Microsoft Azure | Breaking Cybersecurity News | The Hacker News

A security shortcoming in Microsoft Azure Active Directory (AD) Open Authorization ( OAuth ) process could have been exploited to achieve full account takeover, researchers said. California-based identity and access management service Descope, which discovered and reported the issue in April 2023, dubbed it  nOAuth . "nOAuth is an authentication implementation flaw that can affect Microsoft Azure AD multi-tenant OAuth applications," Omer Cohen, chief security officer at Descope,  said . The misconfiguration has to do with how a malicious actor can modify email attributes under "Contact Information" in the Azure AD account and exploit the "Log in with Microsoft" feature to hijack a victim account. To pull off the attack, all an adversary has to do is to create and access an Azure AD admin account and modify their email address to that of a victim and take advantage of the single sign-on scheme on a vulnerable app or website. "If the app merges u...

Two "dangerous" security vulnerabilities have been disclosed in Microsoft Azure Bastion and Azure Container Registry that could have been exploited to carry out cross-site scripting (XSS) attacks. "The vulnerabilities allowed unauthorized access to the victim's session within the compromised Azure service iframe, which can lead to severe consequences, including unauthorized data access, unauthorized modifications, and disruption of the Azure services iframes," Orca security researcher Lidor Ben Shitrit  said  in a report shared with The Hacker News. XSS attacks  take place when threat actors inject arbitrary code into an otherwise trusted website, which then gets executed every time when unsuspecting users visit the site. The two flaws identified by Orca leverage a weakness in the postMessage iframe, which enables cross-origin communication between Window objects. This meant that the shortcoming could be abused to embed endpoints within remote servers usin...

Three new security flaws have been disclosed in Microsoft Azure API Management service that could be abused by malicious actors to gain access to sensitive information or backend services. This includes two server-side request forgery (SSRF) flaws and one instance of unrestricted file upload functionality in the API Management developer portal, according to Israeli cloud security firm Ermetic. "By abusing the SSRF vulnerabilities, attackers could send requests from the service's CORS Proxy and the hosting proxy itself, access internal Azure assets, deny service and bypass web application firewalls," security researcher Liv Matan said in a report shared with The Hacker News. "With the file upload path traversal, attackers could upload malicious files to Azure's hosted internal workload." Azure API Management is a  multicloud management platform  that allows organizations to securely expose their APIs to external and internal customers and enable a wide ...

A "by-design flaw" uncovered in Microsoft Azure could be exploited by attackers to gain access to storage accounts, move laterally in the environment, and even execute remote code. "It is possible to abuse and leverage Microsoft Storage Accounts by manipulating Azure Functions to steal access-tokens of higher privilege identities, move laterally, potentially access critical business assets, and execute remote code (RCE)," Orca said in a new  report  shared with The Hacker News. The exploitation path that underpins this attack is a mechanism called  Shared Key authorization , which is enabled by default on storage accounts. According to Microsoft, Azure generates two 512-bit storage account access keys when creating a storage account. These keys can be used to authorize access to data via Shared Key authorization, or via SAS tokens that are signed with the shared key. "Storage account access keys provide full access to the configuration of a storage accoun...

Details have emerged about a now-patched vulnerability in Azure Service Fabric Explorer ( SFX ) that could lead to unauthenticated remote code execution. Tracked as  CVE-2023-23383  (CVSS score: 8.2), the issue has been dubbed "Super FabriXss" by Orca Security, a nod to the  FabriXss flaw  (CVE-2022-35829, CVSS score: 6.2) that was fixed by Microsoft in October 2022. "The Super FabriXss vulnerability enables remote attackers to leverage an XSS vulnerability to achieve remote code execution on a container hosted on a Service Fabric node without the need for authentication," security researcher Lidor Ben Shitrit  said  in a report shared with The Hacker News. XSS refers to a kind of  client-side code injection  attack that makes it possible to upload malicious scripts into otherwise trusted websites. The scripts then get executed every time a victim visits the compromised website, thereby leading to unintended consequences. While both FabriXss ...

A new critical remote code execution (RCE) flaw discovered impacting multiple services related to Microsoft Azure could be exploited by a malicious actor to completely take control of a targeted application. "The vulnerability is achieved through  CSRF  (cross-site request forgery) on the ubiquitous SCM service Kudu," Ermetic researcher Liv Matan  said  in a report shared with The Hacker News. "By abusing the vulnerability, attackers can deploy malicious ZIP files containing a payload to the victim's Azure application." The Israeli cloud infrastructure security firm, which dubbed the shortcoming  EmojiDeploy , said it could further enable the theft of sensitive data and lateral movement to other Azure services. Microsoft has since fixed the vulnerability as of December 6, 2022, following responsible disclosure on October 26, 2022, in addition to awarding a bug bounty of $30,000. The Windows maker  describes  Kudu as the "engine behind a number of...

