Trend Micro discloses 'silent threat' flaws in Azure ML

LAS VEGAS -- Trend Micro unveiled several "silent threat" vulnerabilities in Azure Machine Learning during a session at Black Hat USA 2023 Thursday.

The session, "Uncovering Azure's Silent Threats: A Journey into Cloud Vulnerabilities," covered flaws found in Azure ML, the cloud platform's managed machine learning as a service (MLaaS) product. Trend Micro's findings include two classes of vulnerability: insecure logging of sensitive information and sensitive information disclosure.

In the case of the former, Trend Micro researchers found "five instances of credentials leaking in cleartext on Compute Instances due to insecure usage of open-source components and insecure system design of how the environment was being provisioned," according to the Black Hat session description.

In the second category, researchers discovered an instance of cloud middleware leaking sensitive data from Azure Compute instances via exposed APIs. Trend Micro explained that threat actors could exploit such a vulnerability after gaining initial access to move laterally inside an environment.

Trend Micro senior threat researcher Nitesh Surana, who led the session, told TechTarget Editorial that the goal was to focus on more traditional vulnerabilities that are often hidden in cloud services and are distinct from the higher-criticality cross-tenant bugs organizations more commonly focus on. Moreover, he emphasized that issues like these can exist in other cloud platforms and services as well.

Other session participants included Trend Micro information security specialist Magno Logan and Trend Micro vulnerability and cloud threat researcher David Fiser.

Surana said Trend Micro actually uncovered three classes of vulnerability, but the third class, which was reported to Microsoft in April, had not been definitively fixed yet. And because researchers followed the 120-day disclosure of bugs previously established by Trend Micro's Zero Day Initiative, they decided to drop the third category on the last day of recording for the session, which was presented virtually.

"The third bug class allowed for achieving persistence in Azure Machine Learning environments," Surana told TechTarget Editorial. "One could fetch credentials and tokens from non-Azure environments by generating some logs, which wouldn't be very differentiable from legitimate activity."

Surana said the flaws that were fixed had been patched silently by Microsoft. After Trend Micro reported these issues, he said, researchers had difficulty obtaining information from Microsoft regarding how and when issues were fixed. However, when several reports were closed as "by design," meaning it reflects a built-in feature rather than a bug, Surana said Trend Micro did receive clear feedback explaining why.

A Microsoft spokesperson shared a statement with TechTarget Editorial: "We appreciate the work of ZDI-Trend Micro in identifying and responsibly reporting these vulnerabilities through a coordinated vulnerability disclosure," the spokesperson said. "We have taken steps to protect our customers, and no customer action is needed."

Silent patching of cloud vulnerabilities has been an ongoing issue for infosec researchers, who complain that major cloud providers are failing to properly address and disclose significant bugs in their platforms and services. Microsoft has faced growing criticism from cybersecurity vendors and researchers in recent years: In June 2022, Tenable CEO Amit Yoran slammed the software giant for downplaying and silently patching critical flaws in Azure. And earlier this month, Yoran called out Microsoft again for similar behavior regarding a critical issue in Microsoft Power Platform.

The key takeaway of the session, Surana explained, is that as companies engage cloud-based MLaaS offerings, they should be aware of each platform's underlying security posture. He said end-user organizations should follow defense in depth practices, which will help reduce issues if, for example, a storage account access key is logged in clear text and uploaded to GitHub. If credentials are leaked but the storage account is behind a virtual network, this will mitigate a threat actor's ability to use said credentials.

"This talk is specifically focused on one particular service, but the same principles can be applied to other services as well," Surana said. "It's not a question of if a vulnerability like this gets exploited, but when. You cannot sit on top of a bug if it exists in your environment. You need to do something about it."

Alexander Culafi is an information security news writer, journalist and podcaster based in Boston.