Pages

Friday 27 August 2021

Microsoft warns its cloud customers that their data may have been leaked: Flaw left system used by Coca Cola, Exxon-Mobil and other major firms exposed

 Microsoft has warned thousands of its online cloud customers - including Fortune 500 firms like Coca-Cola, Exxon-Mobil, and Citrix - that their data may have been exposed to intruders. 

The company revealed a major flaw in its flagship Azure Cosmos DB database service on Thursday, which could allow hackers to read, change or delete data saved in the cloud, according to an internal email and a cyber security researcher. 

That flaw was discovered by a research team at the security company Wiz, who discovered it was able to access keys that control access to databases held by thousands of companies. 

'This is the worst cloud vulnerability you can imagine. It is a long-lasting secret,' Wiz co-founder Ami Luttwak told Reuters. 'This is the central database of Azure, and we were able to get access to any customer database that we wanted.' 

Microsoft agreed to pay Wiz $40,000 for finding the flaw and reporting it, according to an email it sent to Wiz. Azure Cosmos DB is Microsoft's flagship software. Further details on what firms like Coke and Exxon use the software for have not been shared, but it is often used to manage prescription transactions, or managing flows of customer orders. 

Microsoft faced a major set back on Thursday when it was revealed that their cloud computing service had a major flaw that left its customers' information vulnerable to hackers

Microsoft faced a major set back on Thursday when it was revealed that their cloud computing service had a major flaw that left its customers' information vulnerable to hackers

Microsoft CEO Satya Nadella
Wiz co-founder Ami Luttwak

Wiz co-founder Ami Luttwak, right, and his team warned Microsoft of the vulnerability on August 12. Pictured to the right, Microsoft CEO Satya Nadella

Fortune 500 companies like Coca-Cola, whose Atlanta HQ is pictured above, were left vulnerable due to the flaw in the Microsoft's Azure cloud system

Fortune 500 companies like Coca-Cola, whose Atlanta HQ is pictured above, were left vulnerable due to the flaw in the Microsoft's Azure cloud system

Microsoft said it had no immediate comment. 

Microsoft's email to customers said it has fixed the vulnerability and that there was no evidence the flaw had been exploited. 'We have no indication that external entities outside the researcher (Wiz) had access to the primary read-write key,' the email said. 

Because Microsoft cannot change the access keys by itself, it emailed the customers Thursday telling them to create new ones. 

Luttwak, a former chief technology officer at Microsoft's Cloud Security Group, said the flaw could have had serious effects. 

Luttwak's team found the problem, dubbed ChaosDB, on August 9 and notified Microsoft August 12, Luttwak said.

The flaw was in a visualization tool called Jupyter Notebook, which has been available for years but was enabled by default in Cosmos beginning in February. After Reuters reported on the flaw, Wiz detailed the issue in a blog post.

Luttwak said even customers who have not been notified by Microsoft could have had their keys swiped by attackers, giving them access until those keys are changed. 

Microsoft only told customers whose keys were visible this month, when Wiz was working on the issue.

Microsoft's flagship Azure cloud service holds the data of thousands of customers. Its access keys were left vulnerable and could have allowed hackers to access customer's databases

Microsoft's flagship Azure cloud service holds the data of thousands of customers. Its access keys were left vulnerable and could have allowed hackers to access customer's databases

The disclosure comes after months of bad security news for Microsoft. 

The company was breached by the same suspected Russian government hackers that infiltrated SolarWinds, who stole Microsoft source code.

Then a wide number of hackers broke into Exchange email servers while a patch was being developed.

A recent fix for a printer flaw that allowed computer takeovers had to be redone repeatedly. 

Another Exchange flaw last week prompted an urgent U.S. government warning that customers need to install patches issued months ago because ransomware gangs are now exploiting it.

Problems with Azure are especially troubling, because Microsoft and outside security experts have been pushing companies to abandon most of their own infrastructure and rely on the cloud for more security.

But though cloud attacks are more rare, they can be more devastating when they occur. What's more, some are never publicized.

A federally contracted research lab tracks all known security flaws in software and rates them by severity. But there is no equivalent system for holes in cloud architecture, so many critical vulnerabilities remain undisclosed to users, Luttwak

No comments:

Post a Comment