Four different Microsoft Azure services have been found vulnerable to server-side request forgery ( SSRF ) attacks that could be exploited to gain unauthorized access to cloud resources. The security issues, which were discovered by Orca between October 8, 2022 and December 2, 2022 in Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins, have since been addressed by Microsoft. "The discovered Azure SSRF vulnerabilities allowed an attacker to scan local ports, find new services, endpoints, and sensitive files - providing valuable information on possibly vulnerable servers and services to exploit for initial entry and the location of sensitive information to target," Orca researcher Lidor Ben Shitrit  said  in a report shared with The Hacker News. Two of the vulnerabilities affecting Azure Functions and Azure Digital Twins could be abused without requiring any authentication, enabling a threat actor to seize control of a server without eve...

Cybersecurity researchers from Palo Alto Networks Unit 42  disclosed  details of a new security flaw affecting Microsoft's Service Fabric that could be exploited to obtain elevated permissions and seize control of all nodes in a cluster. The issue, which has been dubbed  FabricScape  ( CVE-2022-30137 ), could only be weaponized on containers that are configured to have  runtime access . It has been  remediated  as of June 14, 2022, in  Service Fabric 9.0 Cumulative Update 1.0 . Azure Service Fabric  is Microsoft's platform-as-a-service ( PaaS ) and a container orchestrator solution used to build and deploy microservices-based cloud applications across a cluster of machines. "The vulnerability enables a bad actor, with access to a compromised container, to escalate privileges and gain control of the resource's host SF node and the entire cluster," Microsoft  said  as part of the coordinated disclosure process. "Though the bug exi...

Microsoft has incorporated additional improvements to address the recently disclosed  SynLapse  security vulnerability in order to meet comprehensive  tenant isolation   requirements  in Azure Data Factory and Azure Synapse Pipelines. The latest safeguards include moving the shared integration runtimes to sandboxed ephemeral instances and using scoped tokens to prevent adversaries from using a client certificate to access other tenants' information. "This means that if an attacker could execute code on the  integration runtime , it is never shared between two different tenants, so no sensitive data is in danger," Orca Security said in a technical report detailing the flaw. In a statement shared with The Hacker News regarding the protections deployed, Microsoft said it fully mitigated different attack paths to the vulnerability across all integration runtime types. The tech giant stated that it "contained and closely monitored the backend certificate...

Threat actors are actively incorporating public cloud services from Amazon and Microsoft into their malicious campaigns to deliver commodity remote access trojans (RATs) such as  Nanocore ,  Netwire , and  AsyncRAT  to siphon sensitive information from compromised systems. The spear-phishing attacks, which commenced in October 2021, have primarily targeted entities located in the U.S., Canada, Italy, and Singapore, researchers from Cisco Talos said in a report shared with The Hacker News. Using existing legitimate infrastructure to facilitate intrusions is increasingly becoming part of an attacker's playbook as it obviates the need to host their own servers, not to mention be used as a cloaking mechanism to evade detection by security solutions. In recent months, collaboration and communication tools like  Discord, Slack, and Telegram  have found a place in many an infection chain to  commandeer and exfiltrate data  from the victim machines....

Cybersecurity researchers have disclosed an unpatched security vulnerability in the protocol used by Microsoft Azure Active Directory that potential adversaries could abuse to stage undetected brute-force attacks. "This flaw allows threat actors to perform single-factor brute-force attacks against Azure Active Directory ( Azure AD ) without generating sign-in events in the targeted organization's tenant," researchers from Secureworks Counter Threat Unit (CTU)  said  in a report published on Wednesday. Azure Active Directory is Microsoft's enterprise cloud-based identity and access management (IAM) solution designed for single sign-on (SSO) and multi-factor authentication. It's also a core component of Microsoft 365 (formerly Office 365), with capabilities to provide authentication to other applications via OAuth. The weakness resides in the  Seamless Single Sign-On  feature that allows employees to automatically sign in when using their corporate devices that...

Cloud infrastructure security company Wiz on Thursday revealed details of a now-fixed Azure Cosmos database vulnerability that could have been potentially exploited to grant any Azure user full admin access to other customers' database instances without any authorization. The flaw, which grants read, write, and delete privileges, has been dubbed " ChaosDB ," with Wiz researchers noting that "the vulnerability has a trivial exploit that doesn't require any previous access to the target environment, and impacts thousands of organizations, including numerous Fortune 500 companies." Cosmos DB is Microsoft's proprietary  NoSQL database  that's advertised as "a fully managed service" that "takes database administration off your hands with automatic management, updates and patching." The Wiz Research Team reported the issue to Microsoft on August 12, after which the Windows maker took steps to mitigate the issue within 48 hours of r...

Microsoft is urging Azure users to  update  the PowerShell command-line tool as soon as possible to protect against a critical remote code execution vulnerability impacting .NET Core. The issue, tracked as  CVE-2021-26701  (CVSS score: 8.1), affects PowerShell versions 7.0 and 7.1 and have been remediated in versions 7.0.6 and 7.1.3, respectively. Windows PowerShell 5.1 isn't impacted by the flaw. Built on the .NET Common Language Runtime (CLR),  PowerShell  is a cross-platform task automation utility that consists of a command-line shell, a scripting language, and a configuration management framework. "A remote code execution vulnerability exists in .NET 5 and .NET Core due to how text encoding is performed," the company  noted in an advisory  published earlier this April, adding that the problem resides in the " System.Text.Encodings.Web " package, which provides types for encoding and escaping strings for use in JavaScript, HTML, and URLs....

