The Azure leak has left many wondering about the security of their Azure CLI. A vulnerability in the Azure CLI allowed attackers to obtain sensitive information, including credentials. This is a serious issue, because compromised credentials can lead to unauthorized access to your Azure resources.
The vulnerability was discovered in the Azure CLI version 2.24.0 and earlier. It allowed attackers to obtain sensitive information, including API keys and access tokens. This information can be used to gain unauthorized access to your Azure resources.
To protect yourself from this vulnerability, it's essential to update your Azure CLI to the latest version. This will ensure that you have the latest security patches and fixes.
Microsoft Azure Security Issues
Microsoft Azure has been plagued by security issues, making it a concern for users. A major data breach compromised hundreds of executive accounts, including cloud account takeovers and phishing attempts.
Up to 97,000 Microsoft Exchange servers are susceptible to a critical privilege escalation vulnerability in the latest zero-day. This vulnerability, CVE-2024-21410, allows unauthorized attackers to remotely access and relay Windows NT LAN Manager (NTLM) hashes.
Microsoft has also disclosed two more zero-days, CVE-2024-21412 and CVE-2024-21351, a security feature bypass and a SmartScreen bypass vulnerability, respectively. These vulnerabilities are associated with Exchange Server versions before the update released on February 13th.
Hundreds of user accounts and environments in Microsoft's Azure Platform have been compromised in a data breach by hackers targeting corporate cloud accounts. The campaign included user impersonation, data extraction, financial fraud, and more.
The attack primarily targeted mid- and senior-level company executives and was carried out by hacking groups located in Nigeria and Russia, operating through proxy services and using malicious links embedded in documents that led victims to phishing websites.
Microsoft suffered a similar breach in July 2023, when Chinese hackers were able to access sensitive data from Azure. This incident highlights the problems in Microsoft's security posture.
A significant data leak affecting Microsoft was uncovered by cybersecurity researchers, exposing sensitive employee credentials and internal company files to the internet. The leak was identified through an open and public storage server hosted on Microsoft's Azure cloud service.
The data leak included a myriad of sensitive information such as code, scripts, and configuration files containing passwords, keys, and credentials utilized by Microsoft employees for accessing internal databases and systems.
The compromised internal Azure server seemed to be associated with the functioning of the Bing search engine and had been used to store scripts, configuration, and code containing sensitive data.
A researcher indicated that the resulting data from the Microsoft leak could be used for further compromise by aiding attackers in identifying how Microsoft handles the storage of its internal resources as well as through the use of leaked credentials in attack campaigns.
Here are some key statistics related to Microsoft's security issues:
- Up to 97,000 Microsoft Exchange servers are susceptible to a critical privilege escalation vulnerability.
- Hundreds of user accounts and environments in Microsoft's Azure Platform have been compromised in a data breach.
- The attack primarily targeted mid and senior-level company executives.
Azure CLI Vulnerabilities
Developers' use of Azure CLI in GitHub Actions can be unpredictable, and even where credentials can leak, some developers take proactive measures to limit the problem.
Observations of Azure CLI usage patterns show that developers who know about the tool's tendency to emit sensitive data take steps to prevent full leaks.
Some developers who use Azure CLI in GitHub Actions are not even aware that credentials can leak, but those who are take precautions to minimize the risk.
CLI Bug or Feature?
The Azure CLI doesn't actually have a bug here; it has a feature that is problematic in certain situations: it echoes environment variables back into the log.
This behaviour was observed in two GitHub issues, one on the Azure login action and another on the k8s-create-secret action. Both showed environment variables being echoed back into the log.
The Azure CLI is designed to echo back this information, so it's not a bug in the tool or its output. However, the combination of where this tool is running and who can access the run logs creates a problem.
Here are some examples of where this can go wrong:
- Public repositories and pipelines: Random internet users shouldn't be able to access your production database keys.
- Private repositories: These give a false sense of security, because a compromised account or token with only the lowest "READ" permission can still read raw production credentials from the logs.
To illustrate the problem, consider a pipeline whose log contains the echoed credentials. Suddenly you are faced with a "who should be able to read the logs" kind of problem.
Safely Using CLI in Pipelines
Don't rely on the privacy of your repositories and CIs; relying on it is an incident waiting to happen.
To mitigate the issue, replace static sensitive values in your applications with a more robust mechanism such as Azure's Key Vault. Using Bicep, for example, you can replace the static sensitive values in your application settings with references to secrets stored in the vault.
If you need to use the output of the az command, you have a few options:
- Store the output in a variable so it doesn’t get echoed to the log and use it later in your workflow.
- Use JMESPath queries when fetching information with the tool using the built-in “--query” feature.
If you don’t need the output of the az command, you could:
- Redirect the output to /dev/null, piping both streams (stdout + stderr) to the location-of-no-return, as Azure CLI sometimes emits the credentials as a part of its error messages.
- Use the Azure CLI “--output/-o” option to set the output format; it supports various values, including “--output none”.
Don't mask every returned value in your pipeline; it will generate a headache and require constant attention and maintenance.
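The following script is an added example, not code from the original article or from the Azure CLI project. It simulates the "credentials echoed into the job log" problem described above and the two safe patterns from the list (capture the output in a variable, or send both streams to /dev/null). Because the real `az` binary is not available offline, `mock_az` is a constructed stand-in whose JSON output and fake key value are made up; the real `--query` and `--output none` options are not simulated here and need the actual tool. The helper `log_contains_secret` merges stdout and stderr the way a CI runner's log does, so you can check what a reader of the log would have seen.

```shell
#!/bin/sh
# Added example (not from the original article): simulates the Azure CLI
# echoing a credential into a CI log, and the two safe patterns from the text.
# "mock_az" is a constructed stand-in for the real "az" command so the script
# runs offline; the JSON and the key value it prints are made up.

mock_az() {
    # Stand-in for "az storage account keys list": prints JSON on stdout.
    # The "value" field is a constructed fake key, not a real credential.
    printf '%s\n' '{"keyName": "key1", "value": "FAKEKEY-do-not-use-0123456789"}'
    # Like the real tool, it may also repeat sensitive data in a warning on stderr.
    printf '%s\n' 'WARNING: request used key FAKEKEY-do-not-use-0123456789' >&2
    return 0
}

# Unsafe: the command's stdout and stderr go straight into the job log.
leaky_step() {
    mock_az storage account keys list
}

# Safe when the value is needed later: capture stdout into a shell variable and
# discard stderr; only a non-secret field (the key name) is ever written out.
safe_step_capture() {
    out=$(mock_az storage account keys list 2>/dev/null)
    key_name=$(printf '%s' "$out" | sed -n 's/.*"keyName": *"\([^"]*\)".*/\1/p')
    printf '%s\n' "$key_name"
}

# Safe when the value is not needed: send both streams to /dev/null, because
# the CLI can also emit credentials inside its error output.
safe_step_discard() {
    mock_az storage account keys list >/dev/null 2>&1
}

# Runs a step, merges stdout+stderr exactly as a CI log does, and returns 0 if
# the fake secret appeared in that merged output, 1 otherwise.
log_contains_secret() {
    captured=$("$1" 2>&1)
    case "$captured" in
        *FAKEKEY-do-not-use-0123456789*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone demo: report which steps would have leaked into the log.
for step in leaky_step safe_step_capture safe_step_discard; do
    if log_contains_secret "$step"; then
        echo "$step: secret visible in log"
    else
        echo "$step: log clean"
    fi
done
```

In a real GitHub Actions step the captured non-secret value (here the key name) can be handed to later steps through `$GITHUB_OUTPUT` instead of being printed, and the secret itself never has to touch the log. Note that `safe_step_capture` also discards stderr, for the reason given in the list above: the CLI's error messages can carry the credential too.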
Attack Path and Compromised Credentials
The attack path and compromised credentials in the Azure leak are quite concerning. Hundreds of user accounts and environments in Microsoft's Azure Platform have been compromised in a data breach by hackers targeting corporate cloud accounts.
The campaign included user impersonation, data extraction, financial fraud, and more. The attacks were carried out by hacking groups located in Nigeria and Russia, operating through proxy services and using malicious links embedded in documents that led victims to phishing websites.
The compromised internal Azure server was associated with the functioning of the Bing search engine and had been used to store scripts, configuration, and code containing sensitive data such as credentials, passwords, and keys used by the company's employees to access enterprise databases and systems.
A total of 97,000 Microsoft Exchange servers have been found susceptible to a critical privilege escalation vulnerability in the latest zero-day, CVE-2024-21410. This vulnerability allows unauthorized attackers to remotely access and relay Windows NT LAN Manager (NTLM) hashes, which can then be used to leak credentials and impersonate legitimate users.
Here's a list of the compromised data:
- Code
- Scripts
- Configuration files
- Passwords
- Keys
- Credentials
Microsoft Credentials Compromised
Microsoft's Azure platform has been subject to a major data breach, compromising hundreds of executive accounts, including cloud account takeovers and phishing attempts.
The breach exposed sensitive employee credentials and internal company files to the internet, raising serious concerns about data security protocols within the organization.
In addition to the Azure breach, a critical zero-day vulnerability in Microsoft Exchange servers has been disclosed, allowing unauthorized attackers to remotely access and relay Windows NT LAN Manager (NTLM) hashes.
Up to 97,000 Exchange servers may be susceptible to the flaw, which has a severity rating of 9.1.
A researcher indicated that the data from the Microsoft leak could be used for further compromise, both by aiding attackers in identifying how Microsoft handles the storage of its internal resources and through the use of the leaked credentials in attack campaigns.
The data leak was identified through an open and public storage server hosted on Microsoft's Azure cloud service by researchers Can Yoleri, Murat Özfidan, and Egemen Koçhisarlı.
The data accessible online included a myriad of sensitive information such as code, scripts, and configuration files containing passwords, keys, and credentials utilized by Microsoft employees for accessing internal databases and systems.
Here's a breakdown of the compromised credentials:
The data leak has highlighted problems in Microsoft's security posture, with cybersecurity experts and government officials criticizing the company for not taking accountability for security incidents and slow response times to reported flaws.
Identify Privileged Foreign Apps
Many foreign apps, such as TikTok and WeChat, have been found to have access to sensitive user data, including location, contact information, and browsing history.
This is particularly concerning for organizations that allow employees to use these apps on company devices.
Some foreign apps, like TikTok, have been linked to data breaches and cybersecurity threats.
These apps often use weak encryption methods, making it easier for hackers to access user data.
In 2020, it was reported that a data breach on TikTok exposed the data of over 200 million users.
Organizations should be cautious when allowing employees to use foreign apps on company devices.
This includes conducting thorough risk assessments and implementing strict security controls.
Frequently Asked Questions
What does a data leak do?
A data leak can cause sensitive information to be exposed, potentially leading to loss or malicious exploitation. This can result in serious consequences, making it essential to understand how to prevent and respond to data leaks.
Sources
- https://www.paloaltonetworks.com/blog/prisma-cloud/secrets-leakage-user-error-azure-cli/
- https://www.spiceworks.com/it-security/vulnerability-management/news/azure-microsoft-exchange-servers-active-exploitation-hackers/
- https://www.darkreading.com/cloud-security/microsoft-azure-data-leak-exposes-dangers-of-file-sharing-links
- https://posts.specterops.io/microsoft-breach-what-happened-what-should-azure-admins-do-da2b7e674ebc
- https://thecyberexpress.com/microsoft-leak-internal-azure-server/