Microsoft has fixed a security breach that exposed internal company secrets to the public Internet, a month after researchers notified the company of the leak.
On February 6, 2024, researchers from threat intelligence company SOCRadar discovered a public storage server hosted on Microsoft's Azure cloud service that contained internal company information related to its Bing search product.
The Azure server stored a variety of scripts, source code, as well as configuration files containing passwords, keys, and other credentials used by Microsoft personnel to access internal databases and systems.
It is evident that, given the sensitivity of the information stored on the device, Microsoft somehow failed to adequately secure the server, or even add password protections to the asset.
As a result, anyone on the public Internet, if they knew where to look, could access the server and its contents.
Can Yoleri, one of the SOCRadar researchers who first discovered the server, said TechCrunch that information stored on the server could be used to orchestrate further attacks, helping attackers understand where Microsoft stores internal files.
McKenzie Jackson, developer advocate for code security platform GitGuardian, detailed how hackers could use information stored on the server to evade detection while browsing a target's network.
“The exploit uncovered plaintext secrets in internal systems and source code. Secrets such as certificates, passwords or API keys are the easiest way for an attacker to move from one system to another without being detected.”
Jackson offered his opinion on how companies should approach managing their information, noting that exposed secrets will inevitably fall into the wrong hands.
“Secrets must be kept airtight and stored in secrets management systems under strict access controls. If they are distributed in plain text in different places, it is only a matter of time before a bad actor finds them and abuses them,” he explained.
“Combating the spread of sensitive information and its associated risks requires reassessing the oversight and governance capabilities of security teams. It also requires the provision of appropriate tools to identify and counter emerging threat categories.”
One more mistake in the recent 'cascade' of Microsoft security flaws
This incident is the latest in a series of security lapses from the tech giant following a report from the US Cybersecurity Review Board investigating Microsoft's conduct during a security breach in the summer of 2023.
The 'Summer 2023 Exchange Intrusion', as it is known in the report, involved an alleged state-backed Chinese threat collective that gained access to the mailboxes of 22 organizations and more than 500 individuals.
A significant portion of those affected were senior US government officials who played key roles in the country's relationship with China.
The report criticized Microsoft's lax corporate culture that “deprioritized both enterprise security investments and rigorous risk management,” as well as its failure to provide details on how hackers were able to bypass its security measures.
Another recent security misstep from the company came in its recent Patch Tuesday release, which incorrectly labeled two CVEs as not under active exploitation, despite security researchers at the Zero Day Institute providing evidence from threat actors taking advantage of flaws in nature.
Regarding Microsoft's most recent security incident, the company said it had secured the breach on March 5, 2024, a month after it was notified by Yoleri and his colleagues at SOCRadar.
