Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Microsoft Azure. Show all posts
Vulnerabilities and Exploits
Authentication cloud environment CVE Microsfot Entra ID Microsoft Azure Vulnerabilities and Exploits

Researcher Finds Entra ID Weakness That Could Have Granted Global Admin Access




Two critical weaknesses recently came to light in Microsoft’s Entra ID platform could have given attackers unprecedented control over nearly every Azure cloud customer. The flaws were discovered and reported responsibly, allowing Microsoft to release fixes before attackers were able to exploit them.

Entra ID, previously known as Azure Active Directory, is the identity management system that controls how users log in, what resources they can reach, and who has administrator rights. It is a core service for businesses worldwide, which means any failure in its security could ripple across countless organizations at once.

Dutch security researcher Dirk-jan Mollema, who specializes in cloud identity security, identified the flaws while preparing material for a cybersecurity conference. What he found was alarming: the two vulnerabilities, when combined, created a path for attackers to impersonate users and escalate privileges to the highest level, effectively granting full control of customer environments.

The first weakness involved so-called “Actor Tokens,” a type of authentication token issued by an old Microsoft system known as Access Control Service. These tokens carried unusual privileges that, on their own, posed little risk but became dangerous when chained with a second issue. That second vulnerability was buried in Azure Active Directory Graph, a legacy interface used to access Microsoft 365 data. Unlike its modern replacement, Microsoft Graph, the older system did not properly check which tenant— a customer’s isolated cloud environment was sending a request. By combining the two flaws, attackers could trick the system into accepting tokens from outside tenants, opening the door to total compromise.

With administrator-level access, attackers would have been able to add new privileged accounts, alter security settings, and access sensitive information. Experts warned that such attacks could bypass common safeguards like multifactor authentication and leave minimal traces in activity logs, making them particularly dangerous.

Mollema disclosed his findings to Microsoft on July 14. The company began work the same day, deployed a fix globally within days, and later introduced additional protections. A vulnerability identifier (CVE) was issued in September, and Microsoft confirmed that no evidence of exploitation was found during its investigation.

Security researchers have compared the potential fallout to past incidents where authentication weaknesses enabled large-scale breaches. While the flaws in Entra ID never reached that point, the discovery illustrates how overlooked legacy systems can undermine modern security frameworks.

Microsoft has since retired the affected components and emphasized its commitment to phasing out outdated protocols. For organizations using Entra ID, the incident highlights the need to remain alert to vendor advisories, apply updates quickly, and watch for unusual activity in administrative accounts.

The vulnerabilities may now be closed, but they reveal how hidden dependencies in cloud infrastructure can become high-risk targets. As cloud identity systems continue to expand, the security community will likely scrutinize them even more closely for weaknesses of this scale.


Read more »
Ransom Demands
Azure Cloud Cloud Attacks Cloud Security Cyber Security Data Theft Microsoft Microsoft Azure Ransom Demands

Microsoft Warns Storm-0501 Shifts to Cloud-Based Encryption, Data Theft, and Extortion

 

Microsoft has issued a warning about Storm-0501, a threat actor that has significantly evolved its tactics, moving away from traditional ransomware encryption on devices to targeting cloud environments for data theft, extortion, and cloud-based encryption. Instead of relying on conventional ransomware payloads, the group now abuses native cloud features to exfiltrate information, delete backups, and cripple storage systems, applying pressure on victims to pay without deploying malware in the traditional sense. 

Storm-0501 has been active since at least 2021, when it first used the Sabbath ransomware in attacks on organizations across multiple industries. Over time, it adopted ransomware-as-a-service (RaaS) tools, deploying encryptors from groups such as Hive, BlackCat (ALPHV), Hunters International, LockBit, and most recently, Embargo ransomware. In September 2024, Microsoft revealed that the group was expanding into hybrid cloud environments, compromising Active Directory and pivoting into Entra ID tenants. During those intrusions, attackers established persistence with malicious federated domains or encrypted on-premises devices with ransomware like Embargo. 

In its latest report, Microsoft highlights that Storm-0501 is now conducting attacks entirely in the cloud. Unlike conventional ransomware campaigns that spread malware across endpoints and then negotiate for decryption, the new approach leverages cloud-native tools to quickly exfiltrate large volumes of data, wipe storage backups, and encrypt files within the cloud itself. This strategy both accelerates the attack and reduces reliance on detectable malware deployment, making it more difficult for defenders to identify the threat in time. 

Recent cases show the group compromising multiple Active Directory domains and Entra tenants by exploiting weaknesses in Microsoft Defender configurations. Using stolen Directory Synchronization Accounts, Storm-0501 enumerated roles, users, and Azure resources with reconnaissance tools such as AzureHound. The attackers then identified a Global Administrator account without multifactor authentication, reset its password, and seized administrative control. With these elevated privileges, they maintained persistence by adding their own federated domains, which allowed them to impersonate users and bypass MFA entirely. 

From there, the attackers escalated further inside Azure by abusing the Microsoft.Authorization/elevateAccess/action capability, granting themselves Owner-level roles and taking complete control of the target’s cloud infrastructure. Once entrenched, they began disabling defenses and siphoning sensitive data from Azure Storage accounts. In many cases, they attempted to delete snapshots, restore points, Recovery Services vaults, and even entire storage accounts to prevent recovery. When these deletions failed, they created new Key Vaults and customer-managed keys to encrypt the data, effectively locking companies out unless a ransom was paid. 

The final stage of the attack involved contacting victims directly through Microsoft Teams accounts that had already been compromised, delivering ransom notes and threats. Microsoft warns that this shift illustrates how ransomware operations may increasingly migrate away from on-premises encryption as defenses improve, moving instead toward cloud-native extortion techniques. The report also includes guidance for detection, including Microsoft Defender XDR hunting queries, to help organizations identify the tactics used by Storm-0501.
Read more »
multicloud environment
Aviatrix cloud service providers Cyber Security Flexera Google Cloud Platform Microsoft Azure multicloud environment

Businesses Rely on Multicloud Security to Protect Cloud Workloads


On Thursday, cloud networking company Aviatrix unveiled its new Distribution Cloud Firewall security platform, which integrates traffic inspection and policy enforcement across multicloud environment.

