Microsoft this week confirmed that it inadvertently exposed
information related to thousands of customers following a security
lapse that left an endpoint publicly accessible over the internet
without any authentication.
“This misconfiguration resulted in the potential for
unauthenticated access to some business transaction data
corresponding to interactions between Microsoft and prospective
customers, such as the planning or potential implementation and
provisioning of Microsoft services,” Microsoft said[1]
in an alert.
The misconfiguration of the Azure Blob Storage was spotted on
September 24, 2022, by cybersecurity company SOCRadar, which termed
the leak BlueBleed. Microsoft said it’s in the
process of directly notifying impacted customers.
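The exposure described above comes down to two Azure settings lining up: the storage account's account-level switch that permits anonymous blob access, and a container whose access level is set to "blob" or "container" instead of private. The following audit script is an added example, not code from Microsoft, SOCRadar or this article. It runs offline on a constructed inventory whose field names follow the JSON shape emitted by `az storage account list` (`allowBlobPublicAccess`) and `az storage container list` (`properties.publicAccess`); the account, resource group and container names are hypothetical. It reports every container that is reachable anonymously and emits the Azure CLI commands that close the exposure.

```python
"""Audit an Azure storage inventory for anonymous (unauthenticated) blob access.

Added example, not code from Microsoft, SOCRadar or the article. Works offline on a
constructed inventory; field names follow the Azure CLI JSON output, but the
account/container names and values below are invented for illustration.
"""
import json

# Constructed inventory (assumption): what an auditor would collect by running
#   az storage account list
#   az storage container list --account-name <account>
# and nesting each account's containers under it.
INVENTORY_JSON = """
[
  {"name": "salesexportsprod", "resourceGroup": "rg-sales",
   "allowBlobPublicAccess": true,
   "containers": [
     {"name": "invoices", "properties": {"publicAccess": "container"}},
     {"name": "orders",   "properties": {"publicAccess": "blob"}},
     {"name": "internal", "properties": {"publicAccess": null}}
   ]},
  {"name": "hardenedlogs", "resourceGroup": "rg-sec",
   "allowBlobPublicAccess": false,
   "containers": [
     {"name": "audit", "properties": {"publicAccess": "container"}}
   ]}
]
"""

# Container access levels that permit anonymous reads.
#   "blob":      any blob can be fetched by URL without credentials
#   "container": blobs can be fetched AND listed, which is what lets bucket
#                indexing services enumerate the contents
ANONYMOUS_LEVELS = ("blob", "container")


def find_public_exposure(inventory):
    """Return (account, container, level) for every anonymously readable container.

    A container is only reachable without authentication when BOTH the account's
    allowBlobPublicAccess switch is true AND the container's own publicAccess is
    "blob" or "container". The account-level switch overrides the container.
    """
    findings = []
    for acct in inventory:
        if not acct.get("allowBlobPublicAccess", False):
            continue  # account-level switch blocks anonymous access outright
        for container in acct.get("containers", []):
            level = (container.get("properties") or {}).get("publicAccess")
            if level in ANONYMOUS_LEVELS:
                findings.append((acct["name"], container["name"], level))
    return findings


def remediation_commands(findings, inventory):
    """Azure CLI commands that close each finding and then the account-level switch."""
    resource_group = {acct["name"]: acct["resourceGroup"] for acct in inventory}
    commands = []
    for account, container, _level in findings:
        commands.append(
            f"az storage container set-permission --account-name {account} "
            f"--name {container} --public-access off"
        )
    # One account-level hardening command per affected account, in finding order.
    for account in dict.fromkeys(account for account, _c, _l in findings):
        commands.append(
            f"az storage account update --name {account} "
            f"--resource-group {resource_group[account]} "
            f"--allow-blob-public-access false"
        )
    return commands


def audit(inventory_json=INVENTORY_JSON):
    """Parse the inventory, return (findings, commands)."""
    inventory = json.loads(inventory_json)
    findings = find_public_exposure(inventory)
    return findings, remediation_commands(findings, inventory)


if __name__ == "__main__":
    found, cmds = audit()
    for account, container, level in found:
        print(f"EXPOSED  {account}/{container}  (publicAccess={level})")
    print("\nRemediation:")
    print("\n".join(cmds))
```

Note that `hardenedlogs/audit` is not reported even though its container level is "container": the account-level switch is off, so the container setting alone cannot expose data. That asymmetry is why the account-level setting is the one worth alerting on first in an inventory sweep.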
The Windows maker did not disclose the scale of the data leak,
but according to SOCRadar, it affects more than 65,000 entities in
111 countries. The exposure amounts to 2.4 terabytes of data that
consists of invoices, product orders, signed customer documents,
and partner ecosystem details, among other things.
“The exposed data include files dated from 2017 to August 2022,”
SOCRadar said[2].
Microsoft, however, has disputed the extent of the issue,
stating that the data included names, email addresses, email content,
company names, phone numbers, and attached files relating to
business “between a customer and Microsoft or an authorized
Microsoft partner.”
It also claimed in its disclosure that the threat intel company
“greatly exaggerated” the scope of the problem as the data set
contains “duplicate information, with multiple references to the
same emails, projects, and users.”
On top of that, Redmond expressed its disappointment over
SOCRadar’s decision to release a public search
tool[3] that it said exposes
customers to unnecessary security risks.
SOCRadar, in a follow-up post[4]
on Thursday, likened the BlueBleed search engine to data breach
notification service “Have I Been Pwned,” enabling organizations to
search if their data was exposed in a cloud data leak.
The cybersecurity vendor also said it has temporarily suspended
any BlueBleed queries as of October 19, 2022, following Microsoft’s
request.
“Microsoft being unable (read: refusing) to tell customers what
data was taken and apparently not notifying regulators – a legal
requirement – has the hallmarks of a major botched response,”
security researcher Kevin Beaumont tweeted[5]. “I hope it isn’t.”
Beaumont further said the Microsoft bucket “has been publicly
indexed for months” by services like Grayhat
Warfare[6] and that “it’s even in
search engines.”
There is no evidence that the information was improperly
accessed by threat actors prior to the disclosure, but such leaks
could be exploited for malicious purposes such as extortion, social
engineering attacks, or a quick profit.
“While some of the data that may have been accessed seems
trivial, if SOCRadar is correct in what was exposed, it could
include some sensitive information about the infrastructure and
network configuration of potential customers,” Erich Kron, security
awareness advocate at KnowBe4, told The Hacker News in an
email.
“This information could be valuable to potential attackers who
may be looking for vulnerabilities within one of these
organizations’ networks.”
References
[1] said (msrc-blog.microsoft.com)
[2] said (socradar.io)
[3] public search tool (socradar.io)
[4] follow-up post (socradar.io)
[5] tweeted (twitter.com)
[6] Grayhat Warfare (buckets.grayhatwarfare.com)
Read more https://thehackernews.com/2022/10/microsoft-confirms-server.html