Customers were warned that threat actors could even delete their main database by exploiting a vulnerability, named ChaosDB, in Microsoft Azure’s flagship Cosmos DB database service.
The alleged flaw was unearthed on August 9 by a team of security researchers, who found that they could get hold of keys that unlock access to databases belonging to thousands of businesses. The researchers are employed by security company Wiz, which was reportedly paid $40,000 by Microsoft for detecting and reporting the serious vulnerability.
Microsoft told Reuters: “We fixed this issue immediately to keep our customers safe and protected. We thank the security researchers for working under coordinated vulnerability disclosure.”
However, Reuters reports that Microsoft was not able to fix the issue on its own, as the company cannot change customers’ keys for them. Instead, Microsoft emailed its cloud computing customers yesterday and instructed them to generate new keys.
In its email to customers, Microsoft said: “We have no indication that external entities outside the researcher (Wiz) had access to the primary read-write key.”
But the severity of the vulnerability was apparent to Wiz chief technology officer Ami Luttwak. The former CTO at Microsoft’s Cloud Security Group said: “This is the worst cloud vulnerability you can imagine. It is a long-lasting secret. This is the central database of Azure, and we were able to get access to any customer database that we wanted.”
In a blog post dedicated to the discovery, Wiz stated that its researchers “were able to gain complete unrestricted access to the accounts and databases of several thousand Microsoft Azure customers, including many Fortune 500 companies.”
Luttwak warned that the flaw, which was found lurking in a visualization tool called Jupyter Notebook, may have impacted additional Microsoft customers who have not been notified, since the company only emailed customers whose keys were visible in August.
Camille Charaudeau, vice president of product strategy at CybelAngel, commented that the flaw met all the conditions for “a proper ransomware attack.”