According to Rod Stuhlmuller, VP of solutions marketing at Aviatrix, the company utilizes native cloud platform features and its own technology to give businesses a centralized look into the security of their cloud workloads and the flexibility to send out the same guidelines to different clouds.

"The architecture is really what's new, not necessarily the capabilities of each of the features[…]It's very different than having to reroute traffic to some centralized inspection point for whatever security capabilities you're talking about — that just becomes very complex and expensive to do," he said.

According to a survey by Flexera, “Flexera 2023 State of the Cloud Report,” a vast majority of companies (87%) have switched to a multicloud architecture, with the majority (72%) adopting a hybrid strategy that integrates both private cloud infrastructure and public cloud services. According to Flexera, managing multicloud architectures and securing cloud infrastructure are among the top concerns for businesses, with 80% and 78% of them grappling, respectively.

Security may suffer if businesses distribute workloads among numerous cloud service providers (CSPs). According to Patrick Coughlin, vice president of technical go-to-market for Splunk, a data and insights cloud platform, companies may rapidly lose visibility into the security of their cloud infrastructure because CSPs handle security policies, traffic inspection, and workload deployment differently.

The Multicloud Security Mess

Initially, many providers built virtual versions of their firewall appliances and used them as entry points to cloud infrastructure, but John Grady, principal analyst for cybersecurity at Enterprise Strategy Group, says that managing those virtual firewalls has gotten harder, especially when using multiple cloud platforms.

"Virtual firewall instances have been around for a while, but there's been an acknowledgement over the last couple of years that these deployments can be complex and cumbersome and don't take advantage of the key benefits the cloud offers[…] we've seen a general shift toward more cloud-native network security solutions," says Stuhlmuller.

Finding a solution to the expanding complexity is essential as more enterprises use numerous infrastructure-as-a-service (IaaS) solutions from the leading cloud providers, Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).

By employing their native security groups, Aviatrix, for instance, enables businesses to develop an abstracted policy that can be applied across all cloud platforms without the administrator having to visit each one. The number of containers and virtual machines that need to be upgraded for businesses with expanding workloads, driven by microservice-based software architecture, can soar, according to Stuhlmuller.

"It's not that we're putting firewalls everywhere, but we're putting the inspection and enforcement capability into the network into the natural path of traffic, with a [single management console] that allows us to do central creation of policy but push that distributed inspection enforcement out everywhere in the network," he says.

Forrester Research lists Palo Alto Networks, Trellix, Trend Micro, Rapid7, and Check Point Software Technologies as additional significant vendors that concentrate on cloud workload security, but with various approaches to the technologies.  

Read more »
User Privacy
Data Breach Email Fraud IP Address Microsoft Azure Server TechCrunch Unauthorized access US Government User Privacy

 Crucial US military Emails was Publicly Available

A US Department of Defense exposed a server that was leaking private internal military emails online Security researcher Anurag Sen discovered the unprotected server, which was "hosted on Microsoft's Azure federal cloud for Department of Defense customers," according to a TechCrunch report.

The vulnerable server was housed on Microsoft's Azure federal cloud, which is available to Department of Defense clients. Azure uses servers that are physically isolated from other commercial customers so they can be utilized to share private but sensitive government information. The exposed server was a component of an internal mailbox system that included around three terabytes of internal military emails, a lot of them regarding the USSOCOM, the US military organization responsible for carrying out special military operations.

Nevertheless, due to a misconfiguration, the server was left without a password, making it possible for anyone with access to the internet to access the server's IP address and view the server's important mailbox data.

The server was filled with old internal military emails, a few of which contained private information about soldiers. A completed SF-86 questionnaire, which is filled out by government employees seeking a security clearance and contains extremely sensitive personal and health information for screening people prior to being cleared to handle classified information, was included in one of the disclosed files.

As classified networks are unreachable from the internet, TechCrunch's scant data did not appear to be any of it, which would be consistent with USSOCOM's civilian network. In addition to details regarding the applicant's employment history and prior living arrangements, the 136-page SF-86 form frequently includes details about family members, contacts abroad, and psychiatric data.

A government cloud email server which was accessible through the web without a password was made public and the US government was notified about it. Using just a web browser, anyone could access the private email data there.






Read more »
Zero Trust
API Keys Firewall IoT devices Microsoft Azure Privacy Threat actors VPN Zero Trust

A Zero-Trust Future Encourage Next-Generation Firewalls

The future of Zero Trust security relies greatly on next-generation firewalls (NGFWs). NGFWs are classified by Gartner Research as "deep packet inspection firewalls that incorporate software inspection, intrusion prevention, and the injection of intelligence from outside the firewall  in addition to protocol inspection and blocking."  As per Gartner, an NGFW should not be mistaken for a standalone network intrusion prevention system (IPS) that combines a regular firewall and an uncoordinated IPS in the same device.

Significance of Next-Generation Firewalls

1. Substantial expense in ML and AI

As part of zero-trust security management goals, NGFW providers are boosting their assets in ML and AI to distinguish themselves from competitors or provide higher value. Analytical tools, user and device behavior analysis, automated threat detection and response, and development are all focused on identifying possible security issues before they happen. NGFWs can continuously learn and react to the shifting threat landscape by utilizing AI and ML, resulting in a more effective Zero Trust approach to defending against cyberattacks.

2. Contribution of a Zero Trust 

By removing implicit trust and regularly confirming each level of a digital transaction, the zero trust approach to cybersecurity safeguards a business. Strong authentication techniques, network segmentation, limiting lateral movement, offering Layer 7 threat prevention, and easing granular, least access restrictions are all used to defend modern settings and facilitate digital transformation. 

