38 Followers
411 Following
487 Posts
In other news, Infosec.exchange dropped over 2000 monthly active users in the past 60 days. SELL SELL SELL
#infosec hero Window Snyder finally gets the profile she deserves. https://techcrunch.com/2023/08/04/window-snyder-cybersecurity-trailblazer/

I updated my post to report that Microsoft says the fix for the critical Azure AD vulnerability has finally been completed, almost 5 months after being informed of it. In true Microsoft fashion, Microsoft didn't communicate the complete fix to Tenable. "Toxic culture of obfuscation" indeed.

https://arstechnica.com/security/2023/08/microsoft-cloud-security-blasted-for-its-culture-of-toxic-obfuscation/

Microsoft comes under blistering criticism for “grossly irresponsible” security

Azure looks like a house of cards collapsing under the weight of exploits and vulnerabilities.


One thing I’ve noticed is Mandiant now assign their own CVE-like numbers to cloud provider vulnerabilities like this.

There really needs to be a proper, commonly agreed-upon system like CVE for this (not run by Google). I know there are attempts at this; I hope they take off.

The illusion the cloud is magically secure is just that; an illusion. At the minute cloud providers are hiding behind lack of regulation, lack of transparency & deliberate subterfuge to protect shareholders. It’s not great.

The CEO of Tenable just ripped Microsoft a new one. It's bad enough that cloud vulnerabilities rarely get CVEs or any kind of external documentation.

"Microsoft’s lack of transparency applies to breaches, irresponsible security practices and to vulnerabilities, all of which expose their customers to risks they are deliberately kept in the dark about.

In March 2023, a member of Tenable’s Research team was investigating Microsoft’s Azure platform and related services. The researcher discovered an issue (detailed here) which would enable an unauthenticated attacker to access cross-tenant applications and sensitive data, such as authentication secrets. To give you an idea of how bad this is, our team very quickly discovered authentication secrets to a bank. They were so concerned about the seriousness and the ethics of the issue that we immediately notified Microsoft.
Did Microsoft quickly fix the issue that could effectively lead to the breach of multiple customers' networks and services? Of course not. They took more than 90 days to implement a partial fix – and only for new applications loaded in the service.

That means that as of today, the bank I referenced above is still vulnerable, more than 120 days since we reported the issue, as are all of the other organizations that had launched the service prior to the fix. And, to the best of our knowledge, they still have no idea they are at risk and therefore can’t make an informed decision about compensating controls and other risk mitigating actions. Microsoft claims that they will fix the issue by the end of September, four months after we notified them. That’s grossly irresponsible, if not blatantly negligent. We know about the issue, Microsoft knows about the issue, and hopefully threat actors don’t. "

https://www.linkedin.com/pulse/microsoftthe-truth-even-worse-than-you-think-amit-yoran%3FtrackingId=hE4qd2mSSwmpSoVPqfWAAw%253D%253D/?trackingId=hE4qd2mSSwmpSoVPqfWAAw%3D%3D

Well, it's been a little while, Tŵters. I've been having my #MentalHealth break from the internet, and it's been amazing. I've read 8 books, and am working on more. I've cooked, I've slept, I've visited friends; I've been resting and recuperating.

I'm feeling much better, and hope to be more active now. I hope you are all well, and that this Monday finds you peaceful and happy. x

“…we got a letter from Elon Musk’s X. Corp threatening CCDH with legal action over our work, exposing the proliferation of hate and lies on Twitter since he became the owner.” https://counterhate.com/blog/letters-from-the-lawyers-musk-threatens-ccdh-with-brazen-attempt-to-silence-honest-criticism/
Letters from the lawyers: Musk threatens CCDH with brazen attempt to silence honest criticism. — Center for Countering Digital Hate | CCDH

Elon Musk’s lawyers are threatening the Center for Countering Digital Hate with legal action for exposing Twitter’s failure to tackle hate speech. Here’s CCDH’s response.

If you're still using Chrome for performance reasons:
- Firefox is now faster than Chrome out-of-the-box
- Firefox uses less memory than Chrome
- Unlike Chrome, Firefox does not restrict ad blockers, which will make your browsing experience much faster (and safer).