
Microsoft AI researchers inadvertently make 38 TB of data publicly accessible

Cloud security vendor Wiz recently made a startling discovery – 38 TB of private Microsoft data had been accidentally exposed by AI researchers employed by the tech giant. This revelation, shared in a blog post by Wiz’s security researchers Hillai Ben-Sasson and Ronny Greenberg, highlighted a significant security breach within Microsoft’s AI research team.

According to the researchers, the data was inadvertently exposed while the team was publishing a bucket of open-source training data on GitHub. The exposed data included a disk backup of two employee workstations, along with passwords, private keys, secrets, and over 30,000 internal Microsoft Teams messages. This sensitive information became accessible because the AI researchers shared the files using a misconfigured shared access signature (SAS) token.

SAS tokens are signed URLs in Azure Storage that are used to share data and to control what the holder of the link may do with it. In this case, the token was misconfigured in two ways. Although share permissions can be limited strictly, down to a single file, the link was mistakenly configured to share the entire storage account, including an additional 38 TB of private files. Furthermore, the token was set to allow “full control” permissions instead of read-only access, meaning that an attacker could not only view the files but also delete and overwrite them.
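The two misconfigurations described above (account-wide scope and write/delete permissions) are both visible in the query string of a SAS URL, so a defender can flag them before a link is ever published. The following is an added example written for this article, not code from Wiz, Microsoft or the Azure SDK: it reads the documented SAS query parameters (`ss`, `srt`, `sr`, `sp`, `se`, `sig`) with the Python standard library and reports account-level scope, modify/delete permissions, and missing, expired or distant expiry. The storage account name, dates and signature in the sample URLs are constructed for illustration.

```python
"""Audit an Azure Storage SAS URL for over-broad scope, modify/delete
permissions and missing or far-future expiry.

Added example for this article, not code from Wiz, Microsoft or the
Azure SDK. Only the documented SAS query parameters (ss, srt, sr, sp,
se, sig) are inspected, using the standard library. The sample account
name, dates and signature values below are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# Permission letters (sp=) that allow changing or removing data; a
# documented subset: a=add, c=create, w=write, d=delete, x=delete version,
# y=permanent delete, u=update, m=move, e=execute, o=ownership.
MODIFY_PERMS = set("acwdxyumeo")

# Fixed "current time" so the example is reproducible (constructed).
REFERENCE_TIME = datetime(2023, 9, 18, tzinfo=timezone.utc)


def _parse_expiry(value: str) -> datetime:
    """Parse the se= value (ISO 8601 with 'Z', offset, or date-only) as UTC."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    when = datetime.fromisoformat(value)
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when


def audit_sas_url(url: str, now: Optional[datetime] = None,
                  max_lifetime: timedelta = timedelta(days=7)) -> List[str]:
    """Return finding codes for a SAS URL; an empty list means no finding.

    Codes: NOT_SAS, ACCOUNT_SCOPE, CONTAINER_SCOPE, MODIFY_PERMS:<letters>,
    NO_EXPIRY, EXPIRED, LONG_EXPIRY.
    """
    now = now or datetime.now(timezone.utc)
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if "sig" not in params:
        return ["NOT_SAS"]
    findings: List[str] = []

    # Scope: an account SAS (srt= present) covers every service named in ss=,
    # which is how a link meant for one folder can expose a whole account.
    # A service SAS names its resource in sr= (b=blob, c=container).
    if "srt" in params:
        findings.append("ACCOUNT_SCOPE")
    elif params.get("sr") == "c":
        findings.append("CONTAINER_SCOPE")

    # Permissions: anything beyond read (r) and list (l) lets the holder
    # overwrite or delete what the link exposes.
    granted = set(params.get("sp", ""))
    extra = "".join(sorted(granted & MODIFY_PERMS))
    if extra:
        findings.append(f"MODIFY_PERMS:{extra}")

    # Lifetime: no se= in the URL (expiry may live in a stored access policy,
    # si=) cannot be judged here; a distant expiry is a standing credential.
    if "se" not in params:
        findings.append("NO_EXPIRY")
    else:
        expiry = _parse_expiry(params["se"])
        if expiry <= now:
            findings.append("EXPIRED")
        elif expiry - now > max_lifetime:
            findings.append("LONG_EXPIRY")
    return findings


# Constructed sample links: one account-wide, writable, long-lived token of
# the kind the article describes, and one narrowly scoped read-only token.
OVERLY_PERMISSIVE = (
    "https://exampleaccount.blob.core.windows.net/training-data?"
    "sv=2020-08-04&ss=bfqt&srt=sco&sp=rwdlacupx&se=2051-10-05T00:00:00Z"
    "&spr=https&sig=CONSTRUCTEDSIGNATURE%3D"
)
READ_ONLY_BLOB = (
    "https://exampleaccount.blob.core.windows.net/training-data/model.bin?"
    "sv=2020-08-04&sr=b&sp=r&se=2023-09-22T00:00:00Z&sig=CONSTRUCTEDSIGNATURE%3D"
)

if __name__ == "__main__":
    for label, url in (("permissive", OVERLY_PERMISSIVE), ("read-only", READ_ONLY_BLOB)):
        print(label, audit_sas_url(url, now=REFERENCE_TIME) or ["no findings"])
```

Run over every SAS URL found in a repository before it is pushed (or in a scheduled scan of existing repositories), any `ACCOUNT_SCOPE`, `MODIFY_PERMS` or `LONG_EXPIRY` finding is the signal to regenerate the token with a single-blob or single-container scope, read-only permissions and a short expiry.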

This incident highlights the security risks associated with SAS tokens when they are not carefully managed. Inappropriate permissions can provide unauthorized access to sensitive data and create vulnerabilities for organizations. In fact, as security vendor Orca Security previously noted, threat actors can discover exposed cloud assets within minutes, making it crucial for organizations to prioritize the security of their cloud storage.

Wiz uncovered the link to the exposed data during its regular internet scans, finding it in a repository on Microsoft-owned GitHub. The “overly permissive token” had been publicly accessible on GitHub for the past three years, making it easily discoverable by anyone. This means that an attacker with even minimal technical expertise would have been able to gain access to the exposed data.

In response to the incident, the Microsoft Security Response Center published a blog post dedicated to addressing the exposure. Microsoft stated that it had identified and mitigated the issue, emphasizing that no customer data was exposed and no other internal services were put at risk. The company confirmed that it had worked with the relevant research and engineering teams to revoke the SAS token and prevent all external access to the storage account.

However, concerns were raised about whether any data had been exfiltrated beyond what was discovered by Wiz. In response to these concerns, a Microsoft spokesperson stated that their investigation did not identify any other unintended access. It appears that the breach was contained and did not extend beyond the exposed data found by Wiz.

This incident adds to a series of recent security issues faced by Microsoft, including the Storm-0558 attacks. In July, Microsoft revealed that a China-based threat actor known as Storm-0558 had compromised the email systems of approximately 25 customers, including federal government agencies. The attackers had exploited a token validation issue and used a stolen Microsoft account (MSA) sign-in key.

Microsoft disclosed that they had made errors that allowed the threat actors to steal the MSA key from their corporate network and compromise customer email accounts. In response, Microsoft took steps to correct these errors and prevent similar incidents from occurring in the future.

This incident serves as a reminder of the importance of properly configuring and managing access controls for cloud storage and other sensitive data. Organizations must ensure that they regularly review their security configurations and access permissions to prevent accidental exposures and potential breaches. Additionally, timely and coordinated disclosure, as demonstrated by Wiz and Microsoft in this case, is crucial in addressing and resolving security incidents effectively.

As the digital landscape continues to evolve, it is essential for organizations to prioritize robust security measures and ongoing vulnerability assessments to protect their data and maintain the trust of their customers.