Due to a lack of nuanced security measures, this implicit trust means that once on the network, users, including threat actors and malevolent insiders, are free to travel laterally and access or exfiltrate sensitive data. A Zero Trust strategy is now more important than ever as digitalization accelerates in the shape of a rising hybrid workforce, ongoing cloud migration, and the change of security operations. 

3. Threat monitoring to enforce least privilege access

Device software for NGFWs, such as Patch management tasks can be handled by IT teams less frequently because updates are distributed in milliseconds and are transparent to administrators.

NGFWs that interface with Zero Trust environments has automated firmware patch updates, IPS, application control, automated malware analysis, IPsec tunneling, TLS decryption, IoT security, and network traffic management (SD-WAN) patch updates.  

NGFWs used by Microsoft Azure supply Zero Trust

By enabling businesses to impose stringent access rules and segment their networks into distinct security zones, Microsoft Azure leverages next-generation firewalls (NGFWs) to deliver zero-trust security. This enhances the overall network security posture.

Azure Firewall can be set up to monitor traffic in addition to regulating it, looking for risks and anomalies, and taking appropriate action. In an effort for this, malicious communications can be blocked, infected devices can be quarantined, and security staff can be made aware of potential dangers.


NGFW firms are investing more in AI and ML to further distinguish their solutions. Companies must continue to enhance API connections, particularly with IPS, SIEM systems, and Data Loss Prevention (DLP) solutions. They must also concentrate on how software-defined networking (SDN) might increase adaptability while supplying finer-grained control over network traffic. A well-implemented Zero Trust architecture not only produces improved overall security levels but also lower security intricacy and operational overhead.
Read more »
User Priavcy
Cyber Security MFA Microsoft Azure Multi-factor authentication Outlook User Priavcy

Microsoft Now Permits IT Administrators to Evaluate and Deactivate Inactive Azure AD users

 

Azure Active Directory has received a handful of security updates from Microsoft. In preview, the business has unveiled a new access reviews tool that allows enterprises to delete inactive user accounts which may pose a security concern. Users who created the new Azure AD tenant after October 2019 received security defaults, however, customers who built Azure AD tenants before October 2019 did not receive security defaults. 

According to Microsoft, the Azure AD security defaults are utilized by around 30 million companies today, and the defaults will be rolled out to many more organizations, resulting in the settings protecting 60 million more accounts. IT admins could now terminate Azure AD accounts that haven't signed in for a certain number of days. 

The Azure Active Directory Identity Governance service now includes the new access review feature. It's useful for companies who don't want contractors or former employees to have access to sensitive data. Azure Active Directory (Azure AD) is a Microsoft cloud service that manages identification and authentication for on-premise and cloud applications. In Windows 2000, it was the advancement of Active Directory Domain Services. 

"The term "sign-in activity" refers to both interactive and non-interactive sign-in activities. Stale accounts may be automatically removed during the screening process. As a result, your company's security posture increases," Microsoft explained. 

According to Alex Weinert, Microsoft's director of identity security, the defaults were implemented for new tenants to ensure that they had "minimum security hygiene," including multi-factor authentication (MFA) and contemporary authentication, independent of the license. He points out that the 30 million firms which have security defaults in place are significantly less vulnerable to intrusions.

This month, Microsoft will send an email to all global admins of qualified Azure AD tenants informing them of security settings. These administrators will receive an Outlook notification from Microsoft in late June, instructing them to "activate security defaults" and warning of "security defaults will be enforced automatically for respective businesses in 14 days." All users in a tenant will be required to register for MFA using the Microsoft Authenticator app after it has been activated. A phone number is also required of global administrators.
Read more »
Yahoo
API GitHub malware Microsoft 365 Microsoft Azure TLS Certificates URL Yahoo

To Mimic Microsoft, Phishing Employs Azure Static Web Pages

 

Microsoft Azure's Static Web Apps service is being exploited by phishing attacks to acquire Microsoft, Office 365, Outlook, and OneDrive passwords. Azure Static Web Apps is a Microsoft tool that allows to build and deploy full-stack web apps to Azure using code via GitHub or Azure DevOps.

MalwareHunterTeam, a security expert, uncovered the campaign. Attackers might imitate custom branding and website hosting services to install static landing phishing sites, according to the study. Users using Microsoft, Office 365, Outlook, and OneDrive services are being targeted by attackers who are actively mimicking Microsoft services. 

Several of the web pages and login pages in these phishing attempts are nearly identical to official Microsoft pages. Azure Static Web Apps is a program that uses a code repository to build and publish full-stack apps to Azure. 

Azure Static Apps has a process that is customized to a developer's everyday routine. Code changes are used to build and distribute apps. Azure works exclusively with GitHub or Azure DevOps to watch a branch of their choice when users establish an Azure Static Web Apps resource. A build is automatically done, and your app and API are published to Azure every time they post patches or allow codes into the watched branch. 

Targeting Microsoft users with the Azure Static Web App service is a great strategy. Because of the *.1.azurestaticapps.net wildcard TLS certificate, each landing page gets its own secure page padlock in the address bar. After seeing the certificate granted by Microsoft Azure TLS Issuing CA 05 to *.1.azurestaticapps.net, even the most skeptical targets will be fooled, certifying a fraud site as an official Microsoft login screen in the eyes of potential victims.

Due to the artificial veil of security supplied by the legitimate Microsoft TLS certs, such landing sites are also useful when targeting users of other platforms, such as Rackspace, AOL, Yahoo, or other email providers. 

When trying to figure out if one is being targeted by a phishing assault, the typical advice is to double-check the URL whenever we're asked to enter one's account credentials in a login. Unfortunately, phishing efforts that target Azure Static Web Apps render this advice nearly useless, since many users will be fooled by azurestaticapps.net subdomain and genuine TLS certificate.
Read more »
User Security
Data Breach Microsoft Azure Students Data User Privacy User Security

Over 100,000 Files with Student Records from the British Council were Discovered Online

 

More than 100,000 files including student records from the British Council were discovered online. A cybersecurity firm uncovered an unsecured Microsoft Azure blob on the internet, which revealed student names, IDs, usernames, email addresses, and other sensitive information. The British Council, founded in 1951 in London, is a British organization that promotes worldwide cultural and educational possibilities. It works in over 100 countries to promote cultural, scientific, technological, and educational interaction with the UK as well as a better understanding of the UK and the English language.

