Thursday, May 26, 2022

Slide Slide
Home Cloud Cloud: Microsoft warns its customers of exposed databases

Cloud: Microsoft warns its customers of exposed databases

Problems with Azure are especially troubling, because Microsoft and outside security experts have been pushing companies to abandon most of their own infrastructure and rely on the cloud for more security

Including some of the world’s largest companies, Microsoft on Thursday warned thousands of its cloud computing customers that intruders could have the ability to read, change or even delete their main databases, according to a copy of the email and a cyber- security researcher.

The vulnerability is in Microsoft Azure’s flagship Cosmos DB database. A research team at security company Wiz discovered it was able to access keys that control access to databases held by thousands of companies. Ami Luttwak, Chief Technology Officer of Wiz is a former chief technology officer at Microsoft’s Cloud Security Group.

Microsoft emailed cloud computing customers Thursday telling them to create new ones, as it cannot change those keys by itself. For finding the flaw and reporting it, Microsoft agreed to pay Wiz $40,000, according to an email it sent to Wiz.

“We fixed this issue immediately to keep our customers safe and protected. We thank the security researchers for working under coordinated vulnerability disclosure”, Microsoft told Reuters.

Microsoft’s email to customers said there was no evidence the flaw had been exploited. “We have no indication that external entities outside the researcher (Wiz) had access to the primary read-write key”, the email said.

“This is the worst cloud vulnerability you can imagine. It is a long-lasting secret”, Luttwak told Reuters. “This is the central database of Azure, and we were able to get access to any customer database that we wanted”.

Luttwak’s team found the problem, dubbed ChaosDB, on 9 August and notified Microsoft 12 August, Luttwak said.

Available for years but was enabled by default in Cosmos beginning in February, the flaw was in a visualization tool called Jupyter Notebook. Wiz detailed the issue in a blog post after Reuters reported on the flaw.

Luttwak said even customers who have not been notified by Microsoft could have had their keys swiped by attackers, giving them access until those keys are changed. Microsoft only told customers whose keys were visible this month, when Wiz was working on the issue.

Microsoft told Reuters that “customers who may have been impacted received a notification from us”, without elaborating.

The disclosure comes after months of bad security news for Microsoft. The company was breached by the same suspected Russian government hackers that infiltrated SolarWinds, who stole Microsoft source code. Then a wide number of hackers broke into Exchange email servers while a patch was being developed.

A recent fix for a printer flaw that allowed computer takeovers had to be redone repeatedly. Another Exchange flaw last week prompted an urgent U.S. government warning that customers need to install patches issued months ago because ransom-ware gangs are now exploiting it.

Problems with Azure are especially troubling, because Microsoft and outside security experts have been pushing companies to abandon most of their own infrastructure and rely on the cloud for more security.

But though cloud attacks are rarer, they can be more devastating when they occur. What’s more, some are never publicized.

A federally contracted research lab tracks all known security flaws in software and rates them by severity. But there is no equivalent system for holes in cloud architecture, so many critical vulnerabilities remain undisclosed to users, Luttwak said.

Also readCIO News interviews Shri Wangki Lowang, Minister (IT) of Arunachal Pradesh

Do FollowCIO News LinkedIn Account | CIO News Facebook | CIO News Youtube | CIO News Twitter

About us:

CIO News, a proprietary of Mercadeo, produces award-winning content and resources for IT leaders across any industry through print articles and recorded video interviews on topics in the technology sector such as Digital Transformation, Artificial Intelligence (AI), Machine Learning (ML), Cloud, Robotics, Cyber-security, Data, Analytics, SOC, SASE, among other technology topics.

CIO News also covers the professional journeys of CIOs across all industries through print articles.

khushbu
Khushbu Sonihttps://www.cionews.co.in
Chief Editor - CIO News | Founder & CEO - Mercadeo

LEAVE A REPLY

Please enter your comment!
Please enter your name here

- Advertisment -1x1 banner1x1 banner1x1 banner1x1 banner

Most Popular

Schools and colleges must start building a technologically inclined foundation for students, says Manoj Madhavan, CIO at Blue Dart Express Limited

To anyone looking to begin their careers in information technology or any of its sister streams, my only insight on this front is: opportunities...

Indian Public Cloud market to reach $13.5bn by 2026

To automate processes and drive innovation with public cloud as the foundation, the increased spend is expected to continue as enterprises invest in emerging...

WSO2 Completes $93 Million Series E Growth Funding Round with the Investment from Info Edge

Info Edge, which joins lead investor Goldman Sachs Asset Management in the Series E, provides a strategic contribution to WSO2’s accelerated business expansion across...

I recommend technology leaders to experiment with technology best practises, says Vimal Mani, Head of Information Security, Privacy & IT GRC Programs (CISO &...

A business that needs to transform may use new technologies and knowledge of their customers to devise new products, but real digital transformation means...

Recent Comments