Technology giant Microsoft has advised thousands of cloud computing customers enrolled for Azure services, including numerous companies on the Fortune 500 list, that a vulnerability has rendered their confidential data completely exposed during the last two years.
What is the problem?
A vulnerability in the database of Microsoft product Azure Cosmos DB has now left over 3,300 of its Azure cloud computing customers susceptible to attack, with threat actors able to gain unrestricted access to systems and data. The vulnerability was first introduced two years ago when the technology multinational added a new data visualisation feature to Cosmos DB, known as “Jupyter Notebook”. This feature was then turned on automatically by default in February this year for all active Cosmos DB databases.
A current listing of clients to have adopted Azure Cosmos DB includes major companies like Liberty Mutual Insurance, Coca-Cola, Walgreens and ExxonMobil.
How was the vulnerability discovered?
The cybersecurity flaw was identified by the cloud infrastructure security firm, Wiz Chief Technology Officer (CTO) at the company, Ami Luttwak, commented on his team’s findings.
“This is the worst cloud vulnerability you can imagine. This is the central database of Azure, and we were able to get access to any customer database that we wanted.”
According to Reuters, Microsoft paid the security company a total of $40,000 for its discovery but also conducted its own forensic investigation, which involved examining data logs to uncover any similar activity or events in the present or past.
While the potential risks involved are considerable, Microsoft has stated it has yet to witness evidence of the security weakness leading to any illegal access. A spokesperson for the Redmond-based company commented in a statement emailed to Bloomberg L.P.:
“There is no evidence of this technique being exploited by malicious actors. We are not aware of any customer data being accessed because of this vulnerability. Our investigation shows no unauthorised access other than the researcher activity.”
Wiz detailed the vulnerability in a recent blogpost, stating that the security flaw enabled its researchers to obtain access to the specific primary keys securing Cosmos DB databases for customers of Microsoft. With these keys, it had complete write, read and delete access to private data held by thousands of Azure customers.
What protective steps can I take?
If companies with extensive access to resources and expertise such as Microsoft can be found to have vulnerabilities, the likelihood of smaller vendors being able to supply enterprises with a secure solution drops dramatically.
That’s why at Galaxkey we’ve created a platform that puts firms in control of their own security. In a hosted environment of your own, you’ll never need to depend on a third party to manage your keys, ensuring your systems and data are well-protected. Our platform has zero backdoors for hackers to exploit and no passwords are ever stored, avoiding vulnerabilities.
Contact our team today to ensure you don’t fall victims to insufficient security measures. We invite you to experience a free 14-day trial of our system.