Dive Brief:
- Microsoft is urging its Azure customers to take mitigation steps to close a vulnerability in the company's flagship Cosmos DB service that was identified by security researchers. The security gap exposed sensitive database information belonging to thousands of companies, including many in the Fortune 500.
- Researchers at Wiz, a cloud security startup, found a chain of flaws that allowed unfettered access to the accounts and databases of several thousand Azure customers, according to a blog post by the firm. The misconfigurations could allow an attacker to download, manipulate or delete information in the databases, or gain read/write access to the underlying architecture of the Cosmos DB service.
- Microsoft notified more than 3,300 Azure customers about the misconfiguration. The Cybersecurity and Infrastructure Security Agency (CISA) urged customers to roll and regenerate their Cosmos DB primary read-write keys and to read further guidance from Microsoft.
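The guidance above boils down to one operation: regenerate the account keys so that any value an attacker may already hold stops working. Regenerating the primary key while applications are still using it takes them down, so the usual order is to regenerate the secondary key first, move applications onto it, and only then regenerate the primary. The script below is an added example of that rotation with the Azure CLI; it is not Microsoft's or Wiz's code. It assumes a logged-in `az` CLI, placeholder account and resource-group names, and that the caller supplies a hook (or pauses) to redeploy applications between the two regenerate steps.

```bash
#!/usr/bin/env bash
# Zero-downtime rotation of Azure Cosmos DB account keys with the Azure CLI.
# Added example (not Microsoft's or Wiz's code). Assumptions: `az` is
# installed and logged in; account and resource-group names are placeholders;
# the redeploy hook is whatever pushes the new secondary key to your apps.
set -euo pipefail

# The CLI binary; set AZ=echo to dry-run and see the commands that would run.
AZ="${AZ:-az}"

# Regenerate one key kind. Cosmos DB exposes four:
#   primary / secondary             -> full read-write keys (the ones at issue)
#   primaryReadonly / secondaryReadonly -> read-only keys
regenerate_key() {
  local account="$1" rg="$2" kind="$3"
  case "$kind" in
    primary|secondary|primaryReadonly|secondaryReadonly) ;;
    *) echo "unknown key kind: $kind" >&2; return 1 ;;
  esac
  "$AZ" cosmosdb keys regenerate \
    --name "$account" --resource-group "$rg" --key-kind "$kind"
}

# List the current keys (useful before and after rotation).
show_keys() {
  local account="$1" rg="$2"
  "$AZ" cosmosdb keys list --name "$account" --resource-group "$rg" \
    --type keys --output table
}

# Rotate both read-write keys without an outage:
#   1. regenerate the secondary key (applications should not be using it yet),
#   2. run the hook that redeploys applications with the new secondary key,
#   3. regenerate the primary key, invalidating whatever value leaked.
# Third argument: a command to run between the steps (defaults to a no-op).
rotate_read_write_keys() {
  local account="$1" rg="$2" hook="${3:-true}"
  regenerate_key "$account" "$rg" secondary
  "$hook"
  regenerate_key "$account" "$rg" primary
}

# Usage: ./rotate-cosmos-keys.sh <account> <resource-group>
if [ $# -eq 2 ]; then
  rotate_read_write_keys "$1" "$2"
  show_keys "$1" "$2"
fi
```

Run it once with `AZ=echo` to confirm the commands and their order before letting it touch a real account. If the read-only keys could also have been exposed, call `regenerate_key` with `secondaryReadonly` and then `primaryReadonly` in the same fashion; applications still holding the old values will start failing with authorization errors, which is the intended effect.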
Dive Insight:
Wiz researchers say the flaw dates back to 2019, when Microsoft added a Jupyter Notebook feature to Cosmos DB that lets customers visualize their data and build customized views of it. In February, the feature was turned on by default, and a chain of misconfigurations allowed the researchers to escalate privileges from the notebook environment and obtain other customers' Cosmos DB primary keys.
A primary key grants full read-write access to the account, so an attacker holding one could read, write and delete that customer's data directly over the internet.
Wiz researchers first exploited the bug on Aug. 9 and notified Microsoft on Aug. 12. Microsoft disabled the vulnerable notebook feature by Aug. 14.
"Microsoft is one of the top three public cloud providers, and this is an unprecedented vulnerability in terms of scale and potential impact — it would be catastrophic if exploited," Ami Luttwak, co-founder and CTO at Wiz, said via email. "Imagine hackers being able to download databases from some of the world's biggest businesses, containing millions of sensitive records."
Microsoft officials said there was no evidence of this technique being exploited by malicious actors and the company was not aware of any customer data being accessed because of the vulnerability.
"We fixed this issue immediately to keep our customers safe and protected," a Microsoft spokesperson said via email. The spokesperson also thanked security researchers for working under the Coordinated Vulnerability Disclosure system.
Industry executives said the incident should serve as a warning about how to properly secure cloud data.
"Microsoft's warning should serve as a wakeup call for organizations relying solely on their cloud provider for security," said Gary Ogasawara, CTO at Cloudian. "They must take matters into their own hands to safeguard their data, most importantly protecting it at the storage layer."
Organizations should encrypt cloud data to prevent cybercriminals from being able to read it or make it public, Ogasawara said. Additionally, immutable backups should be made to prevent cybercriminals from altering or deleting data and allow data to be recovered in case of a ransomware attack.