Microsoft on Thursday confirmed that security researchers gained access to the accounts and databases of several thousand Microsoft Azure customers, including many Fortune 500 companies such as ExxonMobil and Coca-Cola.
What made this breach significant was that it was not caused by a customer misconfiguration. In this case, the provider – Microsoft Azure – was at fault.
Israel-based white-hat security researchers at Wiz informed Microsoft of the issue on August 12, and in a statement Microsoft said it resolved the issue immediately.
“We fixed this issue immediately to keep our customers safe and protected,” a Microsoft spokesperson said in a statement to SC Media, noting that there is no evidence of this technique being exploited by malicious actors, that the company is not aware of any customer data being accessed because of this vulnerability, and that customers who may have been impacted received a notification from Microsoft.
“We thank the security researchers for working under Coordinated Vulnerability Disclosure,” the spokesperson added.
According to the researchers, the breach hit Azure’s flagship database, Cosmos DB. Wiz researchers said Cosmos DB, a simple and flexible way for developers to store data, runs critical business functions such as processing millions of prescription transactions or managing customer order flows on e-commerce sites.
The researchers found a series of vulnerabilities in a Cosmos DB feature that together created a loophole letting any user download, delete or manipulate a massive collection of commercial databases, as well as gain read/write access to the underlying architecture of Cosmos DB. Wiz named the vulnerability ChaosDB.
Wiz customer Jim Routh, chief information security officer at MassMutual, who previously led security teams at Aetna and JPMorgan Chase, said the DevOps evolution has shifted how software gets developed.
“With this comes a fundamental change in accountability for configuring and automating the build process to enhance resiliency for the entire attack surface including data stores that burdens DevOps teams,” Routh said. “This discovery clearly confirms the need for enterprises to improve DevOps configuration management processes with data protection capabilities.”
In doing the research, Wiz said a series of misconfigurations in the notebook feature opened up a new attack vector they were able to exploit. Essentially, the notebook container allowed a privilege escalation into other customers’ notebooks. This meant that attackers could obtain a customer’s Cosmos DB primary keys, and the primary keys grant full read/write/delete access to that customer’s data.
To reduce risk and block future attacks, Microsoft told Azure customers to regenerate any Cosmos DB primary keys that could potentially have been stolen before Microsoft disabled the vulnerable feature.
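Microsoft’s remediation advice amounts to a key-rotation procedure, and the order in which the keys are regenerated matters: regenerating the possibly exposed primary key first would lock out every client still using it. The script below is an added illustration of that procedure, not part of the article and not Microsoft or Wiz tooling. It drives the Azure CLI’s `az cosmosdb keys regenerate` command (the account name and resource group on the command line are placeholders you supply); the `AZ_CMD` override and the `switch_clients_hook` function are assumptions of this script so that it can be dry-run without an Azure subscription.

```shell
#!/bin/sh
# Added example (not from the article, Microsoft, or Wiz): rotate the
# account keys of a Cosmos DB account with the Azure CLI in an order that
# retires a possibly leaked primary key without breaking running clients.
set -eu

# AZ_CMD points at the real Azure CLI by default; set it to a stub command
# (e.g. AZ_CMD=echo) to dry-run the sequence. This variable is an
# assumption of this script, not an Azure CLI feature.
AZ_CMD="${AZ_CMD:-az}"

# regenerate_key KIND ACCOUNT RESOURCE_GROUP
# KIND is one of the four key kinds the Azure CLI accepts.
regenerate_key() {
    kind="$1"; account="$2"; rg="$3"
    case "$kind" in
        primary|secondary|primaryReadonly|secondaryReadonly) ;;
        *) echo "regenerate_key: unknown key kind '$kind'" >&2; return 2 ;;
    esac
    "$AZ_CMD" cosmosdb keys regenerate \
        --name "$account" --resource-group "$rg" --key-kind "$kind"
}

# switch_clients_hook ACCOUNT KIND
# Placeholder for whatever re-points your applications at the named key
# (updating a Key Vault secret, redeploying, etc.). Override it before
# calling rotate_account; by default it only records that the step is due.
switch_clients_hook() {
    echo "STEP: move clients of '$1' to the new $2 key before continuing" >&2
}

# rotate_account ACCOUNT RESOURCE_GROUP
#   1. regenerate the secondary key (nothing should be using it yet),
#   2. move applications onto the fresh secondary key,
#   3. regenerate the possibly exposed primary key,
#   4. do the same for the read-only key pair, which is a separate credential.
rotate_account() {
    account="$1"; rg="$2"
    regenerate_key secondary "$account" "$rg"
    switch_clients_hook "$account" secondary
    regenerate_key primary "$account" "$rg"
    regenerate_key secondaryReadonly "$account" "$rg"
    switch_clients_hook "$account" secondaryReadonly
    regenerate_key primaryReadonly "$account" "$rg"
}

# Usage: ./rotate_cosmos_keys.sh <account-name> <resource-group>
if [ "$#" -eq 2 ]; then
    rotate_account "$1" "$2"
fi
```

After a rotation, `az cosmosdb keys list --name <account> --resource-group <rg> --type keys` shows the new values; anything still presenting an old key will start failing, which is the observable proof that the stolen credential no longer works.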
“This case serves as the latest example of the challenges facing even the largest technology giants in safeguarding user information,” said Pravin Kothari, senior vice president of SASE Products at Lookout. Kothari added that businesses should now recognize that weaknesses exist even in the cloud providers themselves.
“As more businesses migrate to the cloud and employees rely on mobile devices, the crown jewels of sensitive personal and corporate data are getting more difficult to monitor and protect,” Kothari said. “Businesses simply do not have visibility and control over who is accessing their information, when and how. Criminals are also finding it far easier to target the cloud to access and steal boatloads of information.”
Yaniv Bar-Dayan, co-founder and CEO at Vulcan Cyber, said he first assumed this was another case of cloud user error because some 95% of cloud misconfigurations are caused by users.
“I was surprised to see it was a cloud service provider misconfiguration error,” Bar-Dayan said. That said, “it was no surprise to see how Wiz and Microsoft both acted quickly and responsibly.”