Clario, a cyber security firm, and security researcher Bob Diachenko discovered the breach on December 5th, 2021, and immediately contacted the British Council. According to the researchers, a public search engine identified an insecure Azure blob container containing hundreds of readable Excel spreadsheets and XML/JSON files. Personal information of hundreds of thousands of learners and students of British Council English courses from throughout the world was contained in these files. The researchers note that it is unclear how long this content was available to the public online without authentication. 

The British Council issued a statement about the incident on December 23rd, “The British Council takes its responsibilities under the Data Protection Act 2018 and General Data Protection Regulations (GDPR) very seriously. The Privacy and security of personal information is paramount. Upon becoming aware of this incident, where the data was held by a third-party supplier, the records in question were immediately secured, and we continue to look into the incident in order to ensure that all necessary measures are and remain in place.”

 “We have reported the incident to the appropriate regulatory authorities and will fully cooperate with any investigation or further actions required,” the council added. 

One of the key worries the researchers had at the time was the danger of phishing actors and identity thieves gaining access to this information. After not hearing back from the British Council for 48 hours, the researchers tried to contact again, this time via Twitter, which is where further communication between the two sides took place. 

According to the British Council, despite the fact that the researchers uncovered over 144,000 files, just roughly 10,000 student records were impacted. The discovery of this data leak comes in the wake of a report last month that stated the British Council had been the target of "two successful ransomware assaults over the past five years," in addition to six unsuccessful efforts by ransomware operatives. The British Council apparently faced 12 days of downtime as a result of these attacks—five days in the first case and seven days in the second. However, neither time did the organization pay a ransom.
Read more »
Threat actors
AWS Cloud Services Cyber Crime Microsoft Azure RATs Threat actors

Nanocore, Netwire, and AsyncRAT Distribution Campaigns Make Use of Public Cloud Infrastructure

 

Threat actors are actively leveraging Amazon and Microsoft public cloud services into their malicious campaigns in order to deliver commodity remote access trojans (RATs) such as Nanocore, Netwire, and AsyncRAT to drain sensitive information from compromised systems. The spear-phishing assaults, which began in October 2021, largely targeted companies in the United States, Canada, Italy, and Singapore, according to Cisco Talos researchers. 

These Remote Administration Tools (RATs) versions are loaded with features that allow them to take control of the victim's environment, execute arbitrary instructions remotely, and steal the victim's information. 

A phishing email with a malicious ZIP attachment serves as the initial infection vector. These ZIP archive files include an ISO image that contains a malicious loader in the form of JavaScript, a Windows batch file, or a Visual Basic script. When the initial script is run on the victim's machine, it connects to a download server to obtain the next step, which can be hosted on an Azure Cloud-based Windows server or an AWS EC2 instance.

Using existing legitimate infrastructure to assist intrusions is increasingly becoming part of an attacker's playbook since it eliminates the need for the attacker to host their own servers and may also be used as a cloaking strategy to avoid detection by security solutions. 

Collaboration and communication applications such as Discord, Slack, and Telegram have found a home in many infection chains in recent months to hijack and exfiltrate data from victim machines. Cloud platform abuse is a tactical extension that attackers may utilize as the first step into a large array of networks. 

"There are several interesting aspects to this particular campaign, and it points to some of the things we commonly see used and abused by malicious actors," said Nick Biasini, head of outreach at Cisco Talos. "From the use of cloud infrastructure to host malware to the abuse of dynamic DNS for command-and-control (C2) activities. Additionally, the layers of obfuscation point to the current state of criminal cyber activities, where it takes lots of analysis to get down to the final payload and intentions of the attack."

The use of DuckDNS, a free dynamic DNS service, to generate malicious subdomains to deliver malware is also noteworthy, with some of the actor-controlled malicious subdomains resolving to the download server on Azure Cloud while other servers function as C2 for the RAT payloads.

"Malicious actors are opportunistic and will always be looking for new and inventive ways to both host malware and infect victims. The abuse of platforms such as Slack and Discord as well as the related cloud abuse are part of this pattern," Biasini concluded.
Read more »
Vulnerability and Exploits
Microsoft Microsoft Azure Source Code Vulnerability and Exploits

Azure App Service Vulnerability Exposes Source Code Repositories

 

Microsoft has discreetly begun informing certain Azure users that a significant security flaw in the Azure App Service has exposed hundreds of source code repositories. 

Microsoft's disclosure follows more than two months after it had been disclosed by Israeli cloud security startup Wiz, and only weeks after Redmond secretly patched the weakness and notified "a limited subset of customers" who were thought to be in danger. 

The Microsoft Security Response Center highlighted the weakness in an alert as a problem wherein customers can accidentally set the.git folder to be generated in the content root, putting them at risk of unauthorized disclosure of information. 

“This, when combined with an application configured to serve static content, makes it possible for others to download files not intended to be public. We have notified the limited subset of customers that we believe are at risk due to this and we will continue to work with our customers on securing their applications,” Microsoft said. 

App Service Linux users who launched applications utilizing Local Git after files were generated or updated in the content root directory may be affected, according to the business. 

The mix of the.git folder in the content folder and the application that delivers static content renders the program vulnerable to source code leakage, according to Redmond. 

The weakness is described in a different technical note by the Wiz research team as the unsafe default behavior in the Azure App Service that disclosed the source code of client applications built in PHP, Python, Ruby, or Node that have been published employing "Local Git." The vulnerability, called "NotLegit," has existed since September 2017 and has most likely been exploited in the wild, according to the business. 

