Written by: Jeremy Maxwell, Vice President and Chief Security Officer, Veradigm
The unfortunate reality in cybersecurity is that we often respond to cyberattacks after they’ve occurred or while they’re ongoing. But this past year, I had the opportunity to work with our partners to neutralize a serious security threat that had the potential to affect Microsoft Azure users before an attack could occur. Our security testing partner, NetSPI, first noticed the problem within Azure. NetSPI alerted Veradigm to the potential security issue and worked with us to identify the root cause. What we found was troubling.
Essentially, a user with read-only access could have run a series of commands to expose Automation “Run-As” credentials for App Registrations in Azure. Those credentials could then be used to log in as the App Registration, which typically holds higher-level management access and privileges within the system. This type of attack, known as a “privilege escalation attack,” gives bad actors the opportunity to reach sensitive data starting from minimal login credentials. This bug could have been exploited in multiple Azure sites around the world.
As one might expect, Microsoft receives hundreds (if not thousands) of tickets claiming to have found a security threat. Through our strong relationship with Microsoft, Veradigm quickly escalated this issue. On our end, our teams were able to mitigate the issue for our clients by “hiding” the private key information—within eight hours of being notified by NetSPI. Microsoft has since resolved the issue (since named “CredManifest”) entirely by implementing a global patch on the back end of Azure, as detailed in this blog post from the Microsoft Security Response Center.
At the time of discovery, the incident was considered an “unpublicized vulnerability.” In other words, no one was aware of the issue before it was reported by Veradigm and NetSPI, and no Veradigm clients were exploited by the vulnerability before it was patched.
For me, this event has highlighted the importance of having strong cybersecurity partners. While an organization could run its Azure environment on its own, it would miss the benefits of having trustworthy partners such as NetSPI and go without our direct line of communication with Microsoft. The world of cybersecurity is complex, ever-evolving and dangerous to navigate alone. No cybersecurity team is infallible, but working with trusted partners can create invaluable opportunities to make cyberspace safer.