As most businesses move their operations to the Cloud, misconfigurations have become common, and they can lead to data exfiltration. In this article, we discuss the recent Microsoft data breach, which potentially led to the exfiltration of customers’ data.

Microsoft recently disclosed that it unknowingly leaked business transaction data between potential customers and the software giant. However, it tried to downplay the leak after cybersecurity firm SOCRadar claimed the exposure affected 65,000 entities worldwide, many of them well-known enterprises.

In a recent blog post, Microsoft said: “The misconfiguration gave potential unauthenticated access to business transaction data corresponding to interactions between prospective customers and Microsoft, like planning or potential provisioning and implementation of Microsoft services.”

The exposed information includes names, phone numbers, company names, email addresses, email content, and attached business documents. According to the post, Microsoft quickly responded and secured the storage system by enabling an authentication requirement. Microsoft further added in the blog that its investigation “found no indication that systems or customer accounts got compromised.”

While the blog post states that Microsoft is notifying affected customers, it also criticizes SOCRadar, the cybersecurity company that informed Microsoft about the leak, for “exaggerating” the scale of the leak.


Exaggerated Claims By SOCRadar?

In its blog post, SOCRadar researchers said misconfigured servers counted among the top data leak causes and, referring to the 2022 SANS Top New Attacks and Threat Report, commented that cloud data exposure is a common attack avenue. On September 24, SOCRadar notified Microsoft about the leak, which they said occurred through a misconfigured online storage system.

SOCRadar added that the misconfigured Microsoft storage held sensitive data belonging to 65,000 entities across 111 nations. Specifically, Microsoft stored the exposed data in Azure Blob Storage, which is designed for storing and analyzing large amounts of unstructured data.

Virginia-based SOCRadar claimed that the leak included Statement of Work (SoW) and Proof-of-Execution (PoE) documents, user information, PII (Personally Identifiable Information), product orders/offers, project details, and documents that can reveal intellectual property claims. Additionally, the cybersecurity firm found 335,000 emails in the leak.


SOCRadar discovered the exposed data through its product that scans the internet for misconfigured cloud servers exposing sensitive data. The blog further adds that it is unclear whether any threat actors managed to access or copy data from the misconfigured Microsoft server. However, if they did, the hackers now have plenty of information on numerous organizations that they can exploit for further attacks.

After investigating the misconfigured server, SQLServer databases, and other files, the SOCRadar team discovered 2.4TB of publicly available data containing Microsoft accounts’ sensitive information. It included files from 2017 to August 2022.


Microsoft: SOCRadar Playing With Numbers

In its blog post, Microsoft accused SOCRadar of inflating the breach’s severity:

“Our in-depth data set analysis shows mimicked information containing multiple references to the same users, emails, and projects. We understand it is a serious issue but are disappointed that the SOCRadar team exaggerated the numbers involved in the breach.”


Microsoft is also disappointed because SOCRadar created a search tool enabling affected customers to see whether their data was leaked. The issue is that anyone (including a journalist, business, or hacker) can type an organization’s name into the search tool and see whether it was affected by the leak. Users can get more details about the leak if they register for the free edition of the SOCRadar Cyber Threat Intelligence product.

Microsoft suggests that SOCRadar implement a reasonable verification system to ensure the search tool delivers the results to verified victims before forwarding them to the public.

The allegations did not gain much ground because it seems that the SOCRadar team reviews each free request for the Cyber Threat Intelligence product before it grants access. Also, users can only search results about one corporate domain in the free access option.

Microsoft declined to comment and did not confirm how many customers got affected.


What Steps did Microsoft Take?

After being notified of the misconfiguration, Microsoft quickly secured the endpoint, which can now be accessed only with the required authentication. Microsoft maintains that its investigation found no indication that systems or customer accounts were compromised, and it directly notified the affected customers.

It said in its blog post, “We are working to improve the processes for further preventing a similar misconfiguration and performing due diligence to investigate and maintain the security of all Microsoft endpoints.”


How to Protect Against Data Exfiltration in the Cloud?

Since data exfiltration can happen in various ways, as seen above, organizations wanting to keep their data out of malicious hands must adopt a multi-pronged defense. They can implement the following measures to prevent another misconfiguration incident:

  • Audit the established network security rules for internal resources.
  • Audit the services running on hosts and ensure the principle of least privilege is enforced for all domain accounts configured to run services.
  • Expand the scope of the mechanisms that detect security rule misconfigurations.
  • Add alerting to service teams when security rule misconfigurations are detected.
  • Automate the data exfiltration prevention plan.
  • Periodically review your configurations and ensure you take advantage of all the available protections.
  • Provide adequate training: many enterprises fall victim because their staff lack the skills required to securely configure and migrate to the Cloud.
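As an added example (not code from the article, Microsoft, or SOCRadar), the following Python audits an exported Azure storage inventory for containers that are readable without authentication, the class of Blob Storage misconfiguration discussed above, and turns each finding into an alert line for the owning service team. The property names allowBlobPublicAccess and publicAccess are real Azure storage properties; the inventory itself is constructed sample data, and the export format is an assumption.

```python
import json

# Constructed sample inventory shaped like `az storage account list` plus
# `az storage container list` output (not real accounts or containers).
SAMPLE_INVENTORY = json.dumps({"accounts": [
    {"name": "salesdocs01", "allowBlobPublicAccess": True, "containers": [
        {"name": "sow-archive", "properties": {"publicAccess": "container"}},
        {"name": "quotes", "properties": {"publicAccess": "blob"}},
        {"name": "internal", "properties": {"publicAccess": None}}]},
    {"name": "hrrecords02", "allowBlobPublicAccess": False, "containers": [
        {"name": "payroll", "properties": {"publicAccess": "blob"}}]}]})


def find_public_containers(inventory_json):
    """Return containers readable without authentication.

    A container is anonymously readable only when the storage account allows
    public blob access AND the container sets its own public access level;
    allowBlobPublicAccess=False at account level overrides any container
    setting, so hrrecords02/payroll is NOT reported.
    """
    findings = []
    for acct in json.loads(inventory_json)["accounts"]:
        if not acct.get("allowBlobPublicAccess", False):
            continue  # account-level block in place
        for c in acct["containers"]:
            level = (c.get("properties") or {}).get("publicAccess")
            if level in ("blob", "container"):
                findings.append({
                    "account": acct["name"], "container": c["name"], "level": level,
                    # "container" also lets anonymous users enumerate blob names
                    "severity": "high" if level == "container" else "medium"})
    return findings


def format_alerts(findings):
    """One alert line per finding, ready to forward to the owning service team."""
    return [f"[{f['severity'].upper()}] {f['account']}/{f['container']}: "
            f"anonymous access level '{f['level']}'" for f in findings]


if __name__ == "__main__":
    for line in format_alerts(find_public_containers(SAMPLE_INVENTORY)):
        print(line)
```

The corrective setting that the audit checks first is the account-level switch, which is what turning on an authentication requirement for the whole endpoint amounts to; a scheduled run of this check over a fresh export is one way to implement the detection and alerting items above.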


Expert Comments

  • Ensar Şeker, VP of Research and CISO, SOCRadar

“We did not download any data. Our Engine crawled the data, but as promised to Microsoft, we did not share any data and deleted all the crawled data from our systems.”

“We redirect all the users to MSRC if they want to view the original data. They can search via metadata (domain name, company name, and email). Since Microsoft pressured us, we had to take down our query page.”

“We are highly disappointed by the MSRC’s accusations and comments after all the support and cooperation offered by us that prevented a global cyber disaster.”


  • Erich Kron, security awareness advocate, KnowBe4

Some of the exposed data may seem trivial, but if SOCRadar’s details are correct, “it can include some sensitive information regarding potential customers’ network and infrastructure configuration. The information is valuable for potential threat actors looking for vulnerabilities in one of the affected organizations’ networks.”

“It is something enterprises hosting data and applications in one of the various cloud platforms must understand,” he added. “Policies like double checking configuration changes, or another person confirming them, is not a bad idea when the result can lead to the sensitive data exposure.”


Final Words

The misconfiguration of Microsoft’s cloud account is not an isolated case. As more enterprises move their digital business operations to the Cloud, misconfigurations are becoming common. Such misconfigurations can lead to data exposure, which puts organizations at risk because threat actors can abuse or misuse potentially sensitive information. Preventing damage from misconfigurations may seem complicated, but it is possible with the right security strategies.
