack exploited a vulnerability in a Microsoft product that a Microsoft employee had known about since 2016 and had repeatedly warned about, but Microsoft reportedly ignored the warnings, prioritizing profits over security.

Microsoft Refused to Fix Flaw Years Before SolarWinds Hack — ProPublica
https://www.propublica.org/article/microsoft-solarwinds-golden-saml-data-breach-russian-hackers



Microsoft Ignored Whistleblower Warnings Before SolarWinds Attack | PCMag
https://www.pcmag.com/news/microsoft-ignored-whistleblower-warnings-before-solarwinds-attack

Andrew Harris, who joined Microsoft in 2014, is an identity and access management expert with seven years of prior experience working on device protection at the Department of Defense. At Microsoft, he was assigned to the team that handled highly sensitive hacking cases, known as the 'Ghostbusters,' and in 2016 he investigated 'a case in which hackers infiltrated a major American high-tech company.' The case was notable because the company's cloud environment was involved and because the hackers carried out the intrusion while leaving almost no traces.

After investigating various possible scenarios for this incident, Harris discovered a vulnerability in a Microsoft product called Active Directory Federation Services (AD FS), which allows users to log in to multiple cloud services with a single login.

AD FS authenticates users with Security Assertion Markup Language (SAML), an XML-based standard for exchanging signed authentication assertions. Once an attacker succeeds in extracting the token-signing private key from the AD FS server, they can forge a signed 'token' that impersonates any user, including one with the highest level of access. Such a token is like a master key for a building: the attacker can log into federated cloud services without leaving the usual traces and steal confidential data. This attack is called a 'SAML attack' (also known as 'Golden SAML').

Normally, when an unknown or external IP address attempts to access a cloud service, the network administrator can detect the attempt and take action. In a SAML attack, however, the attacker holds a forged token equivalent to a master key, so each service they enter records only the same traces a legitimate user would leave, making the intrusion much harder to detect.
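Because a token signed with the genuine key passes every signature check at the cloud service, the one vantage point that can contradict it is the identity provider's own issuance log: every assertion the cloud accepted should have a matching issuance event with the same subject and a lifetime that fits policy. The following added example (not code from the article, Microsoft, or AD FS) runs that correlation over constructed sample records; the field names `assertion_id`, `subject`, `issued`, `expires` and `time` are assumptions chosen for the example, not the real AD FS or cloud sign-in log schemas.

```python
from datetime import datetime, timedelta

# Constructed sample records (assumed field names, not a real log schema).
# Timestamps are ISO 8601 in UTC.
ISSUANCE_LOG = [
    # assertions the on-premises identity provider actually issued
    {"assertion_id": "_0f3a", "subject": "alice@example.com",
     "issued": "2020-12-01T09:00:00", "expires": "2020-12-01T10:00:00"},
    {"assertion_id": "_17b9", "subject": "bob@example.com",
     "issued": "2020-12-01T09:05:00", "expires": "2020-12-01T10:05:00"},
]

CLOUD_SIGNIN_LOG = [
    # sign-ins the cloud service accepted; the assertion's validity window is
    # recorded alongside, as the relying party sees it inside the token
    {"assertion_id": "_0f3a", "subject": "alice@example.com",
     "time": "2020-12-01T09:00:20", "expires": "2020-12-01T10:00:00"},
    {"assertion_id": "_17b9", "subject": "bob@example.com",
     "time": "2020-12-01T09:05:40", "expires": "2020-12-01T10:05:00"},
    # a token signed with a stolen key: valid signature, privileged subject,
    # no issuance record anywhere, and a validity window far beyond policy
    {"assertion_id": "_9c2e", "subject": "globaladmin@example.com",
     "time": "2020-12-01T11:30:00", "expires": "2021-12-01T11:30:00"},
]


def _ts(value):
    """Parse an ISO 8601 timestamp string."""
    return datetime.fromisoformat(value)


def find_suspicious_signins(signins, issuances, max_lifetime=timedelta(hours=1)):
    """Return accepted sign-ins that the issuer's own records cannot account for.

    Checks, per sign-in: an issuance event exists for the assertion ID, its
    subject matches, the token was not used before it was issued, and the
    lifetime the token claims does not exceed the issuer's policy.
    """
    issued_by_id = {rec["assertion_id"]: rec for rec in issuances}
    findings = []
    for signin in signins:
        reasons = []
        issued = issued_by_id.get(signin["assertion_id"])
        if issued is None:
            reasons.append("no matching issuance event")
        elif issued["subject"] != signin["subject"]:
            reasons.append("subject differs from issuance record")
        elif _ts(signin["time"]) < _ts(issued["issued"]):
            reasons.append("used before it was issued")
        # remaining lifetime measured from the time of use; a legitimately
        # issued token can never exceed the issuer's configured maximum
        lifetime = _ts(signin["expires"]) - _ts(signin["time"])
        if lifetime > max_lifetime:
            reasons.append(f"lifetime {lifetime} exceeds policy {max_lifetime}")
        if reasons:
            findings.append({"assertion_id": signin["assertion_id"],
                             "subject": signin["subject"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_signins(CLOUD_SIGNIN_LOG, ISSUANCE_LOG):
        print(finding["assertion_id"], finding["subject"],
              "; ".join(finding["reasons"]))
```

The correlation only works if issuance events are forwarded off the AD FS host to a store the attacker cannot edit: whoever has extracted the signing key already controls that server, so a log that lives only there cannot be trusted as the reference side of the join.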



When Harris raised the dangers of SAML attacks with his superiors, they told him to take the issue to the Microsoft Security Response Center (MSRC), which handles security issues within Microsoft. However, MSRC was chronically understaffed and tended to think about 'how to avoid solving the problem,' so it would often postpone a fix by saying, 'We'll solve it in the next product version.'

Similarly, MSRC refused to address SAML attacks, calling them a non-urgent issue because hackers would first need to gain access to on-premises servers before they could exploit the vulnerability. Harris pushed back, saying the issue was serious, but MSRC remained adamant.

So Harris arranged a meeting with product manager Mark Morowczynski and others to discuss the dangers of SAML attacks from a different angle. Since fixing the product itself would take time, Harris proposed telling customers to turn off 'seamless single sign-on (seamless SSO),' which allows access to on-premises servers and various cloud services with a single login, so that the vulnerability could not be exploited in the meantime.

However, Morowczynski and his team refused to take action, arguing that 'if we publicly acknowledge the danger of SAML attacks, there is a risk that hackers who notice it will exploit it,' and 'if we turn off seamless SSO, there is a risk that customers will leave.' The latter concern was that turning off seamless SSO would reduce convenience for federal employees, an important customer base, and could hinder future contracts with the Department of Defense and other organizations. At the time, Microsoft was lagging behind competitors such as Apple and was betting on cloud services to rebuild the company, so contracts with the federal government carried particular weight internally.

'By Microsoft's standards, the slowdown of turning off Seamless SSO and having to authenticate twice was unacceptable,' Harris told the nonprofit media ProPublica. The product group told him that not responding to SAML attacks was a business decision, not a technical one, and 'what they were saying was the opposite of what I was hearing at Microsoft about putting the customer first. They're saying business first,' Harris said.



In 2017, the cybersecurity company CyberArk published a blog post about the dangers of SAML attacks, and Harris felt that the likelihood of SAML attacks being exploited in the wild was growing.

However, despite repeated appeals to Microsoft to fix the problem, MSRC still did not take action, so Harris personally posted a warning about AD FS on LinkedIn and worked with the NYPD, with whom he had a personal connection, to turn off seamless SSO. Matthew Fraser, head of the NYPD IT department, who met with Harris at the time and decided to turn off seamless SSO, commented, 'SAML attacks were identified as a high-severity issue. So we found the best way to isolate the issue and ensure security.'

After repeatedly raising the problem of SAML attacks without receiving any response, Harris left Microsoft in August 2020 and joined the cybersecurity company CrowdStrike. Four months after Harris left the company, a large-scale cyber attack was discovered, and it was reported that, as Harris had feared, vulnerabilities in AD FS had been exploited, resulting in the leak of confidential information from the federal government and large corporations.

In response to ProPublica's inquiries, Microsoft declined to make officials available for an interview but did not dispute the findings of the investigation. In a statement to ProPublica, Microsoft said, 'Protecting our customers is always our top priority. We prioritize our security response efforts by taking into account potential customer disruption, potential exploits, and available mitigations.'

in Software, Web Service, Security, Posted by log1h_ik