An explanation of the Cosmos DB compromise via the Jupyter Notebooks feature, source.

This master key grants access to every Cosmos DB database in Microsoft Azure that is configured with it. Whoever holds it is effectively an administrator with full permissions (read, write, delete) on the database.

On August 26, Microsoft notified thousands of cloud customers affected by the issue via email. In the message, the company warned its customers that the attacker had the ability to read, modify, and even delete all master databases. Luttwak managed to obtain the master read-write keys, which he used to gain full access to customer databases. Since Microsoft itself cannot change these keys, the company requires its customers to take action and rotate this Cosmos DB master key as a precautionary measure. Although the security hole has been closed, customers should take this step to rule out a possible database compromise. Microsoft further wrote in the message that it has found no evidence that any third party (other than Wiz) accessed these keys.

Microsoft failed to notify all customers

Luttwak told Reuters he was critical of Microsoft’s warnings to its customers. The company wrote only to customers whose vulnerable keys were visible in the same month that Wiz discovered and investigated the issue. However, attackers could have viewed the keys of many more customers, because the vulnerability was present from the time the Jupyter Notebooks feature was first released in 2019. Every Cosmos DB account that used the feature was potentially at risk. Starting in February of this year, every newly created Cosmos DB account had the notebook feature enabled by default for at least three days, so its primary keys may have been exposed even if the customer was unaware of the feature and never used it.

Because the master key is a persistent secret that does not renew automatically, a potential attacker who has obtained it might still be able to abuse it even after a company turns off the Jupyter functionality for Cosmos DB.

Still, despite Wiz’s criticism, Microsoft did not notify all customers who had turned on the Jupyter Notebooks feature for Cosmos DB. When asked about this, Microsoft told Reuters only that it had notified potentially affected customers and did not explain the statement further.

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency used stronger language in an advisory, making it clear that the recommendation applies not just to the customers who were notified but to everyone using Azure Cosmos DB.

“CISA strongly encourages Azure Cosmos DB customers to roll and regenerate their certificate keys.”

You can find information on how to regenerate your keys
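As an added example of the rotation CISA recommends (this script is not from the original article, nor from Microsoft's documentation), the following POSIX shell script drives the Azure CLI through a zero-downtime key rotation: regenerate the key the application is not using, move the application onto that fresh key, then regenerate the old one, so every key that may have leaked ends up invalid without the application ever presenting a revoked key. It assumes `az` is installed and logged in; the resource group and account names are placeholders, and `switch_app_to` is a hypothetical hook that you replace with whatever pushes a new key to your application (Key Vault secret update, configuration push, restart).

```shell
#!/bin/sh
# Added example, not part of the original article: two-phase rotation of
# Cosmos DB account keys with the Azure CLI.  Assumes `az` is logged in.
set -eu

AZ="${AZ:-az}"   # command used for Azure CLI calls; overridable for dry runs

# Regenerate one key of the account.  key-kind is one of the values the CLI
# accepts: primary, secondary, primaryReadonly, secondaryReadonly.
# The CLI prints the new key set; discard it so keys never land in logs.
regenerate_key() {
    rg="$1"; account="$2"; kind="$3"
    "$AZ" cosmosdb keys regenerate \
        --resource-group "$rg" --name "$account" --key-kind "$kind" >/dev/null
}

# Fetch the current value of one key so it can be handed to the application.
# field is e.g. primaryMasterKey, secondaryMasterKey, primaryReadonlyMasterKey.
get_key() {
    rg="$1"; account="$2"; field="$3"
    "$AZ" cosmosdb keys list --resource-group "$rg" --name "$account" \
        --type keys --query "$field" -o tsv
}

# Hypothetical hook: point the application at the freshly generated key.
# Replace the body with your deployment's secret update; never echo the key.
switch_app_to() {
    rg="$1"; account="$2"; kind="$3"
    new_key=$(get_key "$rg" "$account" "${kind}MasterKey")
    # ... push "$new_key" to Key Vault / config here (hypothetical) ...
    echo "application now using the $kind key"
}

# Rotate one pair of keys.  in_use is the key the application currently
# presents; idle is its partner.  Order: regenerate idle, switch, regenerate
# in_use.  Afterwards both previously valid keys are dead.
rotate_pair() {
    rg="$1"; account="$2"; in_use="$3"; idle="$4"
    regenerate_key "$rg" "$account" "$idle"
    switch_app_to "$rg" "$account" "$idle"
    regenerate_key "$rg" "$account" "$in_use"
    echo "rotated $in_use/$idle: application on $idle, old keys invalid"
}

# Read-only keys still expose every document, so rotate them the same way.
rotate_all() {
    rotate_pair "$1" "$2" primary secondary
    rotate_pair "$1" "$2" primaryReadonly secondaryReadonly
}

# Run directly as:  ROTATE=1 sh rotate-cosmos-keys.sh <resource-group> <account>
if [ "${ROTATE:-0}" = 1 ]; then
    rotate_all "$1" "$2"
fi
```

Because `AZ` is a variable, the script can be dry-run by pointing it at a wrapper that only records the commands; that is also the easiest way to review the exact rotation order before running it against a production account. Note that after rotation the application ends up on the secondary key; the next rotation should therefore be invoked with the roles swapped.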

The worst cloud computing vulnerability imaginable

“This was the worst cloud breach you could imagine,” Luttwak said. “This was Azure’s central database, and we were able to gain access to any customer database we wanted.”

For European Azure cloud customers with personal data stored in Cosmos DB instances, there is also the question of whether a GDPR breach notification must be sent to the responsible data protection authority within 72 hours because of a possible security incident.

This Microsoft vulnerability is a nightmare for any company using Cosmos DB. And because of its popularity, thousands of companies, many of them global, including Fortune 500 companies, use Microsoft’s Azure Cosmos DB to manage large amounts of data from around the world in near real time.

Their data is now at risk of being hacked, stolen, or even deleted.

It’s all about encryption

To reduce the likelihood of this threat, companies that want to move their data to the cloud have only one option: encrypt. And when we say encryption, we don’t mean server-side encryption. We mean true end-to-end encryption, where no one — not even the service provider — has access to the secret keys.

The hack of Microsoft’s Azure database demonstrates once again that encryption is our best tool for defending against malicious attackers and keeping our data safe.

When data is stored in the cloud, the only way to properly protect that data is with end-to-end encryption.
