Media
Ransomware gangs are renowned for infighting. They squabble, they attack each other; they form alliances and desert them just as quickly. The results of this internecine conflict are often fruitful for cybersecurity researchers: take, for example, the leaking of malware code from Babuk, hacked in 2021 by cybercriminals disgruntled at being cheated by the notorious ransomware gang. The code was subsequently deployed by 10 additional ransomware gangs to target VMware and ESXi servers, and spawned a string of variants that researchers have been busily patching ever since.
What was interesting about this particular family of malware, however, was that it targeted the Linux operating system – a fast favourite of developers involved in building virtual machines in cloud-based web systems, web hosting for live websites or IoT devices. Its use has spiked in recent years, with an estimated 14 million internet-facing devices running on Linux on any given day, in addition to 46.5% of the top million websites by traffic and a whopping 71.8% of IoT devices.
That’s great news for advocates of open-source software development, for which Linux has always been an example of what can be achieved when coding communities collaborate unencumbered by anything as vile as a corporate culture or a profit motive. It’s also thoroughly frightening for some cybersecurity experts. Not only is there a marked lack of ongoing research into the security of Linux-based systems as opposed to those based on more mainstream operating systems, but also no formal, overarching system for patching the vulnerabilities in this OS. Instead, as befits an open-source creation, ‘flavours’ of Linux are patched on an ad-hoc basis by developers with time and intellect to spare – a precious resource amid a veritable tsunami of cybercrime. Attackers are starting to notice. Last year, AtlasVPN found that over 1.9 million new malware threats had been detected – a year-on-year increase of 50%.
Linux security
It wasn’t always this way. Bharat Mistry remembers when hackers were more concerned with hacking open old Windows systems. “I think the reason why cybercriminals stayed away was because they thought the popularity wasn’t there,” says Trend Micro’s technical director for the UK and Ireland. Imbued with lower automatic access rights and other features intended to obstruct the easy movement of malware, Linux also had a reputation for being secure by design. “But over the last six years, certainly with cloud usage, it’s [usage has] exponentially grown,” says Mistry, thereby increasing its number of potential vulnerabilities. “It’s used for everything.”
That’s largely because it’s a cheap and cheerful alternative to the mainstream OS brands, explains Mistry, with many different flavours of unlicensed Linux available. “When you look at things like web servers that are hosted in the cloud, [why] should I pay for a Windows licence?” says Mistry, speaking from the vantage point of a wily, money-conscious startup. A Linux alternative is “cheap as chips and does what I want it to do. I can put Apache on there… and get the performance that I want without the additional cost that goes with it.”
Unfortunately, if an OS is built and maintained according to the principles of open source, that means that the hackers intent on suborning it for their own ends don’t have to guess where the vulnerabilities in the system are, but instead can simply source them on GitHub and similar software forums. For his part, Ensar Seker is worried about the implications this has for the use of virtual machines (VMs) in the cloud. Invariably housing valuable corporate secrets, “virtual machines often lack the same level of security monitoring as physical systems, making it easier for attackers to go undetected for a longer period of time,” explains the chief information security officer at digital risk protection platform SOCRadar.
VMs are especially common within the financial sector. “Consider personal banking apps,” says Mistry, most of which are connected to a cloud service. “Chances are that it’s going to be a Linux-based web server that’s taking the requests.”
The fact that an overwhelming majority of the software on IoT devices is based on Linux should also be a cause of concern, adds the analyst, especially given the level of growth predicted for the smart device market over the coming decade. More ominously, adds Mistry, “we’re seeing Linux being used more and more in critical systems,” given how easy it is to fork and tailor variants of the OS to suit niche tasks compared to its mainstream competitors.
A string of household names lately have been responsible for misconfigured cloud storage buckets overflowing with wide-open data — once again shining a light on a cybersecurity problem for which there seemingly is no plug.
Just last week, security researcher Anurag Sen revealed that an Amazon server had exposed data on the viewing habits of Amazon Prime members. During the same period, news and media conglomerate Thomson Reuters acknowledged that three misconfigured servers had exposed 3TB of data through public-facing ElasticSearch databases, according to Cybernews, which revealed the issues.
And in mid-October, Microsoft acknowledged that it left a misconfigured cloud endpoint open that could expose customer data, such as names, email addresses, email content, and phone numbers.
"The issue was caused by an unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem and was not the result of a security vulnerability," Microsoft said in its statement on the misconfigured server. "We are working to improve our processes to further prevent this type of misconfiguration and performing additional due diligence to investigate and ensure the security of all Microsoft endpoints."
And indeed, the leaks are caused by a variety of misconfigurations rather than any bugs — ranging from insecure read-and-write permissions to improper access lists and misconfigured policies — all of which could allow threat actors to access, copy, and possibly alter sensitive data from accessible data stores.
"The main concern with this kind of leak is the high impact, and that is why the threat actors go after misconfigured storage [servers] and buckets," says Ensar Şeker, CISO at SOCRadar, the cybersecurity firm that discovered the Microsoft issue. "Once they discover [the accessible data], the bucket might ... contain huge amounts of sensitive data for one tenant [or] numerous tenants."
The security impact of misconfigured storage is not a new issue. The problem regularly ranks in the top 10 security issues included in the popular Open Web Application Security Project (OWASP) Top 10 security list. In 2021, Security Misconfiguration took the No. 5 spot, up from No. 6 in 2017. The annual "Data Breach Investigations Report," published by Verizon Business, also notes the outsized impact of misconfigured cloud storage: human errors accounted for 13% of all breaches in 2021, with the report noting that misconfiguration "heavily influenced" the result.
Rogue Servers: A Stealth Cloud Security Problem
Overall, 81% of organizations have experienced a security incident related to their cloud services over the past 12 months, with almost half (45%) suffering at least four incidents, according to Venafi. The increase in complexity of cloud-based and hybrid infrastructure, along with a lack of visibility into that infrastructure, has caused the increase in incidents, says Sitaram Iyer, senior director of cloud-native solutions at Venafi.
"Yes, misconfigured cloud storage is one of the primary reasons for data leaks — I do believe that this is a trend," he says. "The increase in this trend is most often due to misconfiguration related to access controls: While only authorized users need to be allowed access to cloud storage, a simple mistake in configuration often enables [any] authenticated users to gain access."
Yet, often misconfiguration is not the original sin — instead, a worker or developer will deploy a "shadow" server, a container or storage bucket not known to the information-technology department and, thus, not managed by the company. "Shadow" data — stored in cloned databases, test environments, unmanaged backups, and data analysis pipelines — is the main threat, says Amit Shaked, CEO and co-founder of Laminar, a cloud data security platform.
"Because it is unknown, it is at extra risk for exposure, which makes it a popular target for adversaries," he says.
Better DevOps Automation Could Help
Companies should regularly monitor their cloud assets to detect when a datastore or storage bucket may have been exposed to the public internet. In addition, when deploying cloud storage, using infrastructure-as-code (IaC) configuration files not only automates deployments but helps eliminate errors, according to data from Snyk, a maker of security services for the software supply chain.
Adopting IaC reduces cloud misconfigurations by 70%, according to the firm.
"When IaC isn’t being used, or when runtime misconfigurations can’t be tied back to the IaC templates that were used to create and manage an environment, it’s common for the same vulnerability to appear over and over again after remediation," Manoj Nair, chief product officer at Snyk, said in a statement sent to Dark Reading.
Part of the issue continues to be the division of responsibilities between cloud providers and their business customers. While the responsibility for configuring cloud assets belongs to the customer, the cloud service should make properly configuring a cloud asset as easy as possible, Venafi's Iyer says.
"Principle of least privilege must be adopted for every aspect of the data," he says. "Access to data must be provided as needed, with proper controls and authorization policies that tie it to a specific user or service account, and proper logging of access and notifications must be implemented."
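One way to implement the asset monitoring this section recommends, as an added example that is not from any of the articles quoted here: a small Python audit that flags storage containers exposed to anonymous readers. The record shape (account-level `allowBlobPublicAccess`, container-level `properties.publicAccess`) is an assumption modelled on Azure CLI JSON output, and the sample accounts are constructed for the example.

```python
"""Audit storage account/container records for anonymous (public) blob access.

Added example; not code from the articles above. Record shape is an
assumption modelled on Azure CLI output: a storage account carries
`allowBlobPublicAccess`, each container carries `properties.publicAccess`
("blob", "container", or None). Sample data below is constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Container access levels that permit unauthenticated reads.
PUBLIC_LEVELS = {"blob", "container"}


@dataclass(frozen=True)
class Finding:
    account: str
    container: str
    level: str      # "blob": anonymous read of known blob URLs; "container": anonymous listing too
    severity: str   # "high" when anonymous listing is possible, otherwise "medium"
    fix: str        # suggested remediation command


def account_allows_public(account: dict) -> bool:
    """Account-level switch. An unset flag is treated as allowed here, which is
    the conservative assumption for older accounts created before the flag existed."""
    flag = account.get("allowBlobPublicAccess")
    return flag is None or bool(flag)


def container_level(container: dict) -> Optional[str]:
    return (container.get("properties") or {}).get("publicAccess")


def audit(accounts: Iterable[dict]) -> List[Finding]:
    """Return one Finding per container that is effectively public.

    Effective exposure needs both: the account permits public access AND the
    container's own access level is "blob" or "container". A locked account
    masks misconfigured containers, so those are skipped rather than reported.
    """
    findings: List[Finding] = []
    for acct in accounts:
        if not account_allows_public(acct):
            continue
        for cont in acct.get("containers", []):
            level = container_level(cont)
            if level not in PUBLIC_LEVELS:
                continue
            severity = "high" if level == "container" else "medium"
            fix = (f"az storage container set-permission --name {cont['name']} "
                   f"--account-name {acct['name']} --public-access off")
            findings.append(Finding(acct["name"], cont["name"], level, severity, fix))
    return findings


# Constructed sample: one account with mixed containers, one locked at the
# account level, and one legacy account where the flag was never set.
SAMPLE_ACCOUNTS = [
    {"name": "contoso-prod", "allowBlobPublicAccess": True, "containers": [
        {"name": "backups", "properties": {"publicAccess": "container"}},
        {"name": "logs", "properties": {"publicAccess": None}},
        {"name": "assets", "properties": {"publicAccess": "blob"}},
    ]},
    {"name": "contoso-locked", "allowBlobPublicAccess": False, "containers": [
        {"name": "exports", "properties": {"publicAccess": "container"}},
    ]},
    {"name": "legacy", "allowBlobPublicAccess": None, "containers": [
        {"name": "share", "properties": {"publicAccess": "blob"}},
    ]},
]


if __name__ == "__main__":
    for f in audit(SAMPLE_ACCOUNTS):
        print(f"[{f.severity}] {f.account}/{f.container} publicAccess={f.level}\n    fix: {f.fix}")
```

Feeding the real `az storage account show` / `az storage container list` JSON into `audit` turns it into a scheduled check; the account-level `--allow-blob-public-access false` switch is the broader fix when no container legitimately needs anonymous reads.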
In a statement sent to Dark Reading, an Amazon spokesperson said of the Prime Video case: "There was a deployment error with a Prime Video analytics server. This problem has been resolved and no account information (including login or payment details) were exposed."
Microsoft said today that some of its customers' sensitive information was exposed by a misconfigured Microsoft server accessible over the Internet.
The company secured the server after being notified of the leak on September 24, 2022 by security researchers at threat intelligence firm SOCRadar.
"This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provisioning of Microsoft services," the company revealed.
"Our investigation found no indication customer accounts or systems were compromised. We have directly notified the affected customers."
According to Microsoft, the exposed information includes names, email addresses, email content, company name, and phone numbers, as well as files linked to business between affected customers and Microsoft or an authorized Microsoft partner.
Redmond added that the leak was caused by the "unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem" and not due to a security vulnerability.
Leaked data allegedly linked to 65,000 entities worldwide
While Microsoft refrained from providing any additional details regarding this data leak, SOCRadar revealed in a blog post published today that the data was stored on misconfigured Azure Blob Storage.
In total, SOCRadar claims it was able to link this sensitive information to more than 65,000 entities from 111 countries stored in files dated from 2017 to August 2022.
"On September 24, 2022, SOCRadar's built-in Cloud Security Module detected a misconfigured Azure Blob Storage maintained by Microsoft containing sensitive data from a high-profile cloud provider," SOCRadar said.
The threat intel company added that, from its analysis, the leaked data "includes Proof-of-Execution (PoE) and Statement of Work (SoW) documents, user information, product orders/offers, project details, PII (Personally Identifiable Information) data, and documents that may reveal intellectual property."
Microsoft added today that it believes SOCRadar "greatly exaggerated the scope of this issue" and "the numbers."
Furthermore, Redmond said that SOCRadar's decision to collect the data and make it searchable using a dedicated search portal "is not in the best interest of ensuring customer privacy or security and potentially exposing them to unnecessary risk."
According to a Microsoft 365 Admin Center alert regarding this data breach published on October 4, 2022, Microsoft is "unable to provide the specific affected data from this issue."
The company's support team also reportedly told customers who reached out that it would not notify data regulators because "no other notifications are required under GDPR" besides those sent to impacted customers.
The exposed data includes, for example, emails from US .gov, talking about O365 projects, money etc - I found this not via SOCRadar, it's cached.
A post in M365 Admin Center, ignoring regulators and telling acct managers to blow off customers ain't going to cut it.
— Kevin Beaumont (@GossiTheDog) October 20, 2022
Online tool to search the leaked data
SOCRadar's data leak search portal is named BlueBleed and it allows companies to find if their sensitive info was also exposed with the leaked data.
Besides what was found inside Microsoft's misconfigured server, BlueBleed also allows searching for data collected from five other public storage buckets.
In Microsoft's server alone, SOCRadar claims to have found 2.4 TB of data containing sensitive information, with more than 335,000 emails, 133,000 projects, and 548,000 exposed users discovered while analyzing the leaked files until now.
Per SOCRadar's analysis, these files contain customer emails, SOW documents, product offers, POC (Proof of Concept) works, partner ecosystem details, invoices, project details, customer product price list, POE documents, product orders, signed customer documents, internal comments for customers, sales strategies, and customer asset documents.
"Threat actors who may have accessed the bucket may use this information in different forms for extortion, blackmailing, creating social engineering tactics with the help of exposed information, or simply selling the information to the highest bidder on the dark web and Telegram channels," SOCRadar warned.
"No data was downloaded. Some of the data were crawled by our engine, but as we promised to Microsoft, no data has been shared so far, and all this crawled data was deleted from our systems," SOCRadar VP of Research and CISO Ensar Şeker told BleepingComputer.
"We redirect all our customers to MSRC if they want to see the original data. Search can be done via metadata (company name, domain name, and email). Due to persistent pressure from Microsoft, we even have to take down our query page today.
"On this query page, companies can see whether their data is published anonymously in any open buckets. You can think of it like a B2B version of haveIbeenpwned. The leaked data does not belong to us, so we keep no data at all.
"We are highly disappointed about MSRC’s comments and accusations after all the cooperation and support provided by us that absolutely prevented the global cyber disaster."
Update October 19, 14:44 EDT: Added more info on SOCRadar's BlueBleed portal.
Update October 20, 08:15 EDT: Added SOCRadar statement and info on a notification pushed by Microsoft through the M365 admin center on October 4th.
Threat intelligence company SOCRadar is claiming a misconfigured Microsoft server wound up exposing years of sensitive data for tens of thousands of its customers, including personally identifiable information, user data, product and project details and intellectual property.
Meanwhile, Microsoft has acknowledged the error but accused the researchers of “exaggerating” the scope of the impact.
On Wednesday SOCRadar published a blog post stating that their cloud security monitoring platform identified an exposed Azure Blob server bucket that contained sensitive, non-public data for more than 65,000 Microsoft customers across 111 countries. The company said the leak, which they are calling BlueBleed, includes proofs of concept and statements of work, personally identifiable information, intellectual property, product orders, project details and other user information.
In an interview, SOCRadar Chief Information Security Officer Ensar Seker told SC Media that the server was found by their cloud monitoring engine, which crawls the public internet for misconfigured servers and assets. Upon discovering the exposed Azure server, he said they immediately stopped crawling, sent alerts out to their customers and notified Microsoft. They also created a search tool that would allow potentially affected customers to search for metadata that would confirm they were part of the breach.
“First we informed Microsoft about this, and they said ‘you need to delete all the data,’" Seker said. "That’s what we did, and we are not analyzing any data, we’re just keeping the metadata, which is the domain name, company name and email. If any of these things are mentioned in the exposed data, we just tell the customers you are involved in the incident, that’s all."
“We shared every single piece of information from the beginning with Microsoft, and we have kept them informed at all times,” Seker added.
How bad is it? Microsoft versus SOCRadar
In a blog posted the same day, Microsoft’s Security Response center confirmed the incident, saying a misconfigured endpoint resulted in the potential for unauthorized access to certain customer data.
“The business transaction data included names, email addresses, email content, company name, and phone numbers, and may have included attached files relating to business between a customer and Microsoft or an authorized Microsoft partner,” Microsoft said Wednesday.
The server was reconfigured to make it private after notification and the dual releases were done under a coordinated vulnerability disclosure process, but Microsoft criticized SOCRadar’s characterization of the incident, saying they “have greatly exaggerated the scope of this issue.”
“Our in-depth investigation and analysis of the data set shows duplicate information, with multiple references to the same emails, projects, and users. We take this issue very seriously and are disappointed that SOCRadar exaggerated the numbers involved in this issue even after we highlighted their error,” the company said. “More importantly, we are disappointed that SOCRadar has chosen to release publicly a ‘search tool’ that is not in the best interest of ensuring customer privacy or security and potentially exposing them to unnecessary risk.”
But Seker told SC Media that’s not accurate. Some of the files Microsoft is claiming are duplicates were actually exposed data for different branches of the same multinational business. In many cases, he said these organizations appear to have separate leadership, financial accounts and IT architectures.
“Those are different entities according to us, but Microsoft says no, those are not different entities, those are all one account," he said. "But when you take a look at the organizations in the hierarchy, their CEOs are different, their accounts department is different, so they can’t be one account."
Risk management for impacted customers
Meanwhile, Seker said the creation of the search tool was done to help SOCRadar customers and others identify if they were affected. Initially they began referring potentially affected parties to Microsoft for validation, but Microsoft was telling entities they were unaffected when there were clearly file names and metadata that corresponded to their business.
Seker said they deleted the exposed data at Microsoft’s request and the search tool could only access filenames, which often included the name of the affected company. After further pressure from Microsoft, they also deleted the filename metadata from the leak, and now simply offer a yes or no answer to those who provide their company domain names and ask if they are affected.
A follow-up FAQ blog post the company is planning to release this week compares the service to the popular “Have I Been Pwned” site, where users can input their email address to learn if it has been attached to a data breach.
“The Bluebleed search only shows if a domain name was detected on this leak or not and does not publicly provide any other details about the searched domain names,” reads a draft of the blog obtained by SC Media. “What we aim with the Bluebleed search engine is basically an enterprise version of Have I Been Pwned where organizations can search if their data was exposed in some of the cloud data leaks [our engine] has detected so far. As a cyber threat intelligence company, we owe this to the community.”
It’s not immediately clear how long the information was publicly exposed or how far back the data goes. Seker said it was possible the information was publicly available for years, and said that while they don’t have direct evidence the data was accessed by a malicious party, it is highly possible that someone else discovered the leaked data before SOCRadar did. Meanwhile, security researcher and former Microsoft employee Kevin Beaumont said the leak was publicly indexed on search engines for months and some of the data goes back to 2014.
Beaumont criticized Microsoft’s response to the exposure and their history of “blaming the finders” of security issues instead of being transparent and taking accountability for their mistakes.
“Microsoft being unable (read: refusing) to tell customers what data was taken and apparently not notifying regulators - a legal requirement - has the hallmarks of a major botched response,” Beaumont wrote on Twitter. “I hope it isn’t.”
The bucket was one of six servers SOCRadar found that were misconfigured in a similar way, affecting a total of 150,000 entities, but Seker told SC Media the other exposed buckets are not from Microsoft.
Microsoft recently confirmed that a “misconfigured endpoint” was responsible for the exposure and leak of Microsoft customer data. The security lapse left an endpoint publicly accessible over the internet without any authentication.
The misconfiguration of the Azure Blob Storage was spotted on September 24, 2022, by cybersecurity company SOCRadar. The leak has been termed BlueBleed.
Even though Microsoft hasn’t revealed the exact number of impacted customers, SOCRadar suggests that the leak affected 65,000 entities in 111 countries.
A total of around 2.4 terabytes of data, consisting of invoices, product orders, signed customer documents, and partner ecosystem details, among other things, was leaked.
At the time of writing this article, Microsoft said that it’s in the process of directly notifying impacted customers.
In an alert, Microsoft stated that,
“This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provisioning of Microsoft services,”
Now SOCRadar has made its BlueBleed search portal available to Microsoft customers who might be concerned that they have been affected by the leak. That said, it seems Microsoft is not happy with the way SOCRadar handled this breach.
In an official statement, Microsoft stated that encouraging entities to use its search tool “is not in the best interest of ensuring customer privacy or security and potentially exposing them to unnecessary risk.”
In response, SOCRadar VP of Research and CISO Ensar Seker told BleepingComputer that,
“No data was downloaded. Some of the data were crawled by our engine, but as we promised to Microsoft, no data has been shared so far, and all this crawled data was deleted from our systems,”
“We redirect all our customers to MSRC (Microsoft 365 Admin Center Alert) if they want to see the original data. Search can be done via metadata (company name, domain name, and email). Due to persistent pressure from Microsoft, we even have to take down our query page today,” he added.
Microsoft servers have been subject to a breach that might have affected over 65,000 entities across 111 countries, according to the security research firm SOCRadar.
SOCRadar claims that it shared with Microsoft its findings, which detailed that a misconfigured Azure Blob Storage was compromised and might have exposed approximately 2.4TB of privileged data, including names, phone numbers, email addresses, company names, and attached files containing proprietary company information, such as proof of concept documents, sales data, product orders, among other information.
Having been made aware of the breach on September 24, 2022, Microsoft released a statement saying it had secured the compromised endpoint, which is “now only accessible with required authentication,” and that an investigation “found no indication customer accounts or systems were compromised.”
The company also stated that it has directly contacted customers that were affected by the breach.
However, SOCRadar also responded by making its BlueBleed search portal available to Microsoft customers who might be concerned they have been affected by the leak. The security firm noted that while Microsoft might have taken swift action on fixing the misconfigured server, its research was able to connect the 65,000 entities uncovered to file data dated between 2017 and 2022, according to Bleeping Computer.
Microsoft has not been pleased with SOCRadar’s handling of this breach, having stated that encouraging entities to use its search tool “is not in the best interest of ensuring customer privacy or security and potentially exposing them to unnecessary risk.”
The research firm insists that it has not overstepped any privacy protocols in its work and none of the information it uncovered was saved on its end.
“No data was downloaded. Some of the data were crawled by our engine, but as we promised to Microsoft, no data has been shared so far, and all this crawled data was deleted from our systems,” SOCRadar VP of Research and CISO Ensar Şeker told BleepingComputer.
“We redirect all our customers to MSRC (Microsoft 365 Admin Center Alert) if they want to see the original data. Search can be done via metadata (company name, domain name, and email). Due to persistent pressure from Microsoft, we even have to take down our query page today,” he added.
Microsoft itself has not publicly shared any detailed statistics about the data breach.
A misconfiguration was found in Azure Blob Storage, Microsoft's cloud object storage service, which left a total of 2.4 TB of confidential Microsoft customer data publicly accessible. According to SOCRadar, the security company that discovered the problem, the exposed data included user information and business-related files, and 65,000 organizations in 111 countries were affected.
Sensitive Data of 65,000+ Entities in 111 Countries Leaked due to a Single Misconfigured Data Bucket
https://socradar.io/sensitive-data-of-65000-entities-in-111-countries-leaked-due-to-a-single-misconfigured-data-bucket/
Investigation Regarding Misconfigured Microsoft Storage Location - Microsoft Security Response Center
https://msrc-blog.microsoft.com/2022/10/19/investigation-regarding-misconfigured-microsoft-storage-location-2/
Microsoft data breach exposes customers’ contact info, emails
https://www.bleepingcomputer.com/news/security/microsoft-data-breach-exposes-customers-contact-info-emails/
Microsoft leaked 2.4TB of data belonging to sensitive customer. Critics are furious | Ars Technica
https://arstechnica.com/information-technology/2022/10/microsoft-under-fire-for-response-to-leak-of-2-4tb-of-sensitive-customer-data/
SOCRadar, which continuously monitors the web for data leaks, detected the Azure Blob Storage misconfiguration on September 24, 2022, and found that the accidentally exposed bucket contained sensitive data. The issue has been named "BlueBleed," and the sensitive data in the public bucket reportedly amounted to a massive 2.4 TB.
SOCRadar states that the sensitive data related to Microsoft and 65,000 organizations in 111 countries, and that more than 335,000 emails, 133,000 projects, and the information of 548,000 users were exposed. The accidentally exposed sensitive data reportedly also included product purchase orders, invoices, project details, documents relating to intellectual property, and internal assessments of partners.
Regarding SOCRadar's discovery, the Microsoft Security Response Center (MSRC) also issued a statement: "On September 24, 2022, SOCRadar notified Microsoft of a misconfigured endpoint. This misconfiguration resulted in the potential for unauthenticated access to some business transaction data exchanged between Microsoft and prospective customers, such as the planning or implementation of Microsoft services. Upon notification of the misconfiguration, the endpoint was quickly secured and is now accessible only with the required authentication. Our investigation found no indication that customer accounts or systems were compromised." SOCRadar also stated that Microsoft reconfigured the bucket to be private within hours of the notification, successfully reducing the risk of data exfiltration.
According to Microsoft, the issue was caused by an unintentional misconfiguration and does not mean that a vulnerability exists in the system. Microsoft is working to improve its processes to prevent this type of misconfiguration and is performing additional due diligence to investigate and ensure the security of all Microsoft endpoints.
While acknowledging the misconfiguration, Microsoft countered that the emails, projects, and user data in the public bucket contained duplicates and that "SOCRadar greatly exaggerated the scope of this issue." Microsoft also criticized SOCRadar's release of a tool called "BlueBleed" for checking whether data was leaked through this misconfiguration, saying it was "disappointed that SOCRadar has chosen to release publicly a 'search tool' that is not in the best interest of ensuring customer privacy or security and potentially exposing them to unnecessary risk."
In response, SOCRadar maintains that although BlueBleed's search engine crawled some of the data, all of it has been deleted from its systems. Ensar Şeker, SOCRadar's Vice President of Research, told the technology news site BleepingComputer: "On this query page, companies can anonymously check whether their data is published in any open buckets." "We keep no leaked data at all. We are highly disappointed about MSRC's comments and accusations after all the cooperation and support we provided to prevent a global cyber disaster."
Security researchers have also criticized Microsoft for notifying affected customers only via the Microsoft 365 Message Center and for responding to inquiries from affected customers by saying that it is "unable to provide the specific affected data from this issue."