A British tech researcher, who quit working as a security threat analyst with Microsoft a few months back, has called on his former employer to act speedily to remove links to ransomware on its Office365 platform.
In a tweet sent on Friday, Beaumont said: “Microsoft cannot advertise themselves as the security leader with 8000 security employees and trillions of signals if they cannot prevent their own Office365 platform being directly used to launch Conti ransomware. OneDrive abuse has been going on for years. Fix it.”
He was responding to a tweet from an infosec professional using the handle TheAnalyst, who wrote: “You all have read how #BazarLoader #BazaLoader leads to #ransomware, in particular #conti that doesn’t care that they target healthcare etc?
You all have read how #BazarLoader #BazaLoader leads to #ransomware, in particular #conti that doesn’t care that they target healthcare etc? Does @Microsoft have any responsibility in this when they KNOWINGLY are hosting hundreds of files leading to this, now for over three days? https://t.co/UxTDYVIXJF pic.twitter.com/uHUxzHRV8W
— TheAnalyst (@ffforward) October 15, 2021
“Does @Microsoft have any responsibility in this when they KNOWINGLY are hosting hundreds of files leading to this, now for over three days?”
According to the security firm Palo Alto Networks, “BazarLoader (sometimes referred to as BazaLoader) is malware that provides backdoor access to an infected Windows host. After a client is infected, criminals use this backdoor access to send follow-up malware, scan the environment and exploit other vulnerable hosts on the network.”
An overwhelming majority of ransomware attacks only Windows, with an analysis by staff of the Google-owned VirusTotal database last Thursday showing that 95% of 80 million samples analysed — all the way back to January 2020 — were aimed at Windows.
VirusTotal is a site where security researchers can submit any ransomware they find and have it scanned by anti-virus engines to see if it can be identified.
Beaumont said in another tweet: “Before the train of MS employees arrive saying ‘just report it’, try getting them and future ones taken down yourselves. I did. It was a disaster.
Before the train of MS employees arrive saying ‘just report it’, try getting them and future ones taken down yourselves. I did. It was a disaster.
Check out Microsoft’s average reaction time (to abuse reports). They’re world’s best malware hoster for about a decade, due to O365. pic.twitter.com/95Riv0kmDg
— Kevin Beaumont (@GossiTheDog) October 15, 2021
“Check out Microsoft’s average reaction time (to abuse reports). They’re world’s best malware hoster for about a decade, due to O365.”
And he added: “Amusingly MS consume your API and use it to block things on your lists in their security products (I was on the team doing it), but nobody wants to clean up the network. So get screwed, non-E5.”
Beaumont, who has a well-earned reputation as a researcher who is quick to admit faults in his own industry, acknowledged that other technology companies also played a big role in hosting malware.
Quoting a tweet from a Swiss researcher [given below], he said: “And yes, it’s not just Microsoft. Tech companies have got to do better.”
Beaumont said: “There’s somebody in the replies from Microsoft saying when things are detected by Defender, they’re automatically taken down in OneDrive.
“That’s categorically not true, that functionality isn’t there. Microsoft need to have a long, hard look at this problem.”
There you go. Let’s see how long it takes for MS to get those 867 malware sites taken down. I’m crossing my fingers ?
For the record, the oldest active malware site with an age of 19 months is hosted on Sharepoint and serving GuLoader:
— abuse.ch (@abuse_ch) October 16, 2021
He said Bazarloader had moved from Google Drive to OneDrive. “Their content used be taken down from Google Drive almost instantly because, we, Microsoft, reported it to Google. It is still online, days later, on OneDrive despite being reported, because Microsoft is fumbling it. Fix it.”
Asked by Lee Holmes, the principal security architect for Azure Security, whether he had reported this to Microsoft, Beaumont said the Swiss researcher had done so.
“@abuse_ch does, when I worked at MS I also reported them but usually they didn’t get actioned,” he responded.
“I had to do things list send to CERT, get nowhere, send to DSRE, get nowhere, cc in managers etc. O365 has https://abuse.ch takedowns pending for months.”
Beaumont said Microsoft’s attitude towards the presence of malware on its Office365 platform had “been like that for years”.
“@abuse_ch used to message me O365 misuse while I worked at MS, even working there it was a struggle to find people who could remedy issues,” he added.
Had a support case recently where I was trying to request they take down malicious one note. Spent ages trying to tell me how to block an email. ?♂️
— Robert Pearman (@titlerequired) October 15, 2021
Holmes then defended Microsoft, saying: “I was involved in the abuse reporting pipeline for Azure Storage, and can tell you that almost 100% of the Twitter threads calling out malicious content had never reported those URLs to Microsoft. MS does actively seek out malicious URLs as well, but no system has 100% visibility.”
To which @abuse_ch responded: “I have applied for access for their anti abuse API 2y ago, never got a response. Managers ask me to fill out forms for reporting abuse (seriously?). There is no way to signal phishing sites to MS SmartScreen. Yes, this is 2021!”
Holmes then provided an URL for what he said was access to the API in question, and said: “If that fell into a black hole, then let’s get that fixed 🙂 There is API access so that you don’t have to do anything manually.”
@abuse_ch replied; “There you go. Let’s see how long it takes for MS to get those 867 malware sites taken down. I’m crossing my fingers Crossed fingers. For the record, the oldest active malware site with an age of 19 months is hosted on Sharepoint and serving GuLoader”.
INTRODUCING ITWIRE TV
iTWire TV offers a unique value to the Tech Sector by providing a range of video interviews, news, views and reviews, and also provides the opportunity for vendors to promote your company and your marketing messages.
We work with you to develop the message and conduct the interview or product review in a safe and collaborative way. Unlike other Tech YouTube channels, we create a story around your message and post that on the homepage of ITWire, linking to your message.
In addition, your interview post message can be displayed in up to 7 different post displays on our the iTWire.com site to drive traffic and readers to your video content and downloads. This can be a significant Lead Generation opportunity for your business.
We also provide 3 videos in one recording/sitting if you require so that you have a series of videos to promote to your customers. Your sales team can add your emails to sales collateral and to the footer of their sales and marketing emails.
See the latest in Tech News, Views, Interviews, Reviews, Product Promos and Events. Plus funny videos from our readers and customers.