08.27.21

Customer Advisory for Awareness | Azure Cosmos DB Flaw Could Allow for Complete Database Compromise

By Deepwatch

Key Points:

  • A cloud infrastructure security company (Wiz) discovered a significant flaw in Microsoft’s Azure Cosmos DB.
  • Fortune 500 companies use Cosmos DB to manage massive amounts of data, which may include sensitive company data.
  • The exposure began in February 2021, when the vulnerable feature was enabled for all Cosmos DB accounts; the flaw is trivial to exploit and requires no other credentials.
  • To mitigate this flaw, customers must manually rotate their access keys.

Summary

In a recent blog post, which was picked up by numerous news outlets including MSSP Alert, Reuters, The Register, and Bloomberg, Wiz, a cloud infrastructure security company, reported that its security research team was able to gain “complete unrestricted access to the accounts and databases of several thousand Microsoft Azure Cosmos database customers, including many Fortune 500 companies.”

Wiz was able to do this because Cosmos DB had a series of flaws in its Jupyter Notebook feature, which Microsoft automatically turned on for all Cosmos DB accounts in February 2021. As Wiz’s blog post explains, “A series of misconfigurations in the notebook feature opened up a new attack vector that allowed for a privilege escalation into other customer notebooks. As a result, an attacker could gain access to customers’ Cosmos DB primary keys and other highly sensitive secrets such as the notebook blob storage access token.”

Once Wiz exfiltrated the keys, they gained long-term access to the customer assets and data with full read/write/delete permissions directly from the internet. 

Microsoft quickly responded after Wiz disclosed the flaws by directly notifying over 30% of Cosmos DB customers and disabling the vulnerable notebook feature. But Wiz warns that “customers may still be impacted since their primary access keys were potentially exposed.”

Deepwatch Threat Intelligence Outlook

In the email that Microsoft sent to Cosmos DB customers, they state, “We have no indication that external entities outside the researcher (Wiz) had access to the primary read-write key.” Still, Wiz believes that “every Cosmos DB account that uses the notebook feature or that was created after February 2021 is potentially exposed.” This matters because threat actors, like ShinyHunters, are constantly looking for flaws and vulnerabilities that let them exfiltrate sensitive databases, either for extortion or for sale on underground criminal forums.
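Because a primary key grants full data-plane access without any other credential, the practical question for a defender is whether the key was used from anywhere unexpected since the exposure window opened. The triage helper below is an added example (not Deepwatch’s or Microsoft’s code) that scans request records for key-authenticated calls from outside an allowlist of trusted networks, starting from February 2021. The record layout and the sample records are constructed for illustration; map the field names (`time`, `auth`, `client_ip`, `operation`) to whatever your diagnostic-log export actually uses.

```python
"""Triage: was a Cosmos DB account key used from an untrusted network?

Hypothetical helper, not Deepwatch's or Microsoft's code.  The record schema
below is a constructed simplification of a data-plane request log; adapt the
field names to your own diagnostic-log export before using it for real.
"""
import ipaddress
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, Iterable, List

# The advisory states the vulnerable feature was enabled for all accounts in
# February 2021, so anything before that is outside the exposure window.
EXPOSURE_START = datetime(2021, 2, 1, tzinfo=timezone.utc)

# Constructed sample records (NOT real log data).
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"time": "2021-01-15T08:00:00Z", "auth": "key", "client_ip": "203.0.113.9",
     "operation": "Read"},      # before the exposure window: ignored
    {"time": "2021-03-02T10:12:00Z", "auth": "key", "client_ip": "10.20.0.5",
     "operation": "Read"},      # trusted corporate range: ignored
    {"time": "2021-03-02T10:13:00Z", "auth": "aad", "client_ip": "203.0.113.9",
     "operation": "Read"},      # AAD/resource token, not the exposed key: ignored
    {"time": "2021-03-03T23:41:00Z", "auth": "key", "client_ip": "203.0.113.9",
     "operation": "Query"},     # key from an untrusted address: finding
    {"time": "2021-03-03T23:42:00Z", "auth": "key", "client_ip": "203.0.113.9",
     "operation": "Delete"},    # key from an untrusted address: finding
]


def _parse_time(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; a trailing 'Z' is treated as UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_key_usage(records: Iterable[Dict[str, str]],
                    trusted_networks: Iterable[str]) -> List[Dict[str, str]]:
    """Return every key-authenticated request made from outside the trusted
    networks on or after EXPOSURE_START."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
    findings: List[Dict[str, str]] = []
    for rec in records:
        if _parse_time(rec["time"]) < EXPOSURE_START:
            continue
        if rec["auth"] != "key":          # only the account key was exposed
            continue
        ip = ipaddress.ip_address(rec["client_ip"])
        if any(ip in net for net in nets):
            continue
        findings.append(dict(rec))
    return findings


def summarize_by_source(findings: Iterable[Dict[str, str]]) -> Dict[str, Counter]:
    """Group findings by client IP and count operations, so a reviewer can see
    at a glance whether an unknown source performed writes or deletes."""
    summary: Dict[str, Counter] = {}
    for f in findings:
        summary.setdefault(f["client_ip"], Counter())[f["operation"]] += 1
    return summary


if __name__ == "__main__":
    hits = audit_key_usage(SAMPLE_RECORDS, ["10.20.0.0/16"])
    for ip, ops in summarize_by_source(hits).items():
        print(f"{ip}: {dict(ops)}")
```

A non-empty result is a reason to treat the key as compromised and rotate it immediately; an empty result is not proof of safety, since the logs only cover the retention period you actually have.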

Deepwatch urges every Cosmos DB customer to protect their information by manually rotating their access keys, following Microsoft’s guidance, to mitigate this exposure.
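Rotating the keys in the wrong order causes an outage: regenerating the key your applications are using disconnects every client until it is reconfigured. The script below is an added example (not Deepwatch’s or Microsoft’s code) that builds the rotation as an ordered plan using the Azure CLI (`az cosmosdb keys regenerate` and `az cosmosdb keys list`): regenerate the idle key, move clients onto it, then regenerate the formerly in-use key, and repeat for the read-only pair. It assumes `az` is installed and logged in, that clients currently use the primary key (the usual default), and that the account and resource group names in the usage block are placeholders. It runs in dry-run mode by default and only executes commands when you pass `dry_run=False`.

```python
"""Plan and optionally execute a zero-downtime Cosmos DB key rotation.

Hypothetical helper, not Deepwatch's or Microsoft's code.  Assumes the Azure
CLI (`az`) is installed and authenticated, and that applications currently
authenticate with the PRIMARY key.
"""
import subprocess
from typing import Dict, List

# Values accepted by `az cosmosdb keys regenerate --key-kind`.
KEY_KINDS = ("primary", "secondary", "primaryReadonly", "secondaryReadonly")


def regenerate_cmd(account: str, resource_group: str, key_kind: str) -> List[str]:
    """CLI invocation that regenerates one key of the account."""
    if key_kind not in KEY_KINDS:
        raise ValueError(f"unknown key kind {key_kind!r}; expected one of {KEY_KINDS}")
    return ["az", "cosmosdb", "keys", "regenerate",
            "--name", account, "--resource-group", resource_group,
            "--key-kind", key_kind]


def list_keys_cmd(account: str, resource_group: str, read_only: bool = False) -> List[str]:
    """CLI invocation that shows the current key values (for reconfiguring clients)."""
    return ["az", "cosmosdb", "keys", "list",
            "--name", account, "--resource-group", resource_group,
            "--type", "read-only-keys" if read_only else "keys"]


def rotation_plan(account: str, resource_group: str,
                  include_readonly: bool = True) -> List[Dict[str, object]]:
    """Ordered steps that replace every key without breaking clients.

    For each read-write / read-only pair: regenerate the key that clients are
    NOT using, move clients onto it, then regenerate the key they were using.
    After the plan completes, both keys of each pair are fresh.
    """
    pairs = [("secondary", "primary", False)]
    if include_readonly:
        pairs.append(("secondaryReadonly", "primaryReadonly", True))
    steps: List[Dict[str, object]] = []
    for idle_kind, in_use_kind, read_only in pairs:
        steps.append({"action": "regenerate", "key_kind": idle_kind,
                      "cmd": regenerate_cmd(account, resource_group, idle_kind)})
        steps.append({"action": "switch_apps", "key_kind": idle_kind,
                      "cmd": list_keys_cmd(account, resource_group, read_only),
                      "note": f"reconfigure all clients to the new {idle_kind} key "
                              f"and confirm traffic succeeds before continuing"})
        steps.append({"action": "regenerate", "key_kind": in_use_kind,
                      "cmd": regenerate_cmd(account, resource_group, in_use_kind)})
    return steps


def run_plan(plan: List[Dict[str, object]], dry_run: bool = True) -> int:
    """Print every step; execute the CLI commands only when dry_run is False.

    Returns the number of steps processed.  Switch steps pause for operator
    confirmation in live mode, because reconfiguring clients is manual.
    """
    for i, step in enumerate(plan, 1):
        print(f"[{i}] {step['action']:<12} {step['key_kind']:<18} {' '.join(step['cmd'])}")
        if step["action"] == "switch_apps":
            print(f"     -> {step['note']}")
        if not dry_run:
            subprocess.run(step["cmd"], check=True)   # type: ignore[arg-type]
            if step["action"] == "switch_apps":
                input("     Press Enter once clients are on the new key...")
    return len(plan)


if __name__ == "__main__":
    # Placeholder names: replace with your own account and resource group.
    plan = rotation_plan("<cosmos-account>", "<resource-group>")
    run_plan(plan, dry_run=True)
```

Treat the old key values as compromised while rotating: do not paste them into tickets or chat, and confirm afterwards with `az cosmosdb keys list` that none of the old values remain valid in any client configuration.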
