Researchers who found a major weakness in the flagship database service of Microsoft Corp’s Azure cloud platform said on Saturday that all users, not just the 3,300 alerted this week, should change their digital access credentials.
According to Reuters, researchers at Wiz, a cloud security startup, found last month that they could have obtained the primary digital keys of most users of the Cosmos DB database system, which would have allowed them to steal, modify, or destroy millions of records.
After being alerted by Wiz, Microsoft quickly corrected the configuration error that would have let any Cosmos user easily access other customers’ databases, then informed selected users on Thursday to replace their keys.
In a blog post on Friday, Microsoft said it had alerted users who had set up Cosmos access during the weeklong research period. It found no indication that any attackers had used the same flaw to gain access to customer data.
“Our analysis reveals no illegal access other than the researcher activity,” Microsoft said. “Notifications have been given to any customers who may have been affected as a result of researcher activity,” it stated, possibly alluding to the chance that the method had leaked from Wiz.
“Although no customer data was accessed,” it stated, “it is advised that you renew your primary read-write keys.”
In a bulletin issued Friday, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency used stronger wording, emphasizing that it was addressing everyone, not just those who had been warned.
According to CISA, “Azure Cosmos DB clients are strongly encouraged to roll and regenerate their certificate key.”
Experts at Wiz, which was founded by four veterans of Azure’s in-house security team, agreed.
“In my opinion, it’s extremely difficult, if not impossible, for them to fully rule out that someone utilized this before,” one of the four, Wiz Chief Technology Officer Ami Luttwak, said. He worked at Microsoft, where he created tools for tracking cloud security events.
Asked whether it had complete logs for the two years during which the Jupyter Notebook feature was misconfigured, or had used another method to rule out misuse of the access, Microsoft did not respond directly.
“We broadened our search beyond the researcher’s actions to check for any potential activity for current and comparable occurrences in the past,” spokesperson Ross Richendrfer said, declining to answer further questions.
Wiz said that Microsoft collaborated closely with it on the research but did not explain how it could be certain that earlier customers were safe.
“It’s frightening. I sincerely hope that no one else discovered this bug,” said Sagi Tzadik, one of the principal researchers on the project at Wiz.