The appetite among enterprises for cloud services, and the rising popularity of cloud-first and cloud-only environments, are behind a steady increase in the number of services being made available in-market.
As cloud migration and adoption continues in earnest, one would expect that trend to continue for the foreseeable future.
Already, the trend is boosting the financial results of major cloud providers like Microsoft, where cloud revenue accounted for 51.4% of the company’s total revenue in 2022.
But alongside the revenue and strategic implications, it carries security implications that need to be addressed.
Organisations are broadly aware of the kinds of security risks that operating in the cloud may present. They use a mix of cloud security strategies, policies, processes, best practice and technology, to safeguard their cloud computing environments, applications, data, and information.
But this mix needs to be both flexible and mature to counter an increasing number of threats that have accompanied the growth in availability and use of cloud services.
Drilling into Azure and 365 vulnerabilities
In the three years we’ve been collecting data about vulnerabilities impacting Microsoft Azure and Dynamics 365 cloud services, numbers have risen dramatically.
For Microsoft, cloud services represented the largest year-on-year gain in vulnerabilities across their product suite between 2021 and 2022, both in the number of additional vulnerabilities (70) and in the percentage increase (159%).
Given the broad range of products Microsoft Azure and Dynamics 365 now cover, this increase might not be a huge surprise; however, what may surprise enterprise administrators is that one particular tool seems to have accounted for the majority of the vulnerability growth: the Azure Site Recovery VMware to Azure tool. By itself, it accounted for 80 of a total of 114 vulnerabilities in 2022.
Given this tool is part of a disaster recovery service that can automatically fail-over workloads to a secondary location when a problem is detected, it is equally concerning and reassuring to see so many vulnerabilities being remediated.
The majority of the Azure Site Recovery vulnerabilities were categorised as Elevation of Privilege and seem to share a root cause of SQL injection (SQLi). SQLi has featured for years in the OWASP Top 10, which charts the most common web application security issues; that is a timely reminder that we, as enterprises, need to apply the lessons of the past to the technologies we adopt today and into the future.
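The root cause behind those Elevation of Privilege findings, and its fix, are easy to show in miniature. The following is an added example written for this article, not code from Azure Site Recovery or any Microsoft product: the users table, the role check and the sample rows are constructed, and an in-memory SQLite database stands in for whatever the real service uses. The vulnerable check splices attacker-controlled input into the SQL text, so a value that closes the string literal and appends its own condition turns a "is this user an admin?" question into one that is answered by any admin row. The hardened check passes the same value as a bound parameter, so it is only ever compared as data.

```python
"""
SQL injection leading to an authorisation bypass, with the parameterised fix.
Added illustration for this article; hypothetical schema and constructed data,
not code from any Microsoft product.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create an in-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "operator")],
    )
    conn.commit()
    return conn


def is_admin_vulnerable(conn: sqlite3.Connection, name: str) -> bool:
    """Privilege check that concatenates the caller-supplied name into the SQL.

    With name = "bob' OR '1'='1" the statement becomes
        SELECT 1 FROM users WHERE name = 'bob' OR '1'='1' AND role = 'admin'
    which, because AND binds tighter than OR, is true for any admin row in the
    table. The caller is treated as an admin without being one.
    """
    sql = f"SELECT 1 FROM users WHERE name = '{name}' AND role = 'admin'"
    return conn.execute(sql).fetchone() is not None


def is_admin_parameterised(conn: sqlite3.Connection, name: str) -> bool:
    """Same check with the name passed as a bound parameter.

    The SQL text is fixed; the driver sends the name separately as a value, so
    quotes or keywords inside it can never change the query's structure. The
    injected string simply matches no row.
    """
    sql = "SELECT 1 FROM users WHERE name = ? AND role = 'admin'"
    return conn.execute(sql, (name,)).fetchone() is not None


def demo() -> dict:
    """Run both checks for a legitimate admin, a non-admin and an injection payload."""
    conn = build_db()
    payload = "bob' OR '1'='1"  # constructed attacker input
    return {
        "vulnerable": {
            "alice": is_admin_vulnerable(conn, "alice"),
            "bob": is_admin_vulnerable(conn, "bob"),
            "payload": is_admin_vulnerable(conn, payload),
        },
        "parameterised": {
            "alice": is_admin_parameterised(conn, "alice"),
            "bob": is_admin_parameterised(conn, "bob"),
            "payload": is_admin_parameterised(conn, payload),
        },
    }


if __name__ == "__main__":
    for variant, results in demo().items():
        print(variant, results)
```

The only difference between the two functions is how the name reaches the database; the query logic is identical. That is why parameterised statements (or an ORM that generates them) are the standard fix rather than input filtering, which has to anticipate every way of escaping the literal and is repeatedly bypassed.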
Attacks are becoming more complex
Our research shows Elevation of Privilege vulnerabilities across the Microsoft suite of products – not just limited to cloud services – skyrocketed to 715 in 2022, a 22% increase over 2021, and a whopping 689% increase since 2017.
One of the reasons for this growth is that privilege escalation is more critical than ever as a tool for attackers.
Over the past decade, we’ve observed a general trend in the Microsoft ecosystem in which the risks and worst-case scenarios associated with individual vulnerabilities have decreased. So while the overall Microsoft attack surface is expanding with cloud services, the vendor is doing a better job of minimising the most dangerous classes of development error.
Having fewer critical vulnerabilities means attackers have fewer easy paths to totally compromise a system in one move. They may need to instead chain multiple, less severe exploits together to gain code execution, elevate privileges, and move around the network.
From a defender’s point of view, this is a good thing because it requires a higher level of attacker skill and reduces the number of possible adversaries. It also provides more potential points to detect, intercept, and mitigate a breach. If an attacker needs to chain three or more vulnerabilities together to reach their objective, then you just need to have mitigated or patched one of them to break the chain.
That being said, an attacker’s objective remains unchanged: they want to get their code to run, and they want it to be able to run with enough privileges that they can execute their malicious intent.
Successful mitigation approaches
A beacon of light for defenders is that the fundamental ways to mitigate security risks posed by Microsoft vulnerabilities have remained constant for well over a decade.
Organisations who successfully implement proactive and preventative security controls will continue to be well-placed in an Azure-based world.
In particular, organisations should implement vulnerability management and patch against vulnerabilities as soon as practicable, ensure their operating systems and third-party software are up to date, secure remote access pathways, and stay vigilant against threats.
Additionally, successful organisations enforce least privilege, for example by removing local admin rights on endpoints and following least-privilege practices in the cloud. Without admin rights or excess privilege, many of the risks of a vulnerability being exploited are mitigated even if it remains unpatched. Removal of admin rights on Windows has historically mitigated 75% of Microsoft’s critical vulnerabilities, and, as a core part of zero trust security models, it can also break the attack chain at multiple points.