White Hat Hackers Discover Microsoft Leak of 38TB of Internal Data Via Azure Storage

1 week ago 22

on September 18, 2023, 6:10 PM EDT

White Hat Hackers Discover Microsoft Leak of 38TB of Internal Data Via Azure Storage

The Microsoft leak, which stemmed from AI researchers sharing open-source grooming information connected GitHub, has been mitigated.

Microsoft has patched a vulnerability that exposed 38TB of backstage information from its AI probe division. White chapeau hackers from cloud information institution Wiz discovered a shareable nexus based connected Azure Statistical Analysis System tokens connected June 22, 2023. The hackers reported it to the Microsoft Security Response Center, which invalidated the SAS token by June 24 and replaced the token connected the GitHub page, wherever it was primitively located, connected July 7.

Jump to:

SAS tokens, an Azure file-sharing feature, enabled this vulnerability
What businesses tin larn from the Microsoft information leak

SAS tokens, an Azure file-sharing feature, enabled this vulnerability

The hackers archetypal discovered the vulnerability arsenic they searched for misconfigured retention containers crossed the internet. Misconfigured retention containers are a known backdoor into cloud-hosted data. The hackers recovered robust-models-transfer, a repository of open-source codification and AI models for representation designation utilized by Microsoft’s AI probe division.

The vulnerability originated from a Shared Access Signature token for an interior retention account. A Microsoft worker shared a URL for a Blob store (a benignant of entity retention successful Azure) containing an AI dataset successful a nationalist GitHub repository portion moving connected open-source AI learning models. From there, the Wiz squad utilized the misconfigured URL to get permissions to entree the full retention account.

When the Wiz hackers followed the link, they were capable to entree a repository that contained disk backups of 2 erstwhile employees’ workstation profiles and interior Microsoft Teams messages. The repository held 38TB of backstage data, secrets, backstage keys, passwords and the open-source AI grooming data.

SAS tokens don’t expire, truthful they aren’t typically recommended for sharing important information externally. A September 7 Microsoft information blog pointed retired that “Attackers whitethorn make a high-privileged SAS token with agelong expiry to sphere valid credentials for a agelong period.”

Microsoft noted that nary lawsuit information was ever included successful the accusation that was exposed, and that determination was nary hazard of different Microsoft services being breached due to the fact that of the AI information set.

What businesses tin larn from the Microsoft information leak

This lawsuit isn’t circumstantial to the information that Microsoft was moving connected AI grooming — immoderate precise ample open-source information acceptable mightiness conceivably beryllium shared successful this way. However, Wiz pointed retired successful its blog post, “Researchers cod and stock monolithic amounts of outer and interior information to conception the required grooming accusation for their AI models. This poses inherent information risks tied to high-scale information sharing.”

Wiz suggested organizations looking to debar akin incidents should caution employees against oversharing data. In this case, the Microsoft researchers could person moved the nationalist AI information acceptable to a dedicated retention account.

Organizations should beryllium alert for proviso concatenation attacks, which tin hap if attackers inject malicious codification into files that are unfastened to nationalist entree done improper permissions.

SEE: Use this checklist to marque definite you’re connected apical of web and systems security (TechRepublic Premium)

“As we spot wider adoption of AI models wrong companies, it’s important to rise consciousness of applicable information risks astatine each measurement of the AI improvement process, and marque definite the information squad works intimately with the information subject and probe teams to guarantee due guardrails are defined,” the Wiz squad wrote successful their blog post.

TechRepublic has reached retired to Microsoft and Wiz for comments.