

Ethical Hacking News

Microsoft's Security Log Nightmare: A Month of Lost Data Exposes Critical Vulnerability



Microsoft recently warned its enterprise customers that it lost some customers' security logs for a month because of a bug introduced while fixing an issue with its log collection service. The data loss put companies at risk of undetected attacks, since the missing logs included critical security data such as suspicious traffic and login attempts. Microsoft has since resolved the issue, but cybersecurity experts are still raising concerns over the incident.

  • Microsoft faced a serious security breach that exposed critical vulnerability issues, resulting in lost customer data for almost a month.
  • The bug was introduced when fixing an issue with Microsoft's log collection service and caused inconsistent logging data between September 2nd and September 19th.
  • Microsoft Entra, Azure Monitor, Azure Logic Apps, and other services were impacted by the issue, affecting security-related logs and events.
  • Azure Trusted Signing also experienced partially incomplete logs, leading to reduced signing log volume and under-billing.
  • Microsoft attributed the bug to a deadlock condition caused by a change made to its log collection service.
  • The bug was resolved after safe deployment practices were applied, but some customers did not receive notifications due to the complexity of the issue.



Microsoft, one of the world's leading technology companies, has recently been rocked by a serious security breach that exposed critical vulnerability issues. For almost a month, the company had lost customer data in the form of security logs, leaving many businesses at risk. This was due to a bug that was introduced when fixing an issue with Microsoft's log collection service.

According to recent reports from Business Insider, the initial issue was first reported by the publication earlier this month. It turned out that Microsoft had begun notifying customers that their logging data had not been consistently collected between September 2nd and September 19th. The lost logs included security data commonly used to monitor for suspicious traffic, behavior, and login attempts on a network, which increases the chances of attacks going undetected.

A Preliminary Post Incident Review (PIR) sent to customers and shared by Microsoft MVP Joao Ferreira shed further light on the issue. According to this review, logging issues were worse for some services, continuing until October 3rd. Microsoft Entra was one of the impacted services, with potentially incomplete sign-in logs and activity logs. The review also stated that log data flowing via Azure Monitor into security products such as Microsoft Sentinel, Microsoft Purview, and Microsoft Defender for Cloud was also affected.

Other services impacted by this issue included Azure Logic Apps, which experienced intermittent gaps in telemetry data in Log Analytics, Resource Logs, and Diagnostic settings from Logic Apps. Additionally, Azure Healthcare APIs suffered partially incomplete diagnostic logs, while Microsoft Sentinel faced potential gaps in security-related logs or events, affecting customers' ability to analyze data and detect threats.

Furthermore, Azure Monitor observed gaps or reduced results when running queries based on log data from impacted services. In scenarios where customers had configured alerts based on this log data, alerting might have been impacted. The issue also affected Azure Trusted Signing, which experienced partially incomplete SignTransaction and SignHistory logs, leading to reduced signing log volume and under-billing.

Another service that was hit hard by the bug was Azure Virtual Desktop, which suffered from partially incomplete application insights. However, it is worth noting that the main connectivity and functionality of AVD were unimpacted by the issue.

Lastly, Microsoft Power Platform experienced minor discrepancies affecting data across various reports, including Analytics reports in the Admin and Maker portal, Licensing reports, Data Exports to Data Lake, Application Insights, and Activity Logging.

Microsoft attributed the logging failure to a bug that was introduced when fixing a different issue with its log collection service. According to the company, the initial change was made to address a limit in the logging service, but it inadvertently triggered a deadlock condition when the agent was being directed to change the telemetry upload endpoint in a rapidly changing fashion while a dispatch was underway to the initial endpoint.

This resulted in a gradual deadlock of threads in the dispatching component, preventing the agent from uploading telemetry. The deadlock impacted only the dispatching mechanism within the agent, with other functionality working normally, including collecting and committing data to the agent's local durable cache. A restart of the agent or the OS resolved the deadlock, and the agent uploaded the data it had within its local cache upon starting.

There were situations where the amount of log data collected by the agent was larger than the local agent's cache limit before a restart occurred, and in these cases the agent overwrote the oldest data in the cache (a circular buffer retaining the most recent data up to the size limit). The log data beyond the cache size limit is not recoverable.
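The failure mode described in the two paragraphs above (collection keeps committing into a bounded durable cache while the uploader is stalled, so the oldest records are overwritten and only the newest survive a restart) is easy to reason about with a small model. The following Python is an added illustration written for this article, not Microsoft's agent code; the cache capacity, record count and stall point are constructed assumptions. It also includes the check a defender would want regardless of vendor: a scan of the timestamps that actually arrived, flagging any silence longer than a tolerated interval, which is how a collection outage like this one shows up before anyone reads a post-incident review.

```python
"""Model of a telemetry agent whose dispatcher stalls while collection continues
into a bounded durable cache, plus an ingestion-gap check over what arrived.
Constructed example: capacities and timings are assumptions, not vendor values."""
from collections import deque
from datetime import datetime, timedelta

BASE_TIME = datetime(2024, 9, 2, 0, 0, 0)  # constructed: one record per minute


def record_time(index: int) -> datetime:
    """Timestamp of the i-th collected record (constructed one-minute cadence)."""
    return BASE_TIME + timedelta(minutes=index)


class DurableCache:
    """Bounded local cache: when full, the oldest record is overwritten,
    i.e. a circular buffer that keeps only the most recent `capacity` records."""

    def __init__(self, capacity: int):
        self.buf = deque(maxlen=capacity)
        self.dropped = 0  # records overwritten before they could be uploaded

    def commit(self, record: int) -> None:
        if len(self.buf) == self.buf.maxlen:
            self.dropped += 1  # the oldest entry is about to be lost for good
        self.buf.append(record)

    def drain(self) -> list:
        records = list(self.buf)
        self.buf.clear()
        return records


class Agent:
    """Collector that commits locally, then dispatches the cache to a sink.
    While `dispatch_stalled` is True the uploader does nothing (the deadlock)."""

    def __init__(self, capacity: int):
        self.cache = DurableCache(capacity)
        self.sink = []  # what the backend (e.g. a log workspace) actually received
        self.dispatch_stalled = False

    def collect(self, record: int) -> None:
        self.cache.commit(record)  # collection keeps working during the stall
        if not self.dispatch_stalled:
            self.sink.extend(self.cache.drain())

    def restart(self) -> None:
        """Restart clears the deadlock; whatever is still cached is uploaded."""
        self.dispatch_stalled = False
        self.sink.extend(self.cache.drain())


def simulate(capacity: int, total_records: int, stall_at: int):
    """Run the agent, stall its dispatcher at `stall_at`, restart at the end.
    Returns (records the sink received, number of records irrecoverably lost)."""
    agent = Agent(capacity)
    for i in range(total_records):
        if i == stall_at:
            agent.dispatch_stalled = True
        agent.collect(i)
    agent.restart()
    return agent.sink, agent.cache.dropped


def find_ingestion_gaps(timestamps, max_silence: timedelta):
    """Return (last_seen, next_seen) pairs where consecutive received records
    are farther apart than `max_silence`: the defender-side check that a source
    went quiet, run over the timestamps that actually landed in the sink."""
    ts = sorted(timestamps)
    return [(a, b) for a, b in zip(ts, ts[1:]) if b - a > max_silence]


if __name__ == "__main__":
    received, lost = simulate(capacity=100, total_records=1000, stall_at=200)
    print(f"received {len(received)} records, {lost} irrecoverably overwritten")
    for start, end in find_ingestion_gaps(map(record_time, received),
                                          timedelta(minutes=5)):
        print(f"ingestion gap: nothing between {start} and {end}")
```

With a 100-record cache stalled after record 200 and restarted after record 1000, the sink ends up with records 0 to 199 and 900 to 999; the 700 records in between were overwritten in the circular buffer and the gap detector reports one silence spanning them. The practical point for operators is that the gap check runs against the destination, not the agent, so it fires whether the cause is a deadlocked uploader, a misconfigured diagnostic setting or a disabled data connector.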

Microsoft says that even though the fix was rolled out following safe deployment practices, the new problem was not identified and it took a few days to detect it. A statement from Microsoft corporate vice president John Sheehan said that the bug has now been resolved and that all customers have been notified.

However, cybersecurity expert Kevin Beaumont points out that he knows of at least two companies with missing log data that did not receive notifications. This incident comes a year after Microsoft faced criticism from CISA and lawmakers for not providing adequate log data to detect breaches for free, instead requiring customers to pay for it.

In July 2023, Chinese hackers stole a Microsoft signing key that allowed them to breach corporate and government Microsoft Exchange and Microsoft 365 accounts and steal email. The US government first detected the attacks by using Microsoft's advanced logging data, which was only available to Microsoft customers who paid for the company's Purview Audit (Premium) logging feature.

Because of this, Microsoft was widely criticized for not providing additional logging data for free so that organizations could quickly detect advanced attacks. Working with CISA, the Office of Management and Budget (OMB), and the Office of the National Cyber Director (ONCD), Microsoft expanded its free logging capabilities for all Purview Audit standard customers in February 2024.



Related Information:

  • https://www.bleepingcomputer.com/news/security/microsoft-warns-it-lost-some-customers-security-logs-for-a-month/

  • https://techcrunch.com/2024/10/17/microsoft-said-it-lost-weeks-of-security-logs-for-its-customers-cloud-products/


  • Published: Thu Oct 17 18:27:23 2024 by llama3.2 3B Q4_K_M
