Microsoft Azure Cosmos DB, a fully managed NoSQL database service for modern app development, was found to be critically exposed. Security company Wiz was able to gain complete, unrestricted access to the databases of thousands of Azure customers, including many Fortune 500 companies, via the service's Jupyter Notebook feature.
Wiz's security researchers reported the flaw to Microsoft, which disabled the vulnerable feature within 48 hours. Microsoft also says it is developing a security redesign of the feature for all customers.
The disclosure comes on the heels of the SolarWinds supply-chain attack late last year, which compromised several organisations, including Microsoft.
Cosmos DB to ChaosDB
Some of the world's biggest and most influential businesses use Cosmos DB to manage large amounts of data from around the world in near real time. Features such as SLA-backed speed and throughput, fast global access and instant elasticity make it a favourite, and it is one of the simplest ways to store data. Cosmos DB powers critical functions such as prescription transaction processing and managing customer order flow on e-commerce websites.
Attacks on databases have become increasingly common in recent years, a trend linked to more companies moving to the cloud. As the recent disclosure shows, Cosmos DB has not been immune either.
Wiz's team reveals that a chain of flaws in Cosmos DB allowed any Azure user to download, delete or manipulate a massive collection of commercial databases, and also gave a third party read/write access to the underlying architecture of Cosmos DB. Wiz named the vulnerability ChaosDB.
Wiz's team was able to obtain customers' Cosmos DB primary keys, which grant full read, write and delete access to customer data. Microsoft had added the Jupyter Notebook feature to Cosmos DB so that customers could visualise their data and build custom views, and in February 2021 it turned the feature on by default for all accounts. A series of misconfigurations in the notebook environment, however, allowed privilege escalation from one customer's notebook into other customers' notebooks. That gave an attacker access to their primary keys and other secrets, such as the credentials for the notebook's blob storage.
The team then exfiltrated the keys and used them to gain long-term, full administrative access to customer Cosmos DB accounts directly over the internet.
While Microsoft disabled the Jupyter Notebook feature quickly, some customers may still be affected, because their primary access keys may have been exposed before the fix and a regenerated key is the only way to revoke that access. Microsoft notified only the customers whose keys were exposed during Wiz's research period, which lasted roughly a week. Wiz said on its blog that Microsoft told over 30 per cent of Cosmos DB customers to change their access keys manually, and that it believes many more customers may be at risk, since the feature had been on by default since February.
Microsoft has said it has no indication that anyone outside the Wiz researchers accessed customers' keys, and it has paid Wiz $40,000 for finding and reporting the vulnerability. In response to a media query, Microsoft said the issue was fixed immediately to protect customers' safety and privacy, and thanked the Wiz researchers for their 'coordinated vulnerability disclosure'.
The US Cybersecurity and Infrastructure Security Agency (CISA) has also taken note of the vulnerability. In an official statement, the agency said, "Although the misconfiguration appears to have been fixed within the Azure cloud, CISA strongly encourages Azure Cosmos DB customers to roll and regenerate their certificate keys and to review Microsoft's guidance on how to secure access to data in Azure Cosmos DB."
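Rolling the keys is the one step every Cosmos DB customer can take themselves. The script below is an added example, not code from Wiz, Microsoft or the article, showing how to do it with the Azure CLI (`az cosmosdb keys regenerate` and `az cosmosdb keys list` are real commands; the resource-group and account names are placeholders). It regenerates the secondary key first so that workloads can be moved to a key that was never exposed before the primary key, the one ChaosDB leaked, is regenerated, then rotates the read-only pair. Setting `AZ=echo` prints the commands instead of running them; `ROTATE_HOOK` is an assumed, optional command for the out-of-band step of re-pointing applications.

```shell
#!/bin/sh
# Rotate every Azure Cosmos DB account key with the Azure CLI.
# AZ defaults to the real CLI; set AZ=echo to dry-run and print the commands.
# ROTATE_HOOK (optional, assumed for this example) is a command run after the
# secondary key is regenerated, for pointing workloads at the new secondary key.
AZ="${AZ:-az}"

# Regenerate one key. $1 = resource group, $2 = account name,
# $3 = key kind: primary | secondary | primaryReadonly | secondaryReadonly
regenerate_key() {
  "$AZ" cosmosdb keys regenerate --resource-group "$1" --name "$2" --key-kind "$3"
}

# List the read-write keys of an account so you can confirm they changed.
list_rw_keys() {
  "$AZ" cosmosdb keys list --resource-group "$1" --name "$2" --type keys
}

# Rotate both read-write keys and both read-only keys without losing access:
# regenerate the key you are NOT using first, move workloads to it, then
# regenerate the one that may have been exposed (the primary key in ChaosDB).
rotate_account_keys() {
  rg="$1"; acct="$2"
  regenerate_key "$rg" "$acct" secondary || return 1
  "${ROTATE_HOOK:-:}" "$rg" "$acct" || return 1   # switch apps to the new secondary key
  regenerate_key "$rg" "$acct" primary || return 1
  regenerate_key "$rg" "$acct" secondaryReadonly || return 1
  regenerate_key "$rg" "$acct" primaryReadonly || return 1
}

# Usage with placeholder names (dry run): AZ=echo ./rotate-cosmos-keys.sh my-rg my-cosmos-account
if [ "$#" -eq 2 ]; then
  rotate_account_keys "$1" "$2" && list_rw_keys "$1" "$2"
fi
```

Regenerating a key invalidates the old one immediately, so any application, notebook or connection string still holding it will start failing; that is the point, but it is why the secondary key is rotated and adopted first. Longer term, Microsoft's guidance also covers moving data-plane access to Azure AD role-based access control so that a primary key is no longer the single credential that unlocks an account.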
In December last year, The Register reported that an Azure storage blob belonging to Probase, a UK-based app developer, had been left unsecured, exposing information such as medical records, recruitment data, insurance claim documents and occupational health assessments. Up to 587,000 files sat in the unprotected blob, which was entirely public-facing: anyone with the address of a file in it could view it without any authentication.
A more recent incident came in January this year, when vpnMentor, a web privacy and VPN vendor, discovered a leaky Azure storage blob as part of its web mapping project. The blob was suspected to belong to Microsoft itself.
I am a journalist with a postgraduate degree in computer network engineering. When not reading or writing, one can find me doodling away to my heart’s content.