Thousands of Microsoft cloud customers’ databases exposed

Intruders could read, change or even delete the main databases of thousands of Microsoft's customers, including some of the world's largest companies.
27 August 2021


  • Security company Wiz discovered a vulnerability in Microsoft Azure that allowed it to read, change or delete the databases of thousands of corporate customers
  • The vulnerability is in Microsoft Azure’s flagship Cosmos DB database
  • Microsoft’s email to customers said there was no evidence the flaw had been exploited, but it comes after other recent exploits, including attacks on its Exchange email server software

On Thursday, thousands of Microsoft’s cloud computing customers, including some of the world’s largest companies, were informed that intruders could have been able to read, change or even delete their main databases. According to an email from Microsoft, confirmed by a cybersecurity researcher, the vulnerability was found in Microsoft Azure’s flagship Cosmos DB database.

A research team at security company Wiz discovered it was able to access keys that control access to databases held by thousands of companies, as reported by Reuters. It is fair to note that Wiz Chief Technology Officer Ami Luttwak is a former CTO at Microsoft’s Cloud Security Group.

Microsoft apparently cannot change those keys itself, so it emailed customers on Thursday telling them to create new ones. The report also claimed that Microsoft agreed to pay Wiz US$40,000 for finding and reporting the flaw, per an email sent to Wiz.
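Because the exposed secrets were the account keys themselves, the customer-side remediation the article describes is key regeneration. The script below is an added example written for this page, not code from Microsoft, Wiz or the article; it assumes the Azure CLI (`az`) is installed and logged in to the affected subscription, and the account and resource-group names it takes are placeholders. It regenerates all four Cosmos DB account keys (primary, secondary and both read-only keys), optionally for every account in the subscription, and has a dry-run mode that only prints the commands so the sequence can be reviewed before anything is changed.

```shell
#!/usr/bin/env bash
# Rotate Cosmos DB account keys after a suspected key exposure.
# Added example; assumes the Azure CLI `az` is installed and logged in.
# Account and resource-group names passed in are placeholders.
set -euo pipefail

# DRY_RUN=1 prints the az commands instead of executing them.
DRY_RUN="${DRY_RUN:-0}"

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Regenerate a single key of one account.
# kind is one of: primary, secondary, primaryReadonly, secondaryReadonly
regen_key() {
  local account="$1" rg="$2" kind="$3"
  run az cosmosdb keys regenerate \
    --name "$account" --resource-group "$rg" --key-kind "$kind"
}

# Rotate every key of one account. Secondary keys go first so that, when
# downtime matters, clients can be moved onto the fresh secondary before the
# primary (the one the article says was exposed) is invalidated.
rotate_account_keys() {
  local account="$1" rg="$2" kind
  for kind in secondary secondaryReadonly primary primaryReadonly; do
    regen_key "$account" "$rg" "$kind"
  done
}

# Rotate keys for every Cosmos DB account visible in the current subscription.
rotate_all_accounts() {
  local account rg
  az cosmosdb list --query "[].[name,resourceGroup]" -o tsv |
  while IFS=$'\t' read -r account rg; do
    rotate_account_keys "$account" "$rg"
  done
}

# Usage:  DRY_RUN=1 ./rotate.sh <account> <resource-group>   (review first)
#         ./rotate.sh --all                                  (whole subscription)
if [ "${1:-}" = "--all" ]; then
  rotate_all_accounts
elif [ $# -eq 2 ]; then
  rotate_account_keys "$1" "$2"
fi
```

Regenerating a key does not update the connection strings your applications hold, so each rotation must be followed by a secrets update (for example in Key Vault or app configuration); running with DRY_RUN=1 first shows exactly which accounts and key kinds will be touched.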

“We fixed this issue immediately to keep our customers safe and protected. We thank the security researchers for working under coordinated vulnerability disclosure,” Microsoft told Reuters. Microsoft’s email to customers also stated that there was no evidence the flaw had been exploited. “We have no indication that external entities outside the researcher (Wiz) had access to the primary read-write key,” the email said.

The worst vulnerability in Microsoft’s cloud?

Cloud attacks are rare, but they can be more devastating when they do occur, and many go unpublicized. Problems with Azure are especially troubling, because Microsoft and outside security experts have been pushing companies to abandon most of their own infrastructure and rely on the cloud for better security.

Luttwak told Reuters that “This is the worst cloud vulnerability you can imagine. It is a long-lasting secret. This is the central database of Azure, and we were able to get access to any customer database that we wanted.”

Luttwak’s team reportedly found the problem, dubbed ChaosDB, on August 9 and notified Microsoft by August 12. The flaw was spotted in a visualization tool called Jupyter Notebook, which has been available for years but was enabled by default in Cosmos DB beginning in February. After Reuters reported on the flaw, Wiz detailed the issue in a blog post.

Even customers who have not been notified by Microsoft could have had their keys swiped by attackers, Luttwak noted, giving them access until those keys are changed. Microsoft only told customers whose keys were visible this month, when Wiz was working on the issue.

For its part, Microsoft told Reuters that “customers who may have been impacted received a notification from us,” without elaborating. The disclosure comes after months of bad security news for Microsoft. The company was breached by the same suspected Russian government hackers that infiltrated SolarWinds, who stole Microsoft’s source code. Then a large number of hackers broke into Exchange email servers before a patch was hurriedly rolled out.

To top it off, another Exchange flaw last week prompted an urgent US government warning that customers need to install patches — issued months ago — because ransomware gangs are now exploiting it. According to the annual Microsoft Vulnerabilities Report 2021, a record 1,268 Microsoft vulnerabilities were discovered in 2020 alone, a 48% increase year-on-year (YoY). The number of reported vulnerabilities has risen an astonishing 181% over the last five years (2016-2020).