Microsoft has experienced another security lapse after inadvertently exposing employee credentials via an unsecured Azure cloud server, which was accessible over the public Internet without a password for nearly a month after discovery.
SOCRadar security researchers Can Yoleri, Murat Özfidan, and Egemen Koçhisarlı told TechCrunch the unsecured cloud stored information related to Microsoft’s Bing search engine and risked significant data leaks.
The researchers notified Microsoft, which took nearly a month to secure the cloud. The Redmond, Washington-based tech giant also downplayed the risk the exposed credentials posed.
Microsoft’s exposed employee credentials risked significant data leaks
The researchers warned that the public storage server hosted on Microsoft’s Azure cloud service exposed critical assets that could compromise the company’s internal services.
It stored codes, scripts, and configuration files containing passwords, keys, and credentials used by Microsoft employees to access internal databases and systems.
They told TechCrunch that the exposed data could enable hackers to determine the storage locations of internal company files, resulting in “more significant data leaks and possibly compromise the services in use.”
However, Microsoft downplayed the risk posed by the exposed employee credentials, claiming they were “accessible only from internal networks, and disabled after testing.”
“If they have been reused on any other systems, they are potentially vulnerable,” warned Darren James, a Senior Product Manager at Specops Software.
Valid accounts obtained via compromised employee credentials are among the top 10 initial access vectors hackers leverage to infiltrate organizations, maintain persistence, and pivot to other systems.
“We can only hope that the data that may have been leaked, including passwords and API keys, have already been changed and updated,” added James.
Microsoft fixes unsecured Azure cloud server
On February 6, the researchers notified Microsoft of the exposed employee credentials, and the tech giant fixed the unsecured Azure cloud server 28 days later, on March 5, 2024.
It remains unclear how long the Azure cloud server was left unsecured and if any threat actors accessed the exposed employee credentials.
Similarly, Microsoft was not forthcoming on why fixing the unsecured Azure cloud server took nearly a month, exposing employee credentials for extended periods.
“It’s particularly concerning that it has taken a month to shut down this vulnerability,” James said, adding that, although Microsoft fixed the unsecured Azure cloud server, “these passwords will already be circulating on the dark web.”
“Organizations should look to continuously scan for breached passwords on their network and have remediations in place to quickly change them if detected as breached,” advised James.
Microsoft’s culture of insecurity
The security faux pas follows a scathing report by the US Cyber Safety Review Board (CSRB) that found a “cascade of security failures at Microsoft.”
Some of the “preventable” breaches highlighted by the CSRB include the Exchange Online hack that allowed Chinese state-sponsored threat actors Storm-0558 to access senior government officials’ inboxes after obtaining an email signing key.
Apart from Microsoft’s “corporate culture that deprioritized enterprise security investments,” as stated by the CSRB, Redmond is no stranger to data breaches stemming from internal employees’ rookie mistakes.
In 2022, Microsoft employees also inadvertently uploaded Azure login credentials to the company’s GitHub repositories, exposing internal systems to potential cyber attacks.
In March 2022, an infamous hacking group, LAPSUS$, known for stealing source code, compromised Microsoft’s Azure DevOps account and leaked Bing and Cortana source code. That data breach was likely related to Microsoft’s credential dump on GitHub.
“This latest security incident involving Microsoft demonstrates once again that even the most trusted service providers on the planet still make the most basic human cyber security errors,” James concluded.