We typically hear stories of leaky storage buckets on the news, but every CISO’s worst nightmare is a stolen primary access key.
Imagine giving complete and unrestricted access to the accounts and databases of several thousand Microsoft Azure customers. Worse yet, imagine giving someone the unprecedented ability to exfiltrate billions of sensitive records – in one fell swoop.
Two weeks ago, that nightmare became a reality. Security researchers from Wiz discovered that Microsoft Azure’s flagship database service, Cosmos DB, had one of the worst security vulnerabilities imaginable, so much so that it has been dubbed “ChaosDB” nationwide.
According to Wiz, “a series of flaws in a Cosmos DB feature created a loophole allowing any user to download, delete or manipulate a massive collection of commercial databases, as well as read/write access to the underlying architecture of Cosmos DB.”
Here’s how it happened.
In 2019, Microsoft added a feature called Jupyter Notebook to Cosmos DB that allowed users to visualize and create customized views of their data. Since February 2021, this feature has been turned on by default. Misconfigurations in the notebook allowed for “privilege escalation[s] into other customer notebooks,” giving any attacker their heart’s desire: open access to another customer’s primary key – a disaster waiting to happen.
These keys gave full admin access to all data stored in Cosmos DB accounts and allowed those accounts to be controlled directly from the Internet with read/write/delete permissions. This vulnerability serves as a catalyst for change, a reminder that having an effective data protection plan in place is more important than ever.
Since then, Microsoft’s security team has taken action, disabling the notebook feature within 48 hours of discovery. However, Wiz believes that many more Cosmos DB customers may be affected.
Though it’s unclear how many more customers may be at risk, this vulnerability highlights the importance of monitoring data usage to prevent exfiltration.
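As an added illustration of what “monitoring data usage” can look like in practice (example code written for this page, not code from Wiz, Microsoft or Dasera), the script below runs two simple checks over Cosmos DB data-plane audit records: account-key authentication from a client address the account has never been seen with before, and a burst of read or query traffic from one client that exceeds a request-unit budget inside a short window. The record layout is loosely modelled on Azure’s DataPlaneRequests diagnostic logs, but the field names (`authTokenType`, `clientIp`, `requestCharge`, and so on), the token-type values, the known-IP allow list and the sample records are all assumptions constructed for the example.

```python
"""Flag risky account-key usage in Cosmos DB data-plane audit records.

Added example. The record shape is only loosely based on Azure's
DataPlaneRequests diagnostic logs; every field name and token-type value
below is an assumption made for this illustration, not the real schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed token-type labels for account-key (as opposed to Azure AD) auth.
KEY_TOKEN_TYPES = {
    "PrimaryMasterKey", "SecondaryMasterKey",
    "PrimaryReadonlyMasterKey", "SecondaryReadonlyMasterKey",
}
# Operations that move data out of the account (the exfiltration path).
READ_OPS = {"Read", "Query", "ReadFeed"}

# Constructed sample records, not real telemetry. 203.0.113.9 is a
# documentation address standing in for an address the account has never used.
SAMPLE_LOG = [
    {"time": "2021-08-26T10:00:01Z", "account": "acct-prod", "authTokenType": "AadToken",
     "operationName": "Read", "clientIp": "10.1.2.3", "requestCharge": 1.0},
    {"time": "2021-08-26T10:00:05Z", "account": "acct-prod", "authTokenType": "PrimaryMasterKey",
     "operationName": "Read", "clientIp": "10.1.2.4", "requestCharge": 1.0},
    {"time": "2021-08-26T10:03:10Z", "account": "acct-prod", "authTokenType": "PrimaryMasterKey",
     "operationName": "Query", "clientIp": "203.0.113.9", "requestCharge": 400.0},
    {"time": "2021-08-26T10:03:40Z", "account": "acct-prod", "authTokenType": "PrimaryMasterKey",
     "operationName": "Query", "clientIp": "203.0.113.9", "requestCharge": 450.0},
    {"time": "2021-08-26T10:04:20Z", "account": "acct-prod", "authTokenType": "PrimaryMasterKey",
     "operationName": "Query", "clientIp": "203.0.113.9", "requestCharge": 500.0},
    {"time": "2021-08-26T10:30:00Z", "account": "acct-prod", "authTokenType": "AadToken",
     "operationName": "Create", "clientIp": "10.1.2.3", "requestCharge": 6.0},
    {"time": "2021-08-26T10:31:00Z", "account": "acct-dev", "authTokenType": "SecondaryMasterKey",
     "operationName": "Delete", "clientIp": "10.1.2.4", "requestCharge": 5.0},
]

# Constructed baseline: client addresses each account is expected to see.
KNOWN_CLIENT_IPS = {
    "acct-prod": {"10.1.2.3", "10.1.2.4"},
    "acct-dev": {"10.1.2.4"},
}


def parse_time(value):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def key_usage_from_unknown_ips(records, known_ips):
    """Return records where an account key was used from an address not in the baseline.

    A leaked primary key is indistinguishable from legitimate key use except by
    context, so where the request came from is the first signal worth watching.
    """
    return [
        r for r in records
        if r["authTokenType"] in KEY_TOKEN_TYPES
        and r["clientIp"] not in known_ips.get(r["account"], set())
    ]


def bulk_reads(records, window=timedelta(minutes=5), threshold_ru=1000.0):
    """Flag (account, client) pairs whose read traffic exceeds threshold_ru within any window.

    Request charge (RU) is used as a volume proxy; the sliding window keeps the
    check linear in the number of events per client.
    """
    by_client = defaultdict(list)
    for r in records:
        if r["operationName"] in READ_OPS:
            key = (r["account"], r["clientIp"])
            by_client[key].append((parse_time(r["time"]), float(r["requestCharge"])))

    alerts = []
    for (account, ip), events in by_client.items():
        events.sort()
        start, running, peak = 0, 0.0, 0.0
        for t, ru in events:
            running += ru
            # Drop events that fell out of the window ending at t.
            while t - events[start][0] > window:
                running -= events[start][1]
                start += 1
            peak = max(peak, running)
        if peak >= threshold_ru:
            alerts.append({"account": account, "clientIp": ip, "peak_ru": peak})
    return alerts


def detect(records, known_ips):
    """Run both checks and return the alerts grouped by check name."""
    return {
        "key_from_unknown_ip": key_usage_from_unknown_ips(records, known_ips),
        "bulk_reads": bulk_reads(records),
    }


if __name__ == "__main__":
    for name, hits in detect(SAMPLE_LOG, KNOWN_CLIENT_IPS).items():
        print(f"{name}: {len(hits)} alert(s)")
        for hit in hits:
            print("  ", hit)
```

On the sample data the first check flags the three key-authenticated queries from 203.0.113.9, and the second flags the same client for 1,350 RU of reads inside five minutes. Neither check says anything on its own about whether the key was stolen; they are prompts to rotate the account keys (for example with `az cosmosdb keys regenerate`, rotating the secondary key first so clients can fail over) and to review whether the affected workloads can move to identity-based access so that a copied key stops being sufficient on its own.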
For more information on how Dasera can protect sensitive data, no matter who has access, visit www.dasera.com.