A vulnerability in Microsoft’s Azure cloud computing service left several thousand customers susceptible to cyberattacks. The tech giant has warned its clients of the flaw in its flagship database service Cosmos DB after it was discovered and reported by security company Wiz. In a blog post it published, Wiz said it was able to use the vulnerability, which it has named “ChaosDB,” to gain “complete unrestricted access to the accounts and databases” of thousands of Azure clients.
Azure customers, including Fortune 500 companies such as Coca-Cola and Exxon-Mobil, use Cosmos DB to manage the massive amounts of data they receive in real time. Wiz explained that it found a series of flaws in the Cosmos DB feature called Jupyter Notebook, which gives customers a way to visualize their data. That feature has been around since 2019, but it was switched on for all Cosmos DB customers just this past February. Wiz said that a series of misconfigurations in the notebook created a loophole, which allows any user “to download, delete or manipulate a massive collection of commercial databases, as well as read/write access to the underlying architecture of Cosmos DB.”
While the security company praised Microsoft for disabling the notebook within 48 hours of being alerted to the issue and for notifying around 30 percent of its customers, it warned that more clients may be at risk. Microsoft only notified the customers that were affected during Wiz’s week-long research period in early August. However, the security firm believes the vulnerability has been exploitable for months, possibly even years. It’s now advising Azure customers to rotate and regenerate their access keys even if they didn’t get an email from Microsoft. That said, the tech giant said it found no evidence that the flaw has been exploited. It told the customers it emailed that there’s no “indication that external entities outside the researcher (Wiz) had access to the primary read-write key
As Reuters notes, this is the latest in a string of bad security news for Microsoft over the past year. In February, the tech giant revealed that the SolarWinds hackers accessed and downloaded source code for Azure, its cloud-based management solution Intune and its mail and calendar server Exchange. The Chinese Hafnium hacking group also exploited a vulnerability in Exchange to infiltrate at least 30,000 organizations around the world, including police departments, hospitals, and banks.