The Wiz researchers highlighted exploitation as "extremely easy," adding that there are indications that unidentified malicious actors have already been launching exploits. 

“To assess the chance of exposure with the issue we found, we deployed a vulnerable Azure App Service application, linked it to an unused domain, and waited patiently to see if anyone tried to reach the .git files. Within 4 days of deploying, we were not surprised to see multiple requests for the .git folder from unknown actors,” the company said.

 “As this exploitation method is extremely easy, common, and is actively being exploited, we encourage all affected users to overview their application’s source code and evaluate the potential risk,” Wiz added. 

Wiz researchers in Israel have already been proactively uncovering and publicizing huge security vulnerabilities in Microsoft's flagship Azure cloud computing platform, with ChaosDB and OMIGOD being two instances.
Read more »
Microsoft Azure
Cloud Computing Cyber Security Microsoft Microsoft Azure

Researchers Discovered a Vulnerability in Microsoft Azure's Cosmos DB

 

According to a copy of the email and a cyber security researcher, Microsoft warned thousands of its cloud computing customers, including some of the world's largest organizations, that intruders might read, update, or even delete their major databases. Researchers uncovered a "serious" vulnerability in Cosmos DB, a Microsoft Azure flagship database product, that allows an attacker to read, write, and remove data from Cosmos DB customers. 

Microsoft's proprietary database service Cosmos DB was launched in 2017 and is offered through the tech giant's cloud computing platform Azure. Coca-Cola, ExxonMobil, and Schneider Electric are just a few of the world's major organizations that utilize it to manage their data. Many of Microsoft's own programmes, such as Skype, Xbox, and Office, use Cosmos DB. 

Wiz's research team realized it was possible to gain access to keys that controlled access to databases owned by tens of thousands of companies. Ami Luttwak, Wiz's Chief Technology Officer, was previously the CTO of Microsoft's Cloud Security Group. Because Microsoft is unable to alter those keys on its own, consumers were emailed on Thursday and were told to create new ones. According to an email from Microsoft to Wiz, the company promised to pay them $40,000 for discovering and reporting the flaw. 

Wiz, which was founded by ex-Microsoft workers, identified the flaw on August 9, 2021. Three days later, the cybersecurity firm notified Microsoft about the problem. Microsoft's security teams disabled the vulnerable feature within 48 hours, according to Wiz. 

There was no evidence that the flaw had been exploited, according to Microsoft's notification to customers. The email stated, "We have no indication that external entities other than the researcher (Wiz) had access to the primary read-write key."

“This is the worst cloud vulnerability you can imagine. It is a long-lasting secret,” Luttwak told Reuters. “This is the central database of Azure, and we were able to get access to any customer database that we wanted.” Even clients who have not been contacted by Microsoft may have had their keys swiped by attackers, giving them access until their keys are changed, according to Luttwak. 

The flaw was found in Jupyter Notebook, a visualization tool that has been available for years but was only enabled by default in Cosmos in February. 

Microsoft has been plagued by bad security news for months. The same alleged Russian government hackers who entered SolarWinds and stole Microsoft source code broke into the company. Then, while a patch was being created, a large number of hackers got into Exchange email servers.
Read more »
Mozi P2P Botnet
Huawei Network Gateway malware Microsoft Azure Mozi P2P Botnet

Mozi P2P Malware Targets Netgear, Huawei, and ZTE Network Gateways

 

Mozi, a peer-to-peer (P2P) malware known to target internet-of-things devices, has developed new capabilities to target network gateways manufactured by Netgear, Huawei, and ZTE, Microsoft researchers said on Thursday. 

"Network gateways are a particularly juicy target for adversaries because they are ideal as initial access points to corporate networks. By infecting routers, they can perform man-in-the-middle (MITM) attacks—via HTTP hijacking and DNS spoofing—to compromise endpoints and deploy ransomware or cause safety incidents in OT facilities,” researchers at Microsoft Security Threat Intelligence Center and Section 52 at Azure Defender for IoT explained.

According to researchers at Netlab 360, who first spotted the Mozi botnet in December 2019, Mozi is known for exploiting routers and digital video recorders in order to assemble them into an IoT botnet, which could be abused for launching distributed denial-of-service (DDoS) attacks, data exfiltration, and payload execution. The malware has evolved from the source code of several known malware families such as Gafgyt, Mirai, and IoT Reaper.

Mozi spreads through brute-forcing devices online or by abusing known unpatched vulnerabilities in the target devices, with the IoT malware communicating using a BitTorrent-like Distributed Hash Table (DHT) to record the contact information for other nodes in the botnet. This same technique is used by file-sharing P2P customers. The exploited device listens for commands from the controller node and also attempts to exploit other susceptible devices.

Back in September 2020, it was noted in one of IBM X-Force analysis, that Mozi accounted for about 90% of IoT network traffic tracked by security analysts from October 2019 through June 2020, suggesting that attackers are increasingly utilizing the expanding attack surface provided by IoT devices. In another survey released last month, Elastic Security Intelligence and Analytics Team discovered that attackers have targeted at least 24 countries to date, with Bulgaria and India at the forefront.

Microsoft's IoT security team has identified that the botnet "takes specific actions to increase its chances of survival upon reboot or any other attempt by other malware or responders to interfere with its operation.” This includes achieving persistence on targeted devices and blocking TCP ports (23, 2323, 7547, 35000, 50023, and 58000) that are used to secure remote access to the gateway. 

Security researchers have advised the enterprises and customers using Netgear, Huawei, and ZTE routers to secure the devices using strong passwords and update the devices to the latest firmware. "Doing so will reduce the attack surfaces leveraged by the botnet and prevent attackers from getting into a position where they can use the newly discovered persistence and other exploit techniques," Microsoft said.
Read more »
Windows Hello
2FA. Cyber Security Microsoft Azure Plaintext Windows 10 Windows Hello

Microsoft Azure Credentials Exposed in Plaintext by Windows 365

 

Mimikatz has been used by a vulnerability researcher to dump a user's unencrypted plaintext Microsoft Azure credentials from Microsoft's new Windows 365 Cloud PC service. Benjamin Delpy designed Mimikatz, an open-source cybersecurity software that allows researchers to test various credential stealing and impersonation vulnerabilities.