Cybersecurity researcher Paul Litvak today disclosed an unpatched vulnerability in Microsoft Azure Functions that could be used by an attacker to escalate privileges and escape the Docker container used for hosting them. The findings come as part of Intezer Lab 's investigations into the Azure compute infrastructure. Following disclosure to Microsoft, the Windows maker is said to have "determined that the vulnerability has no security impact on Function users, since the host itself is still protected by another defense boundary against the elevated position we reached in the container host." Azure Functions , analogous to Amazon AWS Lambda, is a serverless solution that allows users to run event-triggered code without having to provision or manage infrastructure explicitly while simultaneously making it possible to scale and allocate compute and resources based on demand. By incorporating Docker into the mix, it makes it possible for developers to easily deploy and ...

New evidence amidst the ongoing probe into the  espionage campaign  targeting SolarWinds has uncovered an unsuccessful attempt to compromise cybersecurity firm Crowdstrike and access the company's email. The hacking endeavor was reported to the company by Microsoft's Threat Intelligence Center on December 15, which identified a third-party reseller's Microsoft Azure account to be making "abnormal calls" to Microsoft cloud APIs during a 17-hour period several months ago. The undisclosed affected reseller's Azure account handles Microsoft Office licensing for its Azure customers, including CrowdStrike. Although there was an attempt by unidentified threat actors to read the emails, it was ultimately foiled as the firm does not use Microsoft's Office 365 email service, CrowdStrike  said . The incident comes in the wake of the  supply chain attack  of SolarWinds revealed earlier this month, resulting in the deployment of a covert backdoor (aka "Sunbu...

As businesses are increasingly migrating to the cloud, securing the infrastructure has never been more important. Now according to the latest research, two security flaws in Microsoft's Azure App Services could have enabled a bad actor to carry out server-side request forgery ( SSRF ) attacks or execute arbitrary code and take over the administration server. "This enables an attacker to quietly take over the App Service's git server, or implant malicious phishing pages accessible through Azure Portal to target system administrators," cybersecurity firm Intezer said in a report published today and shared with The Hacker News. Discovered by  Paul Litvak of Intezer Labs, the flaws were reported to Microsoft in June, after which the company subsequently addressed them. Azure App Service is a cloud computing-based platform that's used as a hosting web service for building web apps and mobile backends. When an App Service is created via Azure, a new Docker env...

Cybersecurity researchers at Check Point today disclosed details of two recently patched potentially dangerous vulnerabilities in Microsoft Azure services that, if exploited, could have allowed hackers to target several businesses that run their web and mobile apps on Azure. Azure App Service is a fully-managed integrated service that enables users to create web and mobile apps for any platform or device, and easily integrate them with SaaS solutions, on-premises apps to automate business processes. According to a report researchers shared with The Hacker News, the first security vulnerability ( CVE-2019-1234 ) is a request spoofing issue that affected Azure Stack, a hybrid cloud computing software solution by Microsoft. If exploited, the issue would have enabled a remote hacker to unauthorizedly access screenshots and sensitive information of any virtual machine running on Azure infrastructure—it doesn't matter if they're running on a shared, dedicated or isolated vir...

Microsoft today launched a new bug bounty program for bug hunters and researchers finding security vulnerabilities in its "identity services." Hacking into networks and stealing data have become common and easier than ever but not all data holds the same business value or carries the same risk. Since new security today depends on the collaborative communication of identities and identity data within, and across domains, digital identities of customers are usually the key to accessing services and interacting across the Internet. Microsoft said the company has heavily invested in the "creation, implementation, and improvement of identity-related specifications" that encourage "strong authentication, secure sign-on, sessions, API security, and other critical infrastructure tasks." Therefore, to further bolster its customers' security, the tech giant has launched an all-new, and independent bug bounty program. Dubbed Microsoft Identity Bounty ...

Finally, it's happening. Microsoft has built its own custom Linux kernel to power " Azure Sphere ," a newly launched technology that aims to better secure billions of " Internet of things " devices by combining the custom Linux kernel with new chip design, and its cloud security service. Project Azure Sphere focuses on protecting microcontroller-based IoT devices, including smart appliances, connected toys, and other smart gadgets, Microsoft announced during the security-focused RSA Conference in San Francisco Monday. It is basically a security package consists of three main components: Azure Sphere-certified microcontrollers (MCUs) Azure Sphere OS Azure Sphere Security Service "Azure Sphere provides security that starts in the hardware and extends to the cloud, delivering holistic security that protects, detects, and responds to threats—so they're always prepared," Microsoft said. Internet of Things (IoT) devices are 'ridicu...