White Hat Hackers Discover Microsoft Leak of 38TB of Internal Data Via Azure Storage

By Megan Crouse, September 18, 2023, 6:10 PM EDT


The Microsoft leak, which stemmed from AI researchers sharing open-source training data on GitHub, has been mitigated.

Microsoft has remediated an exposure of 38TB of private data from its AI research division. White hat hackers from cloud security company Wiz discovered a shareable link based on Azure Shared Access Signature (SAS) tokens on June 22, 2023. They reported it to the Microsoft Security Response Center, which invalidated the SAS token by June 24 and replaced the token on the GitHub page, where it was originally located, on July 7.


SAS tokens, an Azure file-sharing feature, enabled this exposure

The Wiz researchers first came across the exposure while scanning the internet for misconfigured storage containers, a well-known way into cloud-hosted data. They found robust-models-transfer, a repository of open-source code and AI models for image recognition used by Microsoft’s AI research division.

The exposure stemmed from a Shared Access Signature token for an internal storage account. A Microsoft employee had shared a URL for a Blob store (a kind of object storage in Azure) containing an AI dataset in a public GitHub repository for open-source AI models. The token embedded in that URL was scoped to the whole storage account with full permissions rather than to the one dataset, so following it gave the Wiz team access to the entire storage account.

When the Wiz researchers followed the link, they were able to access a storage account that contained disk backups of two former employees’ workstation profiles and internal Microsoft Teams messages. In all it held 38TB of private data, including secrets, private keys, passwords and the open-source AI training data.

SAS tokens can be issued with an expiry date decades in the future, and an account-level SAS is not logged or tracked by Azure and can only be revoked by rotating the storage account key, so they aren’t typically recommended for sharing sensitive data externally. A September 7 Microsoft security blog pointed out that “Attackers may create a high-privileged SAS token with long expiry to preserve valid credentials for a long period.”
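The properties Microsoft warns about are visible in the token’s own query string, so a reviewer can catch them before a link is pushed to GitHub. The following is an added example (not code from TechRepublic, Wiz or Microsoft) that parses an Azure Storage SAS URL and flags account-level scope, permissions beyond read and list, an expiry far in the future, and plain-HTTP use. The two sample URLs are constructed for illustration, with a made-up host, container and signature; the seven-day lifetime threshold is an assumed policy value, not something the article or Microsoft specifies.

```python
"""Audit Azure Storage SAS URLs for the properties that made the leaked token dangerous.

Added example, not code from the article, Wiz or Microsoft. Only the SAS query
parameter names documented by Azure Storage (sv, ss, srt, sr, sp, st, se, spr, si, sig)
are relied on; the sample URLs, host names and signatures below are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Permission letters used in sp=... (subset of the documented set).
PERMISSION_NAMES = {"r": "read", "a": "add", "c": "create", "w": "write",
                    "d": "delete", "l": "list", "t": "tag", "x": "delete-version"}
SAFE_PERMISSIONS = {"r", "l"}           # read plus list is enough to share a dataset
MAX_LIFETIME = timedelta(days=7)        # assumed policy threshold for this example

# The day Wiz found the token, per the article; used as a fixed audit time.
AUDIT_TIME = datetime(2023, 6, 22, tzinfo=timezone.utc)

# Constructed: account SAS (ss/srt), full permissions, expiry in 2051, http allowed.
LEAKED_STYLE_SAS = ("https://example.blob.core.windows.net/datasets/models/"
                    "?sv=2020-08-04&ss=b&srt=sco&sp=racwdl&se=2051-10-06T00:00:00Z"
                    "&spr=https,http&sig=REDACTEDSIGNATURE")
# Constructed: service SAS on one container, read+list, one-week lifetime, https only.
SCOPED_SAS = ("https://example.blob.core.windows.net/public-models"
              "?sv=2020-08-04&sr=c&sp=rl&st=2023-06-22T00:00:00Z"
              "&se=2023-06-29T00:00:00Z&spr=https&sig=REDACTEDSIGNATURE")


def parse_sas_url(url: str) -> dict:
    """Return the SAS query parameters of a storage URL as a flat dict."""
    parsed = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parsed.query, keep_blank_values=True).items()}
    params["_host"], params["_path"] = parsed.netloc, parsed.path
    return params


def parse_sas_time(value: str) -> datetime:
    """SAS timestamps are UTC ISO 8601: YYYY-MM-DDThh:mm:ssZ, YYYY-MM-DDThh:mmZ or YYYY-MM-DD."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value!r}")


def audit_sas(url: str, now: Optional[datetime] = None) -> dict:
    """Classify one SAS URL and list the properties a reviewer should question."""
    now = now or datetime.now(timezone.utc)
    p = parse_sas_url(url)
    if "sig" not in p or "sp" not in p:
        return {"is_sas": False, "findings": ["no SAS signature/permission parameters"]}
    findings = []

    # An account SAS carries ss (services) and srt (resource types) and reaches every
    # container; a service SAS carries sr (b = blob, c = container) and is scoped to one.
    account_level = "ss" in p or "srt" in p
    scope = "account" if account_level else "service:" + p.get("sr", "?")
    if account_level:
        findings.append(f"account-level SAS (ss={p.get('ss')}, srt={p.get('srt')}): "
                        "reaches every container in the storage account")

    perms = set(p["sp"])
    extra = perms - SAFE_PERMISSIONS
    if extra:
        names = ", ".join(PERMISSION_NAMES.get(x, x) for x in sorted(extra))
        findings.append(f"permissions beyond read/list: {names}")

    lifetime_days, expired = None, False
    if "se" in p:
        lifetime = parse_sas_time(p["se"]) - now
        lifetime_days, expired = lifetime.days, lifetime.total_seconds() <= 0
        if lifetime > MAX_LIFETIME:
            findings.append(f"expiry {p['se']} is {lifetime_days} days out "
                            f"(policy max {MAX_LIFETIME.days})")
    else:  # only legitimate when a stored access policy (si=) carries the expiry
        findings.append("no se= parameter: expiry must come from a stored access policy (si=)")

    if "http" in p.get("spr", "https").split(","):
        findings.append("usable over plain HTTP (spr includes http)")

    return {"is_sas": True, "scope": scope, "permissions": sorted(perms),
            "lifetime_days": lifetime_days, "expired": expired,
            "findings": findings, "high_risk": account_level or bool(extra)}


if __name__ == "__main__":
    for label, url in (("leaked-style", LEAKED_STYLE_SAS), ("scoped", SCOPED_SAS)):
        report = audit_sas(url, now=AUDIT_TIME)
        print(f"{label}: scope={report['scope']} high_risk={report['high_risk']}")
        for f in report["findings"]:
            print("  -", f)
```

Run against a pull request or a GitHub secret-scanning hit, the audit turns the vague warning about “long expiry” into a concrete check: the leaked-style token trips all four findings, while the container-scoped, read-only, one-week token passes clean. Note that the signature itself cannot be validated without the account key, so this only reasons about what the token claims to grant.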

Microsoft noted that no customer data was ever included in the exposed information, and that no other Microsoft services were put at risk because of the AI data set.

What businesses can learn from the Microsoft data leak

This incident isn’t specific to the fact that Microsoft was working on AI training; any very large open-source data set might conceivably be shared in this way. However, Wiz pointed out in its blog post, “Researchers collect and share massive amounts of external and internal data to construct the required training data for their AI models. This poses inherent security risks tied to high-scale data sharing.”

Wiz suggested organizations looking to avoid similar incidents should caution employees against oversharing data. In this case, the Microsoft researchers could have moved the public AI data set to a dedicated storage account, so that a token for it could not reach anything else.

Organizations should also be alert to supply chain attacks, which can happen if attackers inject malicious code into files that are open to public access through improper permissions. A token that grants write access to publicly distributed model files, as this one did, is exactly the opening such an attack needs.


“As we see wider adoption of AI models within companies, it’s important to raise awareness of relevant security risks at each step of the AI development process, and make sure the security team works closely with the data science and research teams to ensure proper guardrails are defined,” the Wiz team wrote in their blog post.

TechRepublic has reached out to Microsoft and Wiz for comment.