Microsoft's Windows 365 cloud-based desktop service went live on August 2nd, allowing customers to rent Cloud PCs and access them via remote desktop clients or a browser. Microsoft offered free virtual PC trials, which rapidly sold out as consumers hurried to receive their two-month free Cloud PC. 

Microsoft announced their new Windows 365 cloud-based virtual desktop experience at the Inspire 2021 conference, which allows organizations to deploy Windows 10 Cloud PCs, as well as Windows 11 eventually, on the cloud. This service is built on top of Azure Virtual Desktop, but it has been modified to make managing and accessing a Cloud PC easier. 

Delpy told that he was one of the lucky few who was able to receive a free trial of the new service and began testing its security. He discovered that the brand-new service allows a malicious programme to dump logged-in customers' Microsoft Azure plaintext email addresses and passwords. The credential dumps are carried out using a vulnerability he identified in May 2021 that allows him to dump plaintext credentials for Terminal Server users. While a user's Terminal Server credentials are encrypted when kept in memory, Delpy claims he could decrypt them using the Terminal Service process. 

To test this technique, BleepingComputer used a free Cloud PC trial on Windows 365. They entered the "ts::logonpasswords" command after connecting through the web browser and started mimikatz with administrative privileges, and mimikatz promptly dumped their login credentials in plaintext. 

While mimikatz was designed for researchers, threat actors frequently use it to extract plaintext passwords from the LSASS process' memory or perform pass-the-hash attacks utilizing NTLM hashes due to the power of its different modules. Threat actors can use this technique to spread laterally across a network until they gain control of a Windows domain controller, allowing them to take control of the entire Windows domain.

To protect against this method, Delpy recommends 2FA, smart cards, Windows Hello, and Windows Defender Remote Credential Guard. These security measures, however, are not yet accessible in Windows 365. Because Windows 365 is oriented toward enterprises, Microsoft is likely to include these security protections in the future, but for the time being, it's crucial to be aware of the technique.
Read more »
Raven Hengelsport
18GB Data Breach Microsoft Azure Raven Hengelsport

Raven Hengelsport Data Breach Exposes 18GB of Customer Data

 

The cybersecurity researchers from Safety Detectives uncovered an insecure Microsoft Azure Blob storage server linked to the Raven Hengelsport retail outlet (also called Raven Fishing B.V.), with PIIs presumably accessible for malicious hackers belonging to hundreds of thousands of consumers. 

Headquartered in Dronten, Netherlands is Raven Hengelsport, engaged in fishing gear and equipment. While online offering Raven.nl offers a wide choice of products, the corporation has many significant shops in the Netherlands and across Europe. 

In early March, the cybersecurity branch of antivirus screening site SafetyDetectives found the unsecured Azure Blob Storage Server with 18 GB of company data spanning at least 246,000 users in over 450,000 entries. Raven provides its clients across the Netherlands and Europe with a large variety of products in the retail industry. The website of Raven.nl works as a fishing supermarket to provide everything from conventional goods such as rods, rollers, and tackle boxes to more comprehensive merchandise such as tents, boats, and articles of clothing. 

"These files contained records that consisted of two different data sets, order details, and logs of PII, both of which expose the sensitive personal information of Raven's customers," the company's write-up this week explained. 

Raven.nl Order Details — include customer identifiers, delivery information, rebates, shipping charges, transactions, and tracking numbers of shipments. Customer PII [Personally Identified Information] - names, surnames, residence location, and phone numbers, e-mail, and even titles of a certain company's clients were also exposed. 

A great amount of the information leaked on the server is customer information with a total of 425,000 records of them being leaked. PII consumer data was leaked into several data rows, some even outlining the titles of key customer companies. 

Nevertheless, the situation was extremely hard for Raven, popularly known as Raven Fishing. 

"We immediately tried to get in touch with Raven once we discovered the open database, but did not receive a response from Raven regarding the breach," SafetyDetectives' researchers noted. "We later attempted to contact Raven through the live chat feature on their website.” 

The team sought to contact Raven as soon as the open database was detected, however they were not answered by Raven about the infringement. 

Afterward, they tried to get in touch with Raven via the live chat on their website. When the team first tried reaching Raven, the customer care officer concluded the live conversation without answering their statement. 

At the second attempt, the team was linked to the same employee who said they can not provide additional contact information. They were advised that their demand would be forwarded to the concerned parties and that if Raven found it appropriate, they would be approached. 

SecurityDetectives also notified Microsoft of this fault, however, MSRC refused to take any measures concerning the still-exposed server. The general customer care of Microsoft was also characterized as "not helpful," as it didn't help security researchers raising someone technical at Raven to see the data secured. 

An infringement of data of this kind has harmful effects for both Raven and its innocent clients, who have their personal information revealed. 

Raven is likely to be subject to EU data protection laws (GDPR), which could charge them up to €20 million in the company's territory or 4% of the yearly turnover of Raven (whichever is greater). However, it's the best way to deal with a data violation. If the GDPR decides to impose sanctions, small and medium-sized enterprises are more likely to obtain a mild punishment.
Read more »
Microsoft Azure
Crypto Currency Crypto-Mining Cyber Attacks Machine learning Microsoft Azure

Kubeflow: The Target of Cryptomining Attacks

 

Microsoft has discovered a new, widespread, ongoing threat that aims to infect Kubernetes clusters running Kubeflow instances with malicious TensorFlow pods that mine cryptocurrencies. Kubeflow is a popular open-source framework for conducting machine learning (ML) tasks in Kubernetes, while TensorFlow is an end-to-end, open-source ML platform. 

