Skip to main content
close search
site logo
Dive Brief

Azure flaw exposes enterprise databases, raising questions on cloud security

Published Aug. 30, 2021
David Jones's headshot
Reporter
A lit Microsoft log seen above a group of people in shadow.
Jeenah Moon via Getty Images

Dive Brief:

  • Microsoft is urging its Azure customers to take mitigation steps to close a loophole in the company's flagship Cosmos DB service identified by security researchers. The security gap exposed sensitive database information belonging to thousands of companies, including many in the Fortune 500
  • Researchers at Wiz, a cloud security startup, found a series of flaws that allowed unfettered access to the accounts and databases of several thousand Azure customers, according to a blogpost by the firm. The misconfigurations could allow an attacker to download, manipulate or delete information in the databases or gain read/write access to the underlying architecture found in the Cosmos DB service. 
  • Microsoft notified more than 3,300 Azure customers about the misconfiguration. The Cybersecurity and Infrastructure Security Agency (CISA) urged customers to roll and regenerate their certificate keys and read further guidance from Microsoft.

Dive Insight:

Wiz researchers say the flaw dates back to 2019, when Microsoft added a feature called Jupyter Notebook to the Cosmos DB, which allows customers to visualize and create customized views of their data. In February, the feature was automatically turned on by default and a number of misconfigurations allowed researchers to escalate their privileges and gain access to customers' primary keys in Cosmos DB. 

By gaining escalated privileges, an attacker could then get full permission to read, write and delete customer data directly from the internet. 

Wiz researchers first exploited the bug on Aug. 9 and notified Microsoft on Aug. 12. The vulnerable feature was disabled by Aug. 14. 

"Microsoft is one of the top three public cloud providers, and this is an unprecedented vulnerability in terms of scale and potential impact — it would be catastrophic if exploited," Ami Luttwak, co-founder and CTO at Wiz, said via email. "Imagine hackers being able to download databases from some of the world's biggest businesses, containing millions of sensitive records."

Microsoft officials said there was no evidence of this technique being exploited by malicious actors and the company was not aware of any customer data being accessed because of the vulnerability. 

"We fixed this issue immediately to keep our customers safe and protected," a Microsoft spokesperson said via email. The spokesperson also thanked security researchers for working under the Coordinated Vulnerability Disclosure system. 

Industry executives said the incident should serve as a warning about how to properly secure cloud data. 

"Microsoft's warning should serve as a wakeup call for organizations relying solely on their cloud provider for security," Gary Ogasawara, CTO at Cloudian. "They must take matters into their own hands to safeguard their data, most importantly protecting it at the storage layer."

Organizations should encrypt cloud data to prevent cybercriminals from being able to read it or make it public, Ogasawara said. Additionally, immutable backups should be made to prevent cybercriminals from altering or deleting data and allow data to be recovered in case of a ransomware attack. 

Recommended Reading

Editors' picks

Company Announcements

View all | Post a press release
DigiCert Unveils 2025 Security Predictions
From DigiCert
November 21, 2024
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Editors' picks
Latest in Breaches
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell