The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that Microsoft’s Azure Cosmos DB vulnerability may have exposed customer data, and it “strongly encourages” all of the cloud database customers to roll and regenerate their certificate keys and review Microsoft’s guidance on securing data.
The CISA warning follows a security disclosure by Wiz, a cloud security startup whose founders built the Microsoft Azure security stack. In a blog post late last week, the Wiz threat team said they discovered flaws in Azure Cosmos DB that allowed any user to download, delete, or change sensitive information in several thousand Azure customers’ commercial databases.
While Wiz said Microsoft deserves “enormous credit” for disabling the vulnerable feature within 48 hours after the threat hunters reported it, “customers may still be impacted since their primary access keys were potentially exposed.” The vulnerability dates back months, if not years, and attackers may have already exploited it, Wiz warned.
In a subsequent blog post on Friday, Microsoft said it had fixed the issue. “Our investigation indicates that no customer data was accessed because of this vulnerability by third parties or security researchers,” the Microsoft Security Response Center team wrote. “We’ve notified the customers whose keys may have been affected during the researcher activity to regenerate their keys.”
The cloud database customers include some of the largest companies in the world: Coca-Cola, Safeway, Johnson Controls, ExxonMobil, Skype, and Rolls-Royce, among thousands of others.
This latest security misstep follows several other high-profile breaches including SolarWinds, Microsoft Exchange, and PrintNightmare, in which hackers did gain access to Microsoft’s customer networks and data. These incidents may bleed into Microsoft’s security market share, Forrester analyst Allie Mellen said.
On the company’s earnings call in January, Microsoft CEO Satya Nadella said its security business surpassed $10 billion over the past 12 months. This represents more than 40% year-over-year revenue growth, which means Microsoft’s security business grew faster than most of its other products and services.
“Microsoft has put a lot of effort over the past 10 years into building their security products, getting strong third-party validation, and starting to establish their brand in the security industry,” Mellen wrote in response to questions. “However, security issues with Microsoft products continue to be a thorn in the side of CISOs, which they don’t forget during the buying process. On the one hand, this is one of the challenges that comes with being the largest software company in the world. On the other, it’s tough to keep up a security-first message when you’re having very public vulnerabilities that impact many organizations.”
She urged Microsoft to be transparent during the security flaw discovery and investigation process. “The best thing they can do is communicate early and often with their customers on what happened, what they are doing to fix it in the short term, and how they will prevent it from happening again in the long term,” Mellen wrote. “This is true for any company, but it is especially true for companies that want to lead the security industry.”