Internal Microsoft passwords left exposed for a month in latest security slip-up

Microsoft logo on display at their pavilion during the Mobile World Congress in Barcelona, Spain, on February 28, 2024

Microsoft has fixed a security breach that exposed internal company secrets to the public internet, one month after the company was notified of the leak by researchers.

On 6 February 2024, researchers at threat intelligence firm SOCRadar discovered a public storage server hosted on Microsoft’s Azure cloud service holding internal company information relating to its Bing search product.

The Azure server was storing scripts, source code and configuration files containing passwords, keys and other credentials used by Microsoft staff to access internal databases and systems.

Glaringly, given the sensitivity of the information stored on it, Microsoft had failed to adequately secure the server itself, not even putting password protection on the asset.

As a result, anyone on the public internet, if they knew where to look, would be able to access the server and its contents.

Can Yoleri, one of the SOCRadar researchers who first uncovered the server, told TechCrunch that the information stored on the server could be used to orchestrate further attacks, helping attackers understand where Microsoft stores internal files.

McKenzie Jackson, developer advocate at code security platform GitGuardian, detailed how the information stored on the server could be used by hackers to evade detection whilst navigating a target’s network.

“The exploit discovered plain text secrets in internal systems and source code. Secrets like certificates, passwords or API keys are the easiest way for an attacker to move from one system to another undetected.”

Jackson offered his thoughts on how enterprises should approach managing their information, noting exposed secrets will inevitably fall into the wrong hands.

“Secrets should be tightly wrapped and stored in secret management systems under tight access controls. If they sprawl in plain text into different places, it is only a matter of time before a bad actor will find and abuse them,” he explained.

“Combating the spread of confidential information and its associated risks necessitates reevaluating security teams' oversight and governance capabilities. It also requires the provision of appropriate tools to identify and counteract emerging threat categories.”  
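The sprawl Jackson describes is detectable before it leaks: configuration files that carry literal credentials under keys like `password` or `token`, or embed a storage account key in a connection string, can be flagged in a pre-commit or repository scan, while values that merely reference a secret manager (a `${VAULT:...}` placeholder or an Azure Key Vault reference) are left alone. The scanner below is an added example written for this article, not code from Microsoft, SOCRadar or GitGuardian; the sample config, every value in it, and the key-name and reference patterns are constructed assumptions for the demo.

```python
import re
from typing import Dict, List

# Constructed example config: the kind of plaintext credential sprawl the
# article describes. Every value below is made up for this demo.
SAMPLE_CONFIG = """\
# app.properties (constructed sample, not Microsoft's file)
db.host=db.internal.example
db.user=svc_search
db.password=Sup3rS3cret!2024
api_token = tok_0f9a8b7c6d5e4f3a2b1c
storage.connection=DefaultEndpointsProtocol=https;AccountName=examplestore;AccountKey=YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY3ODkwYWJjZGVmZ2hpamtsbW5vcA==;EndpointSuffix=core.windows.net
cache.password=${VAULT:cache/prod/password}
signing.key=@Microsoft.KeyVault(SecretUri=https://example.vault.azure.net/secrets/signing)
log.level=INFO
"""

# Key names that usually carry a credential (case-insensitive substring match).
SENSITIVE_KEY_RE = re.compile(
    r"(password|passwd|pwd|secret|token|api[_.-]?key|accountkey|private[_.-]?key)", re.I
)

# Value shapes that mean "reference to a secret store", not the secret itself
# (assumed placeholder conventions for this demo).
REFERENCE_RE = re.compile(r"^\$\{.*\}$|^@Microsoft\.KeyVault\(.*\)$|^\{\{.*\}\}$")

# Azure Storage connection strings embed the account key after "AccountKey=".
ACCOUNT_KEY_RE = re.compile(r"AccountKey=([A-Za-z0-9+/=]{20,})")

# key=value or key: value, with optional surrounding whitespace.
KV_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*[=:]\s*(.+?)\s*$")


def is_reference(value: str) -> bool:
    """True when the value points at a secret manager instead of holding a literal."""
    return REFERENCE_RE.match(value) is not None


def mask(value: str) -> str:
    """Keep only the first 4 characters so the report does not re-expose the secret."""
    return value[:4] + "*" * max(0, len(value) - 4)


def scan_config(text: str) -> List[Dict[str, object]]:
    """Return one finding per plaintext credential in key=value style config text."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments carry no value to inspect
        m = KV_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        # An embedded account key is a finding regardless of the key name.
        ak = ACCOUNT_KEY_RE.search(value)
        if ak:
            findings.append({"line": lineno, "key": key,
                             "reason": "embedded AccountKey", "value": mask(ak.group(1))})
            continue
        # A sensitive key holding a literal (not a vault reference) is a finding.
        if SENSITIVE_KEY_RE.search(key) and not is_reference(value):
            findings.append({"line": lineno, "key": key,
                             "reason": "literal value under sensitive key", "value": mask(value)})
    return findings


if __name__ == "__main__":
    for f in scan_config(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['key']} ({f['reason']}) -> {f['value']}")
```

Run against the sample it reports the `db.password` literal, the `api_token` literal and the account key inside the connection string, and stays silent on the two vault references and the non-sensitive keys; masking the reported value matters because a scanner's own output is often written to CI logs, which would otherwise become one more place the secret sprawls into.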

One more blunder in recent ‘cascade’ of Microsoft security failings

This incident is the latest in a string of security slip-ups for the tech giant, following a report from the US Cyber Safety Review Board investigating Microsoft’s conduct during a security breach in the summer of 2023.

The ‘Summer 2023 Exchange Intrusion’, as it is referred to in the report, involved a suspected state-backed Chinese threat collective gaining access to the mailboxes of 22 organizations and more than 500 individuals.

A significant portion of the affected individuals were senior US government officials who had key roles in the country’s relationship with China.


The report slammed Microsoft’s lax corporate culture that “deprioritized both enterprise security investments and rigorous risk management”, as well as its failure to provide details on how the hackers were able to bypass its security measures.

Another recent security misstep from the firm came in its recent Patch Tuesday release, which incorrectly labeled two CVEs as not under active exploitation, despite security researchers at the Zero Day Institute providing evidence of threat actors leveraging the flaws in the wild.

Concerning Microsoft’s most recent security incident, the company said it had secured the exposed server as of 5 March 2024, a full month after being notified by Yoleri and his colleagues at SOCRadar.

A Microsoft spokesperson gave ITPro the following statement:

“Though the credentials should not have been exposed, they were temporary, accessible only from internal networks, and disabled after testing. We thank our partners for responsibly reporting this issue.”

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.