Microsoft warns thousands of Azure cloud customers about exposed databases

New Delhi: Microsoft on Thursday warned thousands of its cloud computing customers, including some of the world’s largest companies, that intruders could have the ability to read, change or even delete its main database, according to a copy of the email. . Cyber ​​security researcher.

The vulnerability is in Microsoft Azure’s flagship Cosmos DB database. A research team from security company Viz found that it was able to access the keys that control access to databases held by thousands of companies. Wiz’s Chief Technology Officer Ami Lutwak is the former Chief Technology Officer at Microsoft’s Cloud Security Group.

Since Microsoft can’t change those keys itself, it emailed customers on Thursday asking them to make new ones. Microsoft agreed to pay Wiz $40,000 to find and report the defect, according to an email sent to Wiz.

“We immediately fixed this issue to keep our customers safe and secure. We thank the security researchers for working under a coordinated vulnerability disclosure,” Microsoft told Reuters.

Microsoft’s email to customers said there was no evidence that the flaw was exploited. “We have no indication that external entities outside the researcher (vis) had access to the primary read-write key,” the email said.

“It’s the worst cloud vulnerability you can imagine. It’s a long-standing mystery,” Lutvak told Reuters. “It’s Azure’s central database, and we’re unable to access any customer database.” were able to do what we wanted.”

Lutvak’s team discovered the problem, called ChaosDB, on August 9 and reported it to Microsoft on August 12, Lutvak said.

The flaw was in a visualization tool called Jupyter Notebook, which has been available for years but was enabled by default in Cosmos starting in February. After the defect was reported by Reuters, Viz detailed the issue in a blog post.

Lutvak said customers who have not been notified by Microsoft could also have their keys swiped by the attackers, as long as those keys were not changed. Microsoft only told customers whose keys were visible this month while Wiz was working on the issue.

Microsoft told Reuters that “customers who have been affected have received a notification from us,” without elaborating.

The revelation comes after months of bad security news for Microsoft. The company was breached by the same suspected Russian government hackers who had infiltrated SolarWinds, who stole Microsoft source code. A large number of hackers broke into Exchange email servers while a patch was being developed.

A recent fix had to be redoed over and over again for a printer flaw that allowed computer takeover. Another exchange flaw last week prompted an urgent US government warning requiring customers to install a patch released months ago because ransomware gangs are now taking advantage of it.

The problems with Azure are particularly troubling, as Microsoft and external security experts are pushing companies to abandon much of their own infrastructure and rely on the cloud for greater security.

But although cloud attacks are more rare, they can be more devastating when they do occur. What’s more, some are never publicized. Read also: Sensex breaks 95 points in early trade; Nifty 16,600. been around

A federally contracted research laboratory tracks all known security flaws in the software and rates them seriously. But there is no uniform system for holes in cloud architecture, so many critical vulnerabilities remain unnoticed to users, Lutvak said. Read also: iPhone 13 series can be launched on September 14, know pre-booking date and other information

Back to top button