Microsoft warned thousands of its customers about this major risk.

 


Security firm Wiz found that Microsoft Azure's flagship Cosmos DB database was vulnerable to unauthorized access. Its researchers had been able to access keys that controlled access to databases held by thousands of companies.

The company warned thousands of its cloud computing customers, including some of the largest companies on earth, that unauthorized users might be able to read, edit or even delete their main databases, according to the email and a cyber security researcher.


 

Wiz's Chief Technology Officer, Ami Luttwak, is a former CTO at Microsoft's Cloud Security Group.

The email instructed customers to reset their keys, since Microsoft cannot change them on its own. According to an email Microsoft sent to Wiz, it took Wiz four days to find the flaw and report it. Microsoft agreed to pay Wiz $40,000 in compensation for finding the flaw and reporting it.

In a statement to Reuters, Microsoft said: "We fixed this issue immediately to keep our customers safe. We thank the security researchers who worked under coordinated vulnerability disclosure."

According to Microsoft's email to customers, there was no evidence the flaw had been exploited. "We don't believe external entities outside the researcher (Wiz) have access to the primary read-write key," it stated.


 

The flaw, Luttwak told Reuters, is the worst cloud vulnerability that anyone could imagine. It is a secret that has lasted a long time. The centralized database of Azure was compromised. "We were able to gain access to any customer database we desired."

According to Luttwak, his team discovered the problem on Aug. 9 and notified Microsoft on Aug. 12.

The weakness was found in Jupyter Notebook, a visualisation tool that has been available for years but was only enabled by default in Cosmos in February. Wiz highlighted the problem in a blog post after Reuters reported on it.

Even customers who have not been contacted by Microsoft may have had their keys swiped by attackers, giving those attackers access until the keys are changed, according to Luttwak. Microsoft only informed customers whose keys were visible this month, while Wiz was working on the problem.

"Customers who may have been impacted received a notice from us," Microsoft told Reuters, without going into further detail.


 

Microsoft has been plagued by negative security news for months. The firm was breached by the same alleged Russian government hackers who hacked SolarWinds and stole Microsoft source code. Then, while a fix was being prepared, a large number of hackers broke into Exchange email servers.

A recent patch for a printer vulnerability that permitted computer takeovers had to be redone many times. Another Exchange weakness was discovered last week, prompting the US government to issue an urgent warning that customers must install updates provided months ago because ransomware gangs are already abusing it.


 

Problems with Azure are especially concerning because Microsoft and other security experts have been urging businesses to ditch much of their on-premises infrastructure in favour of relying on the cloud for increased protection.

Cloud attacks are rarer, but they can be more catastrophic when they occur. Furthermore, some are never made public.

All known security weaknesses in software are tracked and rated by a federally contracted research group. However, because there is no similar system for tracking flaws in cloud architecture, many important vulnerabilities remain unknown to users, according to Luttwak.


IQ Curator

Hi I am Tushar, I write about those topics which will take you to the places where you will feel a sense of relaxation and peace.
