Cybersecurity researchers urge action by Microsoft cloud database users


August 28 (Reuters) – Researchers who discovered a massive flaw in major databases stored on Microsoft Corp.’s (MSFT.O) Azure cloud platform on Saturday urged all users to change their digital access passwords, not just the 3,300 that Microsoft notified this week.

As Reuters first reported, researchers at a cloud security company called Wiz discovered this month that they could have accessed the primary digital keys for most users of the Cosmos DB database system, allowing them to steal, change or delete millions of records.

Alerted by Wiz, Microsoft quickly fixed the configuration error that would have made it easier for any Cosmos user to access other customers’ databases, and then warned some users on Thursday to change their passwords.

In a blog post on Friday, Microsoft said it had warned customers who had set up access to Cosmos during the week-long research period. It found no evidence that any attacker had used the same defect to access customer data, it noted.

“Our research does not show any unauthorized access other than the research activity,” Microsoft wrote. “Notifications have been sent to all clients who could be potentially affected due to the activity of the investigators,” it said, perhaps referring to the possibility that the technique had leaked from Wiz.

“Although no customer data was accessed, it is recommended to regenerate the primary read-write keys,” it said.

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) used stronger language in a bulletin on Friday, making it clear that it was not addressing only the customers who had been notified.

“CISA strongly encourages Azure Cosmos DB customers to roll in and regenerate their certificate key,” the agency said.

Experts at Wiz, which was founded by four veterans of Azure’s internal security team, agreed.

“In my opinion, it’s really hard, if not impossible, to completely rule out someone using it before,” said one of the four, Wiz technology manager Ami Luttwak. At Microsoft he developed tools for logging security incidents in the cloud.

Microsoft did not give a direct answer when asked whether it had full records for the two years during which the Jupyter Notebook feature was misconfigured, or whether it had used another way to rule out access abuse.

“We have expanded our search beyond the activities of the researcher to look for all possible activity for current and similar events from the past,” said spokesman Ross Richendrfer, who declined to address other issues.

Wiz said Microsoft had worked closely with it on the investigation, but did not say how it could be sure previous customers were safe.

“It’s terrifying. I really hope no one but us has found this mistake,” said Sagi Tzadik, one of the project’s lead researchers at Wiz.

Reporting by Joseph Menn in San Francisco; Editing by Richard Chang
