Security News > 2023 > April > Newly Discovered "By-Design" Flaw in Microsoft Azure Could Expose Storage Accounts to Hackers
A "By-design flaw" uncovered in Microsoft Azure could be exploited by attackers to gain access to storage accounts, move laterally in the environment, and even execute remote code.
"It is possible to abuse and leverage Microsoft Storage Accounts by manipulating Azure Functions to steal access-tokens of higher privilege identities, move laterally, potentially access critical business assets, and execute remote code," Orca said in a new report shared with The Hacker News.
According to Microsoft, Azure generates two 512-bit storage account access keys when creating a storage account.
"Storage account access keys provide full access to the configuration of a storage account, as well as the data," Microsoft notes in its documentation.
The cloud security firm said these access tokens can be stolen by manipulating Azure Functions, potentially enabling a threat actor with access to an account with Storage Account Contributor role to escalate privileges and take over systems.
As mitigations, it's recommended that organizations consider disabling Azure Shared Key authorization and using Azure Active Directory authentication instead. In a coordinated disclosure, Microsoft said it "Plans to update how Functions client tools work with storage accounts."
News URL
https://thehackernews.com/2023/04/newly-discovered-by-design-flaw-in.html
Related news
- Microsoft says Russian hackers breached its systems, accessed source code (source)
- Microsoft Confirms Russian Hackers Stole Source Code, Some Customer Secrets (source)
- Microsoft: Russian hackers accessed internal systems, code repositories (source)
- CISA Warns: Hackers Actively Attacking Microsoft SharePoint Vulnerability (source)
- U.S. Cyber Safety Board Slams Microsoft Over Breach by China-Based Hackers (source)
- Microsoft still unsure how hackers stole MSA key in 2023 Exchange attack (source)
- Microsoft Warns: North Korean Hackers Turn to AI-Fueled Cyber Espionage (source)
- Microsoft: APT28 hackers exploit Windows flaw reported by NSA (source)
- Microsoft: APT28 hackers exploit Windows flaw reported by NSA (source)