The cybersecurity spotlight hasn’t shifted from Microsoft for most of 2021. The latest in a string of critical security issues is a vulnerability in Cosmos DB, Microsoft Azure’s flagship database.
The exposure, discovered by security company Wiz, impacted thousands of customers hosting their data on the cloud solution, including Coca-Cola, Skype, and Rolls-Royce.
A series of flaws in a Cosmos DB feature allowed anyone to download, delete or manipulate mass collections of commercial databases with both read and write access to the underlying Cosmos DB architecture.
The principal flaw that opened this pathway is linked to a Jupyter Notebook feature used for data visualization. A series of misconfigurations permitted privilege escalation into customer notebooks, which could then lead to the discovery of each customer’s Cosmos DB primary key, allowing full read, write, and delete access to customer data.
Wiz reported the issue to Microsoft’s security team, which then disabled the Jupyter feature within 48 hours. Because these primary keys cannot be changed by Microsoft, all impacted customers were urged to create new keys.
This exposure was remediated before it was discovered and exploited by cyber attackers, preventing a potentially catastrophic data breach.
On August 23, another customer database exposure was announced by the UpGuard research team. Faulty default permission settings in Microsoft’s Power Apps exposed 38 million user records including social security numbers, COVID-19 vaccination data, and job applicant data.
Earlier in August, CISA issued an urgent warning about three vulnerabilities facilitating remote code execution on Microsoft Exchange servers.
In July, a Windows print spooler remote code execution vulnerability, if exploited, would have allowed attackers to run arbitrary code with system privileges to install malicious programs, delete data, or create new accounts with full user rights.
And in December 2020, the SolarWinds hackers accessed Microsoft’s source code repositories for its Azure, Intune, and Exchange components.
These exposures highlight the complexity of securing a cloud environment. Because the transition to cloud technology is necessary to maintain a competitive advantage, the future of data security depends upon a reliable defense for this multiplex attack surface.