Azure and Microsoft Data Breaches
What’s causing breaches on Azure and Microsoft cloud?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
⚙️ Check out my series on Automating Cybersecurity Metrics | Code.
🔒 Related Stories: Azure Security | Data Breaches | Cybersecurity
💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

As with my last post on AWS Data Breaches, I took a look at what breaches have occurred on Azure and other Microsoft cloud systems. Understanding what is causing data breaches helps us take action to prevent future breaches.
Note that some cloud environments may have more publicly available information on CVEs because they run bug bounty programs while others do not. However, widespread outages and required disclosures of sensitive data breaches are quantifiable across cloud platforms. It is easy to track how long a cloud provider was not accessible. It is also easy to understand the scope of vulnerabilities and data exposure reported by third parties who document the incident, or by looking at data breach reports.
Microsoft does a good job of providing detailed incident reports that help customers understand breaches and how to protect themselves in the future, and what steps the company is taking to remediate security problems. That said, there have been quite a few major incidents in the past few years. This post focuses on incidents in 2023.
Get an access key from IMDS by way of SQL Injection
Starting the attack, the threat actors would first take advantage of an SQL injection vulnerability in an application on a target’s endpoint…In some cases, the threat actors can run operating system commands…The next step is to try and access the Instant Metadata Service (IMDS) which can give them a cloud identity access key. — October 2023
Iranian Threat Group Hits Thousands With Password Spray Campaign — in some cases leading to data exfiltration
An Iranian state-backed APT group carried out a “wave” of cyber-espionage attacks against thousands of global targets over a six-month period, Microsoft has revealed. — September 2023
The group became more sophisticated over time.
In some intrusions, APT33 deployed commercial remote monitoring and management tool AnyDesk to maintain access to a target.
“Peach Sandstorm also created new Azure subscriptions and leveraged the access these subscriptions provided to conduct additional attacks in other organizations’ environments.”
Microsoft Azure HDInsight Plagued With XSS Vulnerabilities
Microsoft recently patched as many as eight severe vulnerabilities in various Apache services in Azure HDInsight — the software giant’s managed big data analytics service. — September 13, 2023
Microsoft leaked 38TB of sensitive data for three years
It happens to the best of us…Microsoft leaked data through a misconfiguration of their own storage service and was not discovered for three years.
The Microsoft AI research division accidentally leaked dozens of terabytes of sensitive data starting in July 2020 while contributing open-source AI learning models to a public GitHub repository. — September 2023
Cloud data-security firm Wiz issued an advisory on the incident, which it said originated in the use of a Microsoft Azure feature known as a Shared Access Signature (SAS) token. — September 18, 2023
Microsoft has admitted to mistakenly leaking 38 terabytes of private data belonging to its employees, including passwords, private keys and Teams messages. The leak took place in July 2020 and was uncovered earlier this year. — September 2023
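The SAS token in this incident was embedded in a URL committed to a public repository. A SAS URL carries its own scope in the query string (permissions, expiry, which key signed it), so a pre-commit scan can triage one before it leaves the organization. The scanner below is an added example written for this post, not Wiz's or Microsoft's tooling; the storage account name, URLs and signature values in the sample text are constructed, and the seven-day expiry limit is an assumption.

```python
"""Find and triage Azure Storage SAS URLs in text (for example, files about to be committed)."""
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
READ_ONLY = {"r", "l"}          # read and list; anything else can change or remove data
SAS_TIME_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")


def _parse_sas_time(value: str) -> datetime:
    for fmt in SAS_TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS time: {value}")


def analyze_sas(url: str, now: datetime, max_days: int = 7):
    """Return a triage record for a SAS URL, or None when `url` is not a SAS URL."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if "sig" not in q or "sv" not in q or "se" not in q:
        return None
    if "skoid" in q:
        kind = "user delegation SAS"   # signed with an Entra ID key, revocable per identity
    elif "ss" in q:
        kind = "account SAS"           # signed with the storage account key
    else:
        kind = "service SAS"           # signed with the storage account key
    permissions = set(q.get("sp", ""))
    expires_in_days = (_parse_sas_time(q["se"]) - now).days
    findings = []
    if kind != "user delegation SAS":
        findings.append("signed with a storage account key: revoking it means rotating the account key")
    if expires_in_days > max_days:
        findings.append(f"expires in {expires_in_days} days (limit {max_days})")
    if permissions - READ_ONLY:
        findings.append("grants write/delete permissions: " + "".join(sorted(permissions - READ_ONLY)))
    if kind == "account SAS" and "c" in q.get("srt", "") and len(q.get("ss", "")) > 1:
        findings.append("scoped to whole services across the account, not to one container or object")
    return {"kind": kind, "expires_in_days": expires_in_days,
            "permissions": "".join(sorted(permissions)), "findings": findings}


def scan_text(text: str, now: datetime, max_days: int = 7):
    """Return [(url, record)] for every SAS URL in `text` that has at least one finding."""
    results = []
    for url in URL_RE.findall(text):
        record = analyze_sas(url, now, max_days)
        if record and record["findings"]:
            results.append((url, record))
    return results


# Constructed sample input: an account SAS with full permissions and a far-off expiry,
# a short-lived read-only user delegation SAS, and an ordinary link.
NOW = datetime(2023, 9, 18, 12, 0, tzinfo=timezone.utc)
LEAKED_ACCOUNT_SAS = ("https://examplestorage.blob.core.windows.net/?sv=2020-08-04&ss=bfqt&srt=sco"
                      "&sp=rwdlacupx&se=2051-10-05T00:00:00Z&st=2021-10-05T00:00:00Z&spr=https"
                      "&sig=CONSTRUCTED_SIGNATURE")
SHORT_LIVED_SAS = ("https://examplestorage.blob.core.windows.net/reports/q3.pdf?sv=2020-08-04&sr=b&sp=r"
                   "&se=2023-09-18T13:00:00Z&skoid=00000000-0000-0000-0000-000000000000"
                   "&sktid=00000000-0000-0000-0000-000000000000&skt=2023-09-18T12:00:00Z"
                   "&ske=2023-09-18T13:00:00Z&sks=b&skv=2020-08-04&sig=CONSTRUCTED_SIGNATURE")
SAMPLE_README = f"""
Download the training data here: {LEAKED_ACCOUNT_SAS}
Quarterly report (link valid for one hour): {SHORT_LIVED_SAS}
Docs: https://docs.example.com/storage
"""

if __name__ == "__main__":
    for url, record in scan_text(SAMPLE_README, NOW):
        print(record["kind"], "expires in", record["expires_in_days"], "days")
        for finding in record["findings"]:
            print("  -", finding)
```

The classification matters for response: a user delegation SAS (`skoid` present) can be cut off by revoking the delegation key for that identity, while an account or service SAS stays valid until the storage account key it was signed with is rotated.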
Microsoft’s summary of the incident:
BlackCat ransomware hits Azure Storage with Sphynx encryptor
The BlackCat (ALPHV) ransomware gang now uses stolen Microsoft accounts and the recently spotted Sphynx encryptor to encrypt targets’ Azure cloud storage. — September 2023
Microsoft Catches Russian Government Hackers Phishing with Teams Chat App
Using these domains from compromised tenants, the researchers found the hackers using Microsoft Teams messages to send lures that attempt to steal credentials from a targeted organization by engaging a user and eliciting approval of multi-factor authentication (MFA) prompts. — August 2, 2023
Attackers break into Microsoft mail system
Tech giant Microsoft disclosed on Tuesday evening that it discovered a group of Chinese hackers had broken into some of its customers’ email systems to gather intelligence. — July 12, 2023
Microsoft on Friday said a validation error in its source code allowed for Azure Active Directory (Azure AD) tokens to be forged by a malicious actor known as Storm-0558 using a Microsoft account (MSA) consumer signing key to breach two dozen organizations. — July 15, 2023
Our investigation found that a consumer signing system crash in April of 2021 resulted in a snapshot of the crashed process (“crash dump”). The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump (this issue has been corrected). The key material’s presence in the crash dump was not detected by our systems (this issue has been corrected)
Why a consumer key was able to access enterprise mail
To meet growing customer demand to support both consumer and enterprise applications, Microsoft introduced a common key metadata publishing endpoint in September 2018. As part of this converged offering, Microsoft updated documentation to clarify the requirements for key scope validation — which key to use for enterprise accounts, and which to use for consumer accounts.
As part of a pre-existing library of documentation and helper APIs, Microsoft provided an API to help validate the signatures cryptographically but did not update these libraries to perform this scope validation automatically (this issue has been corrected).
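The gap Microsoft describes is that the helper library checked the signature against the converged key set but did not check that the key was in scope for the token's issuer. The example below, added for this post and not Microsoft's code or library, shows the two validators side by side for a toy token format: issuers, key ids and keys are constructed, and HMAC stands in for the asymmetric signing keys a real identity provider publishes so that the example runs with the standard library alone.

```python
"""Signature-only validation versus key-scope validation for tokens from two issuers."""
import base64
import hashlib
import hmac
import json
import time

# Constructed issuers and keys (HMAC used in place of asymmetric keys for a runnable example).
CONSUMER_ISSUER = "https://consumer.login.example"               # stands in for the consumer (MSA) issuer
ENTERPRISE_ISSUER = "https://enterprise.login.example/tenant-a"  # stands in for an enterprise tenant
CONSUMER_KEYS = {"msa-kid-1": b"constructed-consumer-signing-key"}
ENTERPRISE_KEYS = {"aad-kid-1": b"constructed-enterprise-signing-key"}
# A single converged metadata endpoint publishes both key sets together.
CONVERGED_KEYS = {**CONSUMER_KEYS, **ENTERPRISE_KEYS}
# Key scope: which keys may sign tokens for which issuer.
KEYS_FOR_ISSUER = {CONSUMER_ISSUER: CONSUMER_KEYS, ENTERPRISE_ISSUER: ENTERPRISE_KEYS}
MAIL_AUDIENCE = "api://mail.example"


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, kid: str, key: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64u(json.dumps(header).encode()) + "." + _b64u(json.dumps(claims).encode())
    tag = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64u(tag)


def _split(token: str):
    head, body, tag = token.split(".")
    return json.loads(_b64u_decode(head)), json.loads(_b64u_decode(body)), head + "." + body, _b64u_decode(tag)


def _signature_ok(key: bytes, signing_input: str, tag: bytes) -> bool:
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def _claims_ok(claims: dict, audience: str) -> bool:
    return claims.get("aud") == audience and claims.get("exp", 0) > time.time()


def validate_signature_only(token: str, audience: str) -> bool:
    """The flawed pattern: any key in the converged set is accepted for any issuer."""
    header, claims, signing_input, tag = _split(token)
    key = CONVERGED_KEYS.get(header.get("kid"))
    return key is not None and _signature_ok(key, signing_input, tag) and _claims_ok(claims, audience)


def validate_with_key_scope(token: str, audience: str, expected_issuer: str) -> bool:
    """Hardened: the issuer is pinned and the key id must belong to that issuer's key set."""
    header, claims, signing_input, tag = _split(token)
    if claims.get("iss") != expected_issuer:
        return False
    key = KEYS_FOR_ISSUER[expected_issuer].get(header.get("kid"))
    return key is not None and _signature_ok(key, signing_input, tag) and _claims_ok(claims, audience)


def enterprise_claims(subject: str) -> dict:
    return {"iss": ENTERPRISE_ISSUER, "aud": MAIL_AUDIENCE, "sub": subject, "exp": int(time.time()) + 3600}


def legitimate_enterprise_token() -> str:
    return sign_token(enterprise_claims("user@tenant-a.example"), "aad-kid-1", ENTERPRISE_KEYS["aad-kid-1"])


def consumer_key_token_claiming_enterprise_issuer() -> str:
    """Enterprise claims under the consumer key: the case the mail service must refuse."""
    return sign_token(enterprise_claims("user@tenant-a.example"), "msa-kid-1", CONSUMER_KEYS["msa-kid-1"])


if __name__ == "__main__":
    token = consumer_key_token_claiming_enterprise_issuer()
    print("signature-only:", validate_signature_only(token, MAIL_AUDIENCE))
    print("key-scope:     ", validate_with_key_scope(token, MAIL_AUDIENCE, ENTERPRISE_ISSUER))
```

The point to carry over to any relying party: a valid signature proves that some trusted key signed the token, not that the right key did. Pin the issuer you expect, resolve keys per issuer, and check audience and expiry every time.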
“…the threat actor might have been in possession of the signing key for over two years prior to being discovered in June 2023.”
Microsoft noted in July 2023 that “this threat actor has displayed an interest in OAuth applications, token theft, and token replay against Microsoft accounts since at least August 2021,” suggesting that the activity may have been underway for nearly two years.
Cloud security firm Wiz subsequently revealed in July that the compromised Microsoft consumer signing key could have enabled widespread access to other cloud services. Microsoft, however, said it found no additional evidence of unauthorized access to applications outside of email inboxes.
The staffer, who attended a briefing by State Department IT officials, said the officials told lawmakers that 60,000 emails were stolen from 10 State Department accounts. Nine of those victims were working on East Asia and the Pacific and one worked on Europe, according to the briefing details shared via email by the staffer, who declined to be named.
SQL injection vulnerability in MOVEit Transfer leads to data breaches worldwide
The attack starts with SQL injection that allows access to an organization’s MOVEit database. While this in itself would be sufficient to extract some data, the main danger comes from a customized LEMURLOOT web shell that is associated with the file human2.aspx, named to mimic one of the legitimate MOVEit files. Once installed, this establishes a back door that allows attackers to access the underlying Azure Storage account, browse available information, and move out data in large amounts. — June 21, 2023
Microsoft Azure VMs Hijacked in Cloud Cyberattack
A threat actor known for targeting Microsoft cloud environments now is employing the serial console feature on Azure virtual machines (VMs) to hijack the VM to install third-party remote management software within clients’ cloud environments. — May 18, 2023
Proskauer Data Breach Underscores Hazards of Transitioning to the Cloud
The New York-based law firm said in a statement Tuesday that a third-party vendor who was contracted to set up the cloud site on Microsoft Azure “misconfigured” the site’s security, which left the client data on the site vulnerable to an unauthorized actor and anyone else with access to the internet. — April 12, 2023
Orca Security demonstrates how to escalate privileges using Azure Storage Account keys
From listKeys to Glory: How We Achieved a Subscription Privilege Escalation and RCE by Abusing Azure Storage Account Keys. — April 11, 2023
By default, Azure generates two 512-bit storage account access keys for any newly created account. Because these keys are like root passwords for that account, anyone in the possession of these keys can abuse shared key authorization to obtain access to a storage account.
Don’t use that method for authorization to access information in a storage account.
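Both the serial console hijacking reported in May and the listKeys escalation described by Orca leave a trace in the Azure Activity Log as control-plane operations, which makes them good candidates for a standing detection. The triage rule below is an added example written for this post, not Orca's, Mandiant's or Microsoft's tooling. The operation names are the ones I know from the Activity Log (confirm them against your own tenant's records); the callers, IP ranges, subscription id and the records themselves are constructed.

```python
"""Triage of Azure Activity Log records for high-impact control-plane operations."""
import ipaddress
import json

# Operations worth a look every time they appear; the allowlists are constructed for this example.
WATCHED_OPERATIONS = {
    "Microsoft.Storage/storageAccounts/listKeys/action": "storage account keys read",
    "Microsoft.Storage/storageAccounts/regenerateKey/action": "storage account key regenerated",
    "Microsoft.SerialConsole/serialPorts/connect/action": "VM serial console session opened",
}
EXPECTED_KEY_READERS = {"deploy-pipeline@example.com"}
CORPORATE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed records in the flattened shape of exported Activity Log entries.
SAMPLE_ACTIVITY_LOG = [
    json.dumps({"eventTimestamp": "2023-05-18T09:00:00Z", "caller": "deploy-pipeline@example.com",
                "operationName": "Microsoft.Storage/storageAccounts/listKeys/action",
                "callerIpAddress": "203.0.113.10", "status": "Succeeded",
                "resourceId": "/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/app-rg/providers/Microsoft.Storage/storageAccounts/appdata"}),
    json.dumps({"eventTimestamp": "2023-05-18T09:12:41Z", "caller": "contractor@example.net",
                "operationName": "Microsoft.Storage/storageAccounts/listKeys/action",
                "callerIpAddress": "198.51.100.20", "status": "Succeeded",
                "resourceId": "/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/app-rg/providers/Microsoft.Storage/storageAccounts/appdata"}),
    json.dumps({"eventTimestamp": "2023-05-18T10:03:05Z", "caller": "ops-admin@example.com",
                "operationName": "Microsoft.SerialConsole/serialPorts/connect/action",
                "callerIpAddress": "203.0.113.44", "status": "Succeeded",
                "resourceId": "/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/app-rg/providers/Microsoft.Compute/virtualMachines/web01"}),
    json.dumps({"eventTimestamp": "2023-05-18T10:05:00Z", "caller": "ops-admin@example.com",
                "operationName": "Microsoft.Compute/virtualMachines/read",
                "callerIpAddress": "203.0.113.44", "status": "Succeeded",
                "resourceId": "/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/app-rg/providers/Microsoft.Compute/virtualMachines/web01"}),
]


def triage_activity_log(lines, expected_key_readers=EXPECTED_KEY_READERS, corporate_networks=CORPORATE_NETWORKS):
    """Return one finding per watched operation that has at least one reason to look at it."""
    findings = []
    for line in lines:
        record = json.loads(line)
        operation = record.get("operationName", "")
        label = WATCHED_OPERATIONS.get(operation)
        if label is None:
            continue
        caller = record.get("caller", "")
        source = ipaddress.ip_address(record["callerIpAddress"])
        reasons = []
        if operation.startswith("Microsoft.Storage/") and caller not in expected_key_readers:
            reasons.append("caller is not an expected reader of storage account keys")
        if not any(source in net for net in corporate_networks):
            reasons.append("source IP outside corporate ranges")
        if operation.startswith("Microsoft.SerialConsole/"):
            reasons.append("serial console access bypasses the VM's network controls")
        if reasons:
            findings.append({"time": record.get("eventTimestamp"), "operation": label,
                             "caller": caller, "source_ip": str(source),
                             "resource": record.get("resourceId"), "status": record.get("status"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_activity_log(SAMPLE_ACTIVITY_LOG):
        print(finding["time"], finding["operation"], "by", finding["caller"], "from", finding["source_ip"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Pairing this with the configuration fix makes the detection cheaper: once shared key authorization is disabled on an account, every successful listKeys call is by definition something a human should see.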
Microsoft: Iranian Gov Hackers Caught in Azure Wiper Attacks
According to Microsoft, DEV-1084 was seen using an IP address and a VPN provider historically associated with MuddyWater, using tools previously used by the APT, and using a domain believed to be controlled by MuddyWater. Microsoft assesses that Mercury gains access to the targets through remote exploitation of an unpatched internet-facing device.
Severe Azure Vulnerability Led to Unauthenticated Remote Code Execution
Tracked as CVE-2023-23383 (CVSS score of 8.2), the bug is described as a cross-site scripting (XSS) issue that could lead to the execution of code on containers hosted on a Service Fabric node. — March 31, 2023
XSS can modify Bing Search
A misconfigured Microsoft application allowed anyone to log in and modify Bing.com search results in real-time, as well as inject XSS attacks to potentially breach the accounts of Office 365 users. — March 30, 2023
Microsoft Azure Warns on Killnet’s Growing DDoS Onslaught Against Healthcare
The pro-Russian hacktivist group KillNet, which launches its campaigns against countries supporting Ukraine, is ramping up its daily distributed denial-of-service (DDoS) attacks against healthcare organizations. — March 17, 2023
Misconfigured email server
The U.S. Department of Defense inadvertently leaked thousands of sensitive military emails via a misconfigured email server on the Microsoft Azure government cloud. The exposed email server leaked three terabytes of U.S. Special Operations Command (USSOCOM) internal emails for two weeks.
Microsoft and the U.S. Department of Defense reportedly had a military email server exposed to the open internet. Part of the issue is a U.S. Special Operations Command server that was not password protected, according to Bloomberg. The public accessibility of the server may have been due to a configuration error. But it was unclear if the blame belonged to a Pentagon or Microsoft employee. — February 22, 2023
Microsoft outage blamed on networking fault
January 2023
https://gbhackers.com/hackers-azure-ad-abandoned-reply/
Outages
Microsoft has been hit by numerous outages in 2023. The easiest way to see this is to search Google for “Azure Outages” and scroll down.

Microsoft 365 Outages

Teams Outages

Comparatively I only found one major outage for AWS in June doing similar searches, though likely there were individual service glitches over time which can be tracked in the AWS health portal. Overall, however, I have faced many more blocking issues on Azure than AWS. Hopefully, Microsoft will get a handle on these issues.
Follow for updates.
Teri Radichel | © 2nd Sight Lab 2023
About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab