The silhouette of Lorraine Bardeen, studio manager of mixed reality at Microsoft Corp., is seen during a presentation at the Microsoft Developers Build Conference in Seattle, Washington, U.S., on Monday, May 7, 2018. The Build conference, marking its second consecutive year in Seattle, is expected to put emphasis on the company's cloud technologies and the artificial intelligence features within those services. Photographer: Grant Hindsley/Bloomberg via Getty Images
Photo: Grant Hindsley/Bloomberg via Getty Images

'Frightening' flaws cloud Microsoft Azure

Protocol Enterprise

Hello, and welcome to Protocol Enterprise! Today: an in-depth look at what security researchers believe is a “concerning” pattern of severe security flaws within Microsoft Azure, Capital One is now a SaaS company, and why sanctions won’t stop ransomware.

‘It’s concerning. And it is a pattern.’

One of the biggest hacks of all time happened last summer, and the world barely noticed.

In August 2021, hackers broke into a widely used database service on Microsoft’s Azure public cloud platform. They reported gaining access to databases in thousands of customer environments, or tenants, including those of numerous Fortune 500 companies. This was possible because the cloud runs on shared infrastructure — and as it turns out, that can uncover some shared risks that cloud providers thought were solved problems.

  • If you didn’t hear about this incident from last summer, that’s probably because the hackers who broke into Microsoft’s Cosmos DB service were not cybercriminals. They were researchers at Wiz, a cloud security startup.
  • The researchers gave the vulnerability a memorable name, “ChaosDB,” and reported it to Microsoft. The “cross-tenant” issue was fixed before any actual attackers could exploit it. Crisis averted.
  • But the stunning finding made researchers at Wiz and several other vendors curious to find out how prevalent this new class of cross-tenant vulnerability actually is.
  • That led to the discovery of another scary bug in an Azure service a month later. Then another. Then three more — for a total of six critical Azure vulnerabilities in as many months.

Including ChaosDB, five of the critical vulnerabilities demonstrated the possibility of breaching large numbers of different cloud environments, or tenants, in one fell swoop. A cross-tenant flaw like ChaosDB is “the most severe vulnerability that could be found in a cloud service provider,” said Shir Tamari, head of Research at Wiz.

  • “It’s concerning. And it is a pattern,” said Rich Mogull, CEO at independent security research firm Securosis and a longtime security industry analyst.
  • “And so the question is: Do we believe that that's because they're under greater scrutiny? Or is it that they have more problems? It might be a little bit of both.”
  • At cloud security firm Orca Security, whose researchers have found two of the cross-tenant vulnerabilities in Azure services, the issues strongly suggest that Azure is not withstanding the pressure applied by researchers to the same degree as AWS and Google Cloud, according to Orca CTO Yoav Alon.
  • “I think that in the cloud space right now, compared to other vendors, they might be a bit behind [on security],” Alon said.

First contacted over a week ago to discuss the reporting in this story, Microsoft declined to make a representative available to comment on the record.

  • "Security is foundational for Azure. Customers trust Microsoft’s multi-layered security provided across physical datacenters, infrastructure, and operations with cyber security experts actively monitoring to protect organizations’ data. We are continually engaged both internally and also externally through bug bounties with researchers to find and remediate security issues, and we are proactive in sharing updates and guidance," the company said in a statement.

Other researchers and analysts told Protocol they don’t think these findings point to any weakness in Microsoft’s approach to securing its Azure services as compared to AWS or Google Cloud.

  • “It’s not what we see,” said Ami Luttwak, co-founder and CTO at Wiz, which has discovered three of the six critical Azure vulnerabilities. “I don’t think it’s true."

Read the full report here.

— Kyle Alspach (email | twitter)

A MESSAGE FROM VERSAPAY

Accounts receivable is critical to positive customer experiences, yet many leaders overlook it. This limits the potential for success and gives competitors an opportunity to get ahead. Learn how collaborative AR not only optimizes your bottom line, but also gives you a unique edge in the market.

Learn more

Capital One is selling cloud software. Could ML tools be next?

You’ve probably noticed Capital One talking up its cloud expertise over the years and wondered: You’re a bank, right?

Now we know a little more about its plans. The credit card behemoth launched a business software division today called Capital One Software. Its first product? Cloud data management software designed to work with Snowflake.

It’s called Capital One Slingshot, and it’s designed to help customers manage current cloud costs, predict future costs and automate data governance. Of course, these are things Capital One has had to do internally for years since it loudly moved to AWS in 2015.

While creating a new business line selling software may be risky, it is a way for Capital One to create new revenue streams from what it’s already built, and taking advantage of existing sales connections through its enterprise customers and its Snowflake partnership.

Plus, it has hundreds of engineers building tech used internally already. When Protocol spoke earlier this year with Mike Eason, the company’s senior vice president of CIO Enterprise Data and Machine Learning, he said his team alone included 1,800 engineers and technology staff.

What could be next? Well, Capital One has made a point of talking up its machine-learning capabilities. And Eason’s team? It’s been developing a self-service data pipeline and platform with tools for in-house staff to access data to build and train machine-learning models.

That internal ML platform just might be ripe to package and sell, too.

— Kate Kaye (email| twitter)

The sanctions effect

In comments that've been much-discussed in the cybersecurity community, NSA official Rob Joyce has reportedly suggested severaltimes that western sanctions against Russia have constrained ransomware in 2022. But it'll take more than just sanctions to make a serious dent in ransomware attacks coming out of Russia, former CISA director Chris Krebs told me this week.

It's true that sanctions have likely made it more difficult for ransomware gangs to move the funds that they've extracted from victims, Krebs said. But at the same time, "there's no question that ransomware is still very, very active," he said, pointing to incidents such as Costa Rica's declaration of a state of emergency following an attack by the Russia-linked ransomware group Conti.

"There's plenty of evidence that cybercriminals have not felt the pain necessary" to halt their attacks, said Krebs, who served as the first director of the U.S. Cybersecurity and Infrastructure Security Agency and is now a founding partner at cybersecurity consulting firm Krebs Stamos Group. "Somehow, it's still profitable for them."

Beyond financial factors, the large number of vulnerable systems and the safe haven for the groups in Russia are other key enablers for ransomware to keep in mind, he said. To curtail ransomware attacks in a major way, Krebs told me, "I think it's going to require all three of those things to change in some fashion."


— Kyle Alspach (email | twitter)

Around the enterprise

Canadian icon Tim Hortons, the coffee and donut shop of the Great White North,collected data on its app’s users, even when the app wasn’t in use. Sounds bad, eh?

Oracle said it has received regulatory approval to acquire Cerner, but the deal won’t be official until Cerner shareholders sign off, which Oracle expects to happen next week.

Intel acquired Codeplay Software, a Scottish company working on open-source programming models, for an undisclosed amount.

Microsoft Active Directory users suffered through hours of login and notification delays after something went wrong just days after Microsoft rebranded the group as Entra.

A MESSAGE FROM VERSAPAY

It’s hard to find an executive who’d say customer experience isn’t a priority for them. Yet, only 44% of them see better communication with customers as a benefit of digitizing AR. This presents a massive opportunity, and collaborative AR is the key to seizing it.

Learn more

Thanks for reading — see you tomorrow!

Recent Issues