Microsoft security experts cautioned on Tuesday that they noticed a rise in TensorFlow pod deployments on Kubernetes clusters at the end of May — pods that were running legal TensorFlow images from the official Docker Hub account. However, a closer examination of the pods' entry point revealed that they are used to mine cryptocurrency. 

In a post on Tuesday, Yossi Weizman, a senior security research software engineer at Microsoft's Azure Security Center, said that the "burst" of malicious TensorFlow deployments was "simultaneous," implying that the attackers scanned the clusters first, kept a list of potential targets, and then fired on all of them at the same time. The attackers used two distinct images, according to Weizman. The first is the most recent version of TensorFlow (tensorflow/tensorflow:latest), and the second is the most recent version with GPU support (tensorflow/tensorflow:latest-gpu). 

According to Weizman, using TensorFlow images in the network "makes a lot of sense," because “if the images in the cluster are monitored, usage of a legitimate image can prevent attackers from being discovered.” Another rationale for the attackers' decision is that the TensorFlow image they chose is an easy way to conduct GPU activities using CUDA, which "allows the attacker to optimize the mining gains from the host," according to him. 

The newly found vulnerability is comparable to a cryptocurrency mining attack revealed by Microsoft in June. That previous campaign also targeted Kubeflow workloads, launching a broad XMRIG Monero-mining campaign by exploiting misconfigured dashboards. The most recent campaign includes the following changes: According to Weizman, the attackers abused their access to the Kubeflow centralized dashboard to establish a new pipeline this time.

Kubeflow Pipelines is a framework for creating machine learning pipelines based on Argo Workflow, an open-source, container-native workflow engine for coordinating parallel jobs. A pipeline is a collection of steps, each of which functions as its own container, that together creates an ML workflow. 

Users of Kubeflow should ensure that the centralized dashboard is not insecurely exposed to the internet, according to Microsoft.
Read more »
Vulnerabilities and Exploits
BadAlloc Microsoft Microsoft Azure Vulnerabilities and Exploits

Microsoft Discovered Several Security Flaws in IoT Operating Systems

 

Security researchers at Microsoft recently uncovered a series of critical memory allocation vulnerabilities in the Internet of Things (IoT). Microsoft researchers said that they have discovered about 25 undocumented critical memory-allocation vulnerabilities across a number of vendors’ IoT and industrial devices that threat actors could exploit to execute malicious code across a network or cause an entire system to crash. 

‘BadAlloc,’ is the name assigned by the company's Section 52 —which is the Azure Defender for IoT security research group. BadAlloc has the potential to affect a wide range of domains, from consumer and medical IoT devices to industry IoT, operational technology, and industrial control systems, according to a report published online Thursday by the Microsoft Security Response Center (MSRC). 

“Given the pervasiveness of IoT and OT devices, these vulnerabilities, if successfully exploited, represent a significant potential risk for organizations of all kinds," says the company. "To date, Microsoft has not seen any indications of these vulnerabilities being exploited. However, we strongly encourage organizations to patch their systems as soon as possible.”

“Our findings show that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations. Without these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in the execution of malicious code on a target device," Microsoft researchers stated.

Memory allocation is exactly what it sounds like–the basic set of instructions device makers give a device for how to allocate memory. The vulnerabilities stem from the usage of vulnerable memory functions across all the devices, such as malloc, calloc, realloc, memalign, valloc, pvalloc, and more, according to the report. 

From what researchers have discovered, the problem is systemic, so it can exist in various aspects of devices, including real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations, they said. And as IoT and OT devices are highly pervasive, “these vulnerabilities, if successfully exploited, represent a significant potential risk for organizations of all kinds,” researchers observed. 

In 2019, a security researcher discovered a similar flaw impacting the Windows IoT Core operating system that gives threat actors full control over vulnerable devices. The vulnerability affected the Sirep/WPCon communications protocol included with Windows IoT operating system.
Read more »
Microsoft Azure
CityBee Cyber Crime Lithuania Microsoft Azure

Lithuanian Police Investigate Leak of 110,000 User Records of CityBee

 

Police in Lithuania is investigating after the personal information of 110,000 individuals was leaked to an online hacker site. The car-sharing service, CityBee, affirmed the records and data of thousands of its clients had been undermined in the incident. The first part of the database was posted on February 15 and incorporates 110,000 CityBee client IDs, usernames, hashed passwords, complete names, as well as personal codes (national identification numbers) that belong to mostly Lithuanian CityBee users. The subsequent part, posted on February 16 by the same threat actor, seems to contain more definite personal data, possibly including driver license numbers and CityBee credit limits, as well as a folder named “CreditCards.” 

While the proprietor of the post at first guaranteed that the information had been stolen from CityBee at some point in 2020, it was subsequently affirmed that the database was exfiltrated from an unsecured Microsoft Azure blob managed by CityBee at least from February 2018. Apparently, a Rapid7 Open Data Forward DNS tool was utilized to look through the reverse DNS lookup, which was how the threat actor found the unsecured CityBee blob. At that point, a directory brute-force attack was used to enumerate directories in the blob, after which the threat actor downloaded the files. 

“The data, which was uploaded to one of the cyber hackers favourite forums, is three years old,” CityBee said in a statement. A poster on the hacker forum said the rundown was extricated from data grabbed on February 2018 from an unsecured database backup and offered full hacked information for $1,000 paid in Bitcoin. Disclosure of stolen client information won't influence the security of CityBee client financial services, as the organization doesn't gather delicate data identified with client payment methods. 

“We are very sorry. I am one of the victims of the leak because I use the service, and I very well understand that feeling of insecurity,” CityBee CEO Kristijonas Kaikaris told journalists on Tuesday. He proposed the hacked clients “don’t panic” and change their passwords. The organization risks a fine of as much as 20 million euros ($24.21 million), or 4% of its turnover if found in breach of regulations.
Read more »
United States
Cyber Attacks Microsoft Azure Russia United States

SolarWinds Cyberattacks, Microsoft's Turn?

