
Microsoft cloud service hole threatens thousands of databases

by alex

Microsoft has warned its customers, including some of the world's largest companies, about a vulnerability found in the Azure cloud platform. The flaw could have allowed attackers to view, modify and delete confidential databases. This was reported by Reuters and CNBC, citing a letter that Microsoft sent out to customers.

The vulnerability is located in Microsoft Azure's flagship Cosmos database and was discovered by computer security experts at Wiz. Microsoft thanked the company and promised to pay it $40,000 for discovering the vulnerability.

Wiz specialists were able to obtain keys that open access to databases of thousands of enterprises (as noted by the company, including Coca-Cola, Exxon-Mobil and Citrix). Since Microsoft cannot change these keys on its own, it sent customers an email on Thursday asking them to create new ones.

Wiz said the loophole they found theoretically allowed any user to download, delete, or manipulate a huge set of commercial databases. The company noted that Microsoft's security service responded in a timely manner to information about the threat. “We rarely see the security forces act so quickly! They disabled the vulnerable feature within 48 hours after we reported it,” Wiz said.

According to Microsoft's letter, there is no evidence yet that anyone has managed to exploit the vulnerability. At the same time, Wiz notes that the loophole existed in the system for at least several months, and possibly years.

Wiz CTO Ami Luttwak is a former CTO of Microsoft's Cloud Security Division. “This is the worst cloud vulnerability imaginable,” he told Reuters. Luttwak clarified that Wiz discovered the vulnerability on August 9 and notified Microsoft on August 12. Information about the incident appeared on the Wiz website on August 26; Microsoft's warning to customers became known today.

In December 2020, it became known that hackers, supported by a foreign government, attacked the IT company SolarWinds, whose clients include the Pentagon, the Department of Justice, the State Department, the National Security Agency, the Postal Service, and 425 Fortune 500 companies. citing sources said that the hacker attack also affected Microsoft, which used the SolarWinds software. The Washington Post indicated that hackers gained access to e-mail and stole the correspondence of a certain private company, whose name was not specified. Microsoft itself denies the fact of hacking.
