Urgent Action By Microsoft To Protect Cloud Users
Researchers at the Israeli cloud security startup company, Wiz, have discovered a massive flaw in the main databases stored in Microsoft Corp's Azure cloud platform and have urged all users to change their digital access keys.
Wiz found they could have gained access to the primary digital keys for most users of the Cosmos DB database system, allowing them to steal, change or delete millions of records. Alerted by Wiz, Microsoft rapidly fixed the configuration mistake that would have made it easy for any Cosmos user to get into other customers' databases, then notified some users to change their keys.
Microsoft found no evidence that any attackers had used the same flaw to get into customer data. "Our investigation shows no unauthorised access other than the researcher activity... Notifications have been sent to all customers that could be potentially affected due to researcher activity... Though no customer data was accessed, it is recommended you regenerate your primary read-write keys," Microsoft said in a blog.
The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) went further, making clear it was speaking not just to those notified. "CISA strongly encourages Azure Cosmos DB customers to roll and regenerate their certificate key," the agency said in a statement.
Experts at Wiz, founded by veterans of Azure's security team, agreed. "In my estimation, it's really hard for them, if not impossible, to completely rule out that someone used this before," said Wiz Chief Technology Officer Ami Luttwak, an ex-employee at Microsoft, where he developed tools for logging cloud security incidents.
When asked if it had comprehensive logs for the two years when the Jupyter Notebook feature was misconfigured, or had used another way to rule out access abuse, a Microsoft spokesman replied, "We expanded our search beyond the researcher's activities to look for all possible activity for current and similar events in the past."
Wiz discovered the vulnerability on 9 August 2021 and disclosed the flaw to Microsoft three days later. Within 48 hours, Microsoft's security teams disabled the vulnerable feature.