Shared Azure keys open the doors of your organization
- April 12, 2023
Microsoft warns against sharing Azure keys with anyone in the organization. But only after Orca pointed out its own design flaw.
According to security firm Orca Security, Azure storage account keys can easily be misused by malicious actors to gain free rein in an organization’s cloud environment. Orca therefore does not speak of a weakness in the Azure ecosystem, but of a blatant design error by Microsoft: shared key access is enabled by default on newly created storage accounts, and anyone who holds a key can access the files it covers.
Orca explains in detail how this can be abused, using a fictitious example. Suppose an employee’s account is compromised by hackers. The hacker now holds that employee’s key and can access every file the employee can read and/or edit. It is then up to the intruder to expand their freedom of movement.
By running a specific command, the attacker can request a list of all storage account keys and the files they cover, and then simply filter out the keys that grant access to source code files. Those keys allow the attacker to freely access sensitive files and move laterally through the organization’s cloud environment.
Microsoft acknowledges the issue and now recommends not sharing Azure keys and instead using Azure Active Directory authentication. Shared key access nevertheless remains the default for newly created storage accounts. That is set to change soon, but Microsoft has not yet said when. You can read a detailed guide on how to secure your Azure storage in this blog.
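As an added example (not part of the IT Daily article or Orca’s research), the following Python script audits storage accounts for the weak default described above and flags key retrievals in the Activity Log. It assumes the ARM property `allowSharedKeyAccess`, the Azure CLI flag `--allow-shared-key-access`, and the Activity Log operation name `Microsoft.Storage/storageAccounts/listKeys/action`; the account names and log records are constructed samples.

```python
import json

# Constructed sample shaped like `az storage account list -o json`, trimmed to the
# fields this audit needs. Account names are placeholders.
SAMPLE_AZ_OUTPUT = json.dumps([
    {"name": "stlegacy01", "resourceGroup": "rg-app", "allowSharedKeyAccess": None},
    {"name": "stkeys02", "resourceGroup": "rg-app", "allowSharedKeyAccess": True},
    {"name": "stentra03", "resourceGroup": "rg-data", "allowSharedKeyAccess": False},
])

def audit_shared_key_access(az_json: str) -> list[dict]:
    """One finding per storage account that still accepts account-key auth.

    The ARM property is allowSharedKeyAccess. A missing or null value means the
    platform default applies, and that default is "enabled" (the weak setting
    the article describes), so only an explicit false is treated as hardened.
    """
    findings = []
    for acct in json.loads(az_json):
        value = acct.get("allowSharedKeyAccess")
        if value is False:
            continue
        findings.append({
            "account": acct["name"],
            "resourceGroup": acct["resourceGroup"],
            "sharedKeyAccess": "enabled (explicit)" if value else "enabled (default)",
            # Hardened form: require Azure AD authorization for data-plane requests.
            # Clients still using account keys (or key-signed SAS) will start failing.
            "remediation": (
                f"az storage account update --name {acct['name']} "
                f"--resource-group {acct['resourceGroup']} --allow-shared-key-access false"
            ),
        })
    return findings

# Detection side: retrieving account keys is recorded in the Azure Activity Log
# under this operation name, so key enumeration leaves a visible trace.
LISTKEYS_OPERATION = "Microsoft.Storage/storageAccounts/listKeys/action"

# Constructed Activity Log records, flattened to the fields used here.
SAMPLE_ACTIVITY_LOG = [
    {"operationName": "Microsoft.Storage/storageAccounts/read", "caller": "alice@example.com", "resource": "stkeys02"},
    {"operationName": LISTKEYS_OPERATION, "caller": "alice@example.com", "resource": "stkeys02"},
    {"operationName": LISTKEYS_OPERATION, "caller": "alice@example.com", "resource": "stlegacy01"},
]

def key_listing_events(activity_log: list[dict]) -> list[dict]:
    """Return only the records where storage account keys were retrieved."""
    return [rec for rec in activity_log if rec.get("operationName") == LISTKEYS_OPERATION]

if __name__ == "__main__":
    for f in audit_shared_key_access(SAMPLE_AZ_OUTPUT):
        print(f"{f['account']}: shared key {f['sharedKeyAccess']} -> {f['remediation']}")
    for rec in key_listing_events(SAMPLE_ACTIVITY_LOG):
        print(f"listKeys by {rec['caller']} on {rec['resource']}")
```

In a real tenant, feed the script the live `az storage account list` output and an Activity Log export, and review every listKeys event that is not tied to an expected deployment.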
The design flaw in Microsoft Azure reminds Orca of AWS Simple Storage Service, or S3 for short. For years, public access to newly created buckets was enabled by default. While this was easy to disable, many organizations were unaware of it, so they unsuspectingly allowed outsiders access to sensitive data, with all the security breaches that entailed.
AWS only relented in December and switched off public access by default. Since January, newly created objects are also encrypted by default, another setting that has been available for years but that few users had enabled. Sometimes companies need a little help to adequately secure their data in the cloud.
Source: IT Daily
As an experienced journalist and author, Mary has been reporting on the latest news and trends for over 5 years. With a passion for uncovering the stories behind the headlines, Mary has earned a reputation as a trusted voice in the world of journalism. Her writing style is insightful, engaging and thought-provoking, as she takes a deep dive into the most pressing issues of our time.