 

The United States is witnessing major cyberattacks, multiple government departments’ agencies are being targeted including treasury and commerce departments, homeland security and now Microsoft is the latest victim of a cyber attack. 

The ‘SolarWinds hack’ has emerged as one of the biggest cyberattacks against the US government, its agencies, and several other private companies, so much so that it has been said the world is under global cyber attack.  

According to Microsoft’s president, Brad Smith, more victims are expected to surface as investigations continue. 

Government departments and private organizations all across the globe are facing difficulties in disabling the compromised SolarWinds products from their systems. 

Intelligences investigating the matter, have named the hack ‘Sunburst’, saying that it will take years to fully decipher these cyber-attacks including the attack vectors and the origin. In this regard, Smith further stated, “We should all be prepared for stories about additional victims in the public sector and other enterprises and organizations.” 

Furthermore, he said that Microsoft has already notified 40 of its security customers that its products are being found to be compromised. The malicious actors are seen to be targeting them “more precisely and breaching the security through additional and sophisticated measures". Experts have predicted the continuity of the attacks, saying more victims are likely to come up. 

As per the researchers, approximately 80 percent of these customers were located in the United States, while others were from Mexico and Canada in North America, Spain, Belgium, and the United Kingdom in Europe, and UAE and Israel in the Middle East. 

Attackers have targeted the government agencies, security and other technology firms, and private organizations of the abovementioned nations. 

However, above all, the campaign is “effectively an attack on the United States and its government and other critical institutions,” Smith warned. So far, six federal entities have been attacked: the Department of Energy, The Pentagon, the National Institute of Health, the Department of Homeland Security the Department of Treasury, and the Department of Commerce. 

The information about the attack has come from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) as the agency warned government and non-government agencies that there could be additional initial-access vectors, beyond the SolarWinds Orion platform. 

Sources from Reuters told that the malicious actors used Microsoft’s Azure cloud as part of their attacks, however, a Microsoft spokesperson denied this by saying that “there are no indications that our systems were used to attack others’’
Read more »
Technology
Microsoft Microsoft 365 Microsoft Azure Outage Shutdown Servers. Technology

Microsoft 365 Services Restored After Hours Long Outage


Recently Microsoft was hit with a massive global outage that interrupted users’ access to multiple services including Outlook.com, Office 365, Teams, Exchange, Azure, OneDrive Dynamics 365, SharePoint, amid other cloud-based services.

As per the Azure status history page, the users who were trying to access any of Microsoft’s services encountered issues with logging in and server connection as the downtime started around 21:25 UTC on Monday.


The service interruptions had a rather short lifetime, lasting for several hours before Microsoft technicians fixed the issue and successfully rolled back their systems on Tuesday.

In current times of global pandemic wherein physical access for people is restricted all over the world, the outage of online services has proven to be even more disruptive as the number of people relying on it for work and studies has sprung up by a remarkable margin. As classrooms moved online, students and educational institutions are heavily dependent on services offered by Microsoft and Google, primarily.

Giving insights on the matter, Microsoft said “Users who were not already authenticated to the cloud services using Azure AD would have seen multiple authentication request failures. The impact was primarily in the Americas based on the issue being exacerbated by load, but users in other regions may also have experienced some impact. Users that had previously authenticated prior to the issue may not have experienced any noticeable effect.”

Acknowledging the issue, Microsoft 365 Status said in a tweet, “we’ve received reports of users experiencing issues accessing their Exchange Online accounts via Outlook on the Web. Our initial investigation indicates that India-based users are primarily impacted audience. Further details can be found in your admin center under EX223208.”

“We took corrective actions to mitigate the impact to Exchange ActiveSync and have confirmed that service has been restored after users force a sync on their impacted devices. More information can be found under EX223053 in the admin portal.” Microsoft 365 Status said in another tweet.

The issues affecting Microsoft’s online authentication systems have been resolved by the company and the services are restored. Most users reported their system being fully recovered and services functioning normally again.
Read more »
Server Compromise
Anonymous Hackers Command injection vulnerability malware Microsoft Azure Microsoft Hacks Server Compromise

Hackers abusing Microsoft Azure to deploy malware

Now Microsoft Azure becomes a sweet spot for hackers to host powerful malware and also as a command and control server for sending and receiving commands to compromised systems.

Microsoft Azure is a cloud computing platform created by Microsoft for building, testing, deploying, and managing applications and services through Microsoft-managed data centers.

Initially, this malicious operation was uncovered and reported by @JayTHL & @malwrhunterteam via Twitter in which they provide the evidence that there is a malicious software being hosted in Microsoft Azure.

Researcher’s already reported this malicious operation to Microsoft. however, the original malware (plus additional samples uploaded since) still resided on the Azure site as of May 29, 2019 – 17 days later, Appriver Reported.

This is an evidence of Azure that failed to detect the malware residing on the Microsoft server, but Windows defender is detecting the malicious files if users attempt to download from the malware-hosting server.

Windows defender detects this malware as Trojan:Win32/Occamy.C and the first new sample ( searchfile.exe ) was initially uploaded to VirusTotal on April 26, 2019, and another sample (printer/prenter.exe) was first submitted on April 30, but also remains undetected on Azure servers.

According to appriver, however, it does not appear the service is currently scanning Azure sites or, one could surmise that these files would’ve been detected by now.

Based on the analysis report using the printer.exe file, attackers uncompiled this malware with the c# .net portable executable file.

Attackers cleverly using an uncompiled file as an attempt to evade the gateway and endpoint security detection by thoroughly examining the downloaded binaries.”

Once running, this malicious agent generates XML SOAP requests every 2 minutes to check-in and receive commands from the malicious actors Azure command and control site at: systemservicex[.]azurewebsites[.]net/data[.]asmx”

This is not a first-time malware operator abusing Azure, but already we reported that attackers abuse Microsoft Azure Blog Hosting and it also attempted to steal the login credentials.
Read more »
Subscribe to: Comments (Atom)