Microsoft’s Cloud Misconfiguration Blunder May Have Cost Them 63 GB of Sensitive Data

essidsolutions

Source code and product pitches made to Microsoft in 2016, and stored in an Azure storage blob, were exposed and possibly breached because the security of the cloud environment was misconfigured. Microsoft is yet to own up to the slip-up.

A treasure trove of sensitive internal company data was exposed to the open web, thanks to yet another misconfigured cloud environment. Web privacy and VPN vendor vpnMentor discovered the leaky cloud storage blob in January 2021 as part of its web mapping project, through which it keeps tabs on unsecured data stores that may contain any sort of information.

Going by vpnMentor’s assessment, Microsoft may be the owner of the storage blob in question. Even though the Redmond-based IT giant failed to confirm whether or not the storage blob was in fact theirs, vpnMentor is fairly certain that it is, based on an unnamed journalist’s tip that Microsoft claimed the cloud storage account was a ‘demo’.

vpnMentor’s disclosure to Microsoft came just a day after KPMG denied ownership of the storage blob on January 11. One of the ‘Big Four’, the professional services company was contacted because data belonging to one of its subsidiaries, Adoxio, resided in the unsecure cloud store. Following KPMG’s response, vpnMentor got in touch with Microsoft, but all it got in response were automated replies.

When Microsoft finally did respond, the Windows vendor referenced and acknowledged a flaw in its software rather than the misconfiguration itself. It seems Microsoft refrained from taking ownership of the highly sensitive nature of what could have been a devastating breach, had a black hat reached the unsecure files. But there is no way of knowing that unless the data pops up for sale on a dark web forum.

“In its response, Microsoft failed to acknowledge the data breach or claim responsibility,” stated the vpnMentor research team led by Noam Rotem, who discovered the exposed data. “As a result, we have no way to verify whether the file belongs to Microsoft.”

Here, the term ‘unsecure’ refers to any database, storage, or any cloud or other online environment that is unencrypted and is not password protected. And a storage blob is Microsoft Azure’s object storage solution leveraged by organizations to store sizable chunks of unstructured data.


What Was Exposed?

According to vpnMentor, over 3800 files amounting to a total of 63 GB of data were exposed due to the misconfigured cloud storage. The data dates from January to September 2016, so it is relatively old. However, the content of these files includes highly sensitive organizational data, including the intellectual property (IP) of some big companies.

The exposed data includes outlines of enterprise software products, business pitches, product descriptions, product code, hardcoded passwords, and more. Most of it comes from companies such as computer software vendor Adobe, KPMG-owned Canadian consulting firm Adoxio and others, which may have pitched Microsoft for a role in the development of Microsoft Dynamics.

Launched in November 2016, Microsoft Dynamics as we know it was pieced together from several applications developed independently by multiple companies. Revenue from its product line of enterprise resource planning (ERP), customer relationship management (CRM), and other business tools surged 26% in Microsoft’s FY21 Q3 quarterly results.

Before its launch, Microsoft was possibly pitched by hundreds of companies aiming to be part of the suite of intelligent business and enterprise software products. All these ideas were stored by Microsoft in a cloud storage blob, although it is unclear whether the Azure blob was misconfigured from the beginning or was weakened some time after 2016.

Nevertheless, vpnMentor found that up to 100 such pitches were exposed. Package Deployer, one such idea that was adopted, is also stored in the exposed Azure storage blob. Strategic partner Adobe’s presentation to Microsoft, which was also exposed, is given below:

[Image: Adobe’s presentation to Microsoft. Source: vpnMentor]

Presentations usually accompany demos of the product being pitched. That is why the source code of at least 10-15 different software products was part of the storage blob. “An exposed source code makes it much easier for hackers to find vulnerabilities in a product or database and gain access to highly sensitive areas which data security protocols would typically protect,” explained vpnMentor.

This means that if a threat actor gets hold of the source code of an application still in use, that internet-facing application is at risk of being compromised with relative ease. Possible scenarios include data theft and remote takeover of the app through vulnerabilities discovered in the source code.

It also raises the possibility of threat actors introducing malware, a trojan, or a virus of any kind, which, if the application is part of a larger organizational network, could compromise that network as well.

The at-risk Microsoft Azure Storage Blob was secured in February, more than a month after the disclosure by vpnMentor.

Cloud Misconfigurations

Cloud was already a booming industry even before the outbreak of the novel coronavirus in December 2019. Its adoption has since skyrocketed, with an increasing number of enterprises and small and medium-sized businesses taking a second look at their strategy going forward. Gartner estimated that global public cloud spending will surge to $304.9 billion in 2021, up 18.4% from $257.5 billion in 2020.

CloudCheckr’s recently released Cloud Infrastructure Report also highlights that nearly two thirds (64%) of companies expect to become fully cloud-native by migrating business operations to the public cloud within five years. Tim McKinnon, CEO at CloudCheckr, said, “Now is the time for IT organizations to define the right strategies to utilize the full potential of the cloud and for cloud service providers to enhance their capabilities to lead their customers through cloud transformations.”

He goes on to assert, however, that “Migrating to the cloud is only the first step. It’s up to organizations to adopt the right technology and form teams — be it internally or externally — to develop and manage cloud strategy, governance, and best practices.” This includes security of the cloud environment.

Alas, security remains neglected: nearly one in four cloud violations were found to be a direct result of poor cloud configurations, according to an Accurics report. Misconfigurations in the cloud resulted in the exposure of a whopping 33.4 billion data records in 2018 and 2019, DivvyCloud by Rapid7 found, costing organizations approximately $5 trillion.

Some of the companies that accidentally exposed cloud data through a misconfigured cloud environment are:

  • Pharma company Pfizer: A misconfigured cloud storage bucket exposed personally identifiable information (PII) data, including call and chat transcripts of hundreds of patients.
  • Dating site MeetMindful: ShinyHunters leaked data of 2.28 million users of MeetMindful, possibly obtained through misconfigured storage buckets. Data included names, email addresses, location (city, state, and ZIP code details), body details, dating preferences, marital status, birth dates, latitude and longitude, IP addresses, and bcrypt-hashed account passwords (passwords hashed with bcrypt, which makes them resistant to cracking).

Jon Helmus, former manager of Pentest Community at Cobalt, wrote for Toolbox on how misconfigured S3 buckets on Amazon are increasing day by day. “From the U.S. Department of Defense to Big Tech and beyond, so many organizations fall victim to misconfigured S3 buckets, which can cause a ripple effect of disastrous issues, like putting your organization’s and your customers’ sensitive data at risk,” Helmus said. “Misconfigurations are on the rise in the cloud market, and businesses must be first and foremost aware of the root causes of S3 breaches and vulnerabilities, lest they face the same fate.”

S3, or Simple Storage Service, is Amazon’s equivalent of Microsoft Azure Blob Storage and Google Cloud Storage.


How to Prevent Misconfigured Clouds?

First off, the responsibility for securing cloud environments lies with the customer. Why? Because it is a managed service. To put things into perspective, four of the biggest cloud service providers, viz. AWS, Microsoft Azure, Google Cloud, and Alibaba Cloud, have had two security breaches in their services over the past five years combined.

At the same time, those who leveraged cloud services from any of the four providers faced more security risks. The reason is simple: the security of a managed service also needs to be managed by the one availing the service.

It should be noted, however, that this particular discovery by vpnMentor of the misconfigured Azure storage blob is clearly a case of negligence on the part of Microsoft, which is both the provider and the user of the service.

Accurics suggests that security as a default approach to cloud is key to maintaining a threat-free internet-facing environment. The company also recommends the following:

  • Improve communication between Dev, Sec, and Ops teams.
  • Prioritize audits of the runtime environment for lax policies around resource accessibility.
  • Maintain good data hygiene between production and pre-production environments.
  • Leverage Infrastructure as Code (IaC) for improved repeatability, consistency, and speed of provisioning processes.
  • Integrate Policy as Code tools within the development process to automate enforcement of security policy in development pipelines.
  • Use Drift as Code (DaC) capabilities to help ensure IaC stays synchronized with the runtime configuration.
  • Adopt Remediation as Code (RaC), complete with developer-supervised review and approval, to reduce the MTTR.
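As an added example, not from the article, Accurics, vpnMentor, or Microsoft, the following Python check implements the Policy as Code idea from the list above for exactly this class of misconfiguration: it scans a Terraform JSON document for the azurerm storage settings that make a blob container anonymously readable, and shows the weak configuration beside the corrected one. The argument names `allow_nested_items_to_be_public` and `container_access_type` are real azurerm provider arguments; the resource names and values in the sample are constructed.

```python
import json
import re

# Terraform references such as "${azurerm_storage_account.pitches.name}"
ACCOUNT_REF = re.compile(r"\$\{azurerm_storage_account\.([A-Za-z0-9_-]+)\.name\}")

def find_public_exposure(tf_json):
    """Return (resource_address, finding) pairs for anonymously readable blobs."""
    res = tf_json.get("resource", {})
    accounts = res.get("azurerm_storage_account", {})
    findings, open_accounts = [], set()
    # Account level: azurerm defaults this to true, so a missing key is a finding too.
    for name, cfg in accounts.items():
        if cfg.get("allow_nested_items_to_be_public", True):
            open_accounts.add(name)
            findings.append((f"azurerm_storage_account.{name}", "public blob access is not disabled"))
    # Container level: "blob" or "container" serves data without any credentials.
    for name, cfg in res.get("azurerm_storage_container", {}).items():
        access = cfg.get("container_access_type", "private")
        if access == "private":
            continue
        ref = ACCOUNT_REF.search(cfg.get("storage_account_name", ""))
        acct = ref.group(1) if ref else None
        if acct in accounts and acct not in open_accounts:
            note = f"access type '{access}' is overridden by the account-level setting"
        else:
            note = f"access type '{access}' exposes blobs anonymously"
        findings.append((f"azurerm_storage_container.{name}", note))
    return findings

# Constructed sample (hypothetical names): the weak shape, an account that allows
# public nested items plus a container whose access type is "container".
WEAK_TF = json.loads("""{"resource": {
  "azurerm_storage_account": {"pitches": {
    "name": "pitchdemo", "resource_group_name": "rg-demo", "location": "westus",
    "account_tier": "Standard", "account_replication_type": "LRS",
    "allow_nested_items_to_be_public": true}},
  "azurerm_storage_container": {"demo": {
    "name": "demo", "storage_account_name": "${azurerm_storage_account.pitches.name}",
    "container_access_type": "container"}}}}""")

# Corrected shape: public access off at the account, container private.
HARDENED_TF = json.loads(json.dumps(WEAK_TF))
HARDENED_TF["resource"]["azurerm_storage_account"]["pitches"]["allow_nested_items_to_be_public"] = False
HARDENED_TF["resource"]["azurerm_storage_container"]["demo"]["container_access_type"] = "private"

if __name__ == "__main__":
    for label, doc in (("weak", WEAK_TF), ("hardened", HARDENED_TF)):
        print(label, find_public_exposure(doc) or "no findings")
```

Running the check in a pipeline against `terraform show -json` style output or `.tf.json` files fails the build on the weak shape and passes the hardened one.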

Closing Thoughts

Amid the rush to the cloud by organizations, security is either overlooked or IT decision-makers are not fully aware of the security implications. Either way, securing clouds needs to be a holistic team effort involving all entities in each individual cloud implementation, and it can never be a one-off event but a constantly evolving process.
