Cybersecurity: Better together
The unfortunate reality in cybersecurity is that we often respond to cyberattacks after they’ve occurred or while they’re ongoing. But recently, I had the opportunity to work with our partners to neutralize a serious security threat that had the potential to affect Microsoft Azure users before an attack might occur. Our security testing partner, NetSPI first noticed the problem within Azure. NetSPI alerted Allscripts to the potential security issue and worked with us to identify the root cause. What we found was troubling.
Essentially, a user with read-only access could have had the ability to run a series of commands to potentially expose Automation “Run-As” credentials for App Registrations in Azure. The credentials could then be used to log in as the App Registration, which typically has higher-level management access and privileges within the system. This type of attack, known as a “privilege escalation attack,” gives bad actors the opportunity to access sensitive data with minimum login credentials. This bug could have been exploited in multiple Azure sites around the world.
As one might expect, Microsoft receives hundreds (if not thousands) of tickets claiming to have found a security threat. Through our strong partnership with Microsoft, Allscripts quickly escalated this issue. On our end, our teams were able to mitigate the issue for our clients by “hiding” the private key information—within eight hours of being notified by NetSPI. Microsoft has since resolved the issue entirely by implementing a global patch on the back end of Azure.
At this time, the incident is considered an “unpublicized vulnerability.” In other words, no one was aware of the issue before it was reported by Allscripts and NetSPI, and no Allscripts clients were exploited by the vulnerability before it was patched.
For me, the events of the last few months have highlighted the importance of having strong cybersecurity partners. While an organization could host Azure on their own, they would miss the benefits of having trustworthy partners such as NetSPI and go without our direct line of communication with Microsoft. The world of cybersecurity is complex, ever-evolving and dangerous to navigate alone. No cybersecurity team is infallible but working with trusted partners can create invaluable opportunities to make the cyber space a safer place.