Orca, a cybersecurity company, has warned that a recently discovered vulnerability in Microsoft Azure can provide complete access to attackers, leading to remote code execution and the compromise of business data. The vulnerability comes from the authorization process of a common Microsoft Azure key, which is one of the methods of entry along with using ordinary accounting data. Microsoft itself advises against the use of general access keys, which it considers to be less safe.
Azure generates two 512-bit access keys for any newly created account. Because the keys are similar to root parallels, any user who owns the corresponding key can use it for authorization in someone else’s account. Orca states that “using this key obtained either as a result of a leak or upon receipt of the appropriate role of Azure Active Directory, an attacker can not only get full access to accounts and potentially important business actes, but also move around and even perform remote code.”
Orca also discovered that the authentication of the access key permits a much greater number of actions than determined by Azure accounts’ permits. An Active Directory account with permits for reading data can also change and delete data. The compromised account can also be used to extract the identifier with higher privileges and to move laterally within the compromised environment. The vulnerabilities highlight the need for organizations to disconnect the authorization with a common key to ensure proper security.
Microsoft has released a message detailing best practices to prevent such attacks, including reducing potential risks by applying the principle of the least privileges and disconnecting authorization with a common key in Azure. The message also covers the steps that the company is taking to refuse authorization with a common key. Orca emphasizes that the main problem is the levels of access that attackers can receive by compromising an Azure account or receiving the necessary access keys. Such access allows cybercriminals to access confidential data and perform harmful actions without being discovered.