Security News > 2023 > April > Newly Discovered "By-Design" Flaw in Microsoft Azure Could Expose Storage Accounts to Hackers
A "By-design flaw" uncovered in Microsoft Azure could be exploited by attackers to gain access to storage accounts, move laterally in the environment, and even execute remote code.
"It is possible to abuse and leverage Microsoft Storage Accounts by manipulating Azure Functions to steal access-tokens of higher privilege identities, move laterally, potentially access critical business assets, and execute remote code," Orca said in a new report shared with The Hacker News.
According to Microsoft, Azure generates two 512-bit storage account access keys when creating a storage account.
"Storage account access keys provide full access to the configuration of a storage account, as well as the data," Microsoft notes in its documentation.
The cloud security firm said these access tokens can be stolen by manipulating Azure Functions, potentially enabling a threat actor with access to an account with Storage Account Contributor role to escalate privileges and take over systems.
As mitigations, it's recommended that organizations consider disabling Azure Shared Key authorization and using Azure Active Directory authentication instead. In a coordinated disclosure, Microsoft said it "Plans to update how Functions client tools work with storage accounts."
News URL
https://thehackernews.com/2023/04/newly-discovered-by-design-flaw-in.html
Related news
- Microsoft: Chinese hackers use Quad7 botnet to steal credentials (source)
- Microsoft warns Azure Virtual Desktop users of black screen issues (source)
- Microsoft dangles $10K for hackers to hijack LLM email service (source)
- Hackers Use Microsoft MSC Files to Deploy Obfuscated Backdoor in Pakistan Attacks (source)
- HubSpot phishing targets 20,000 Microsoft Azure accounts (source)