As part of building a market-leading CNAPP, Wiz Research is constantly looking for new attack surfaces in the cloud. Two weeks ago we discovered an unprecedented breach that affects Azure’s flagship database service, Cosmos DB.
# Incident Report: ChaosDB Vulnerability Exploiting Azure Cosmos DB
## Executive Summary
The Wiz security research team discovered **ChaosDB**, a critical, trivially exploitable vulnerability in the Jupyter Notebook feature of Microsoft Azure Cosmos DB that allowed an attacker to gain complete, unrestricted access to customer data and primary keys. The vulnerability required no misconfiguration or error on the customer's side and affected thousands of Azure customers, including Fortune 500 companies, exposing sensitive commercial data to potential exfiltration. Microsoft contained the immediate threat by disabling the feature within 48 hours of disclosure, but full mitigation requires affected customers to manually rotate their highly sensitive primary access keys.
## Incident Details
- **Discovery Date:** Approximately two weeks before disclosure (the exact date is not given; the research itself took about a week).
- **Incident Date:** The vulnerability was potentially exploitable for "at least several months, possibly years"; the feature that caused it was enabled by default starting in February 2021.
- **Affected Organization:** Microsoft Azure (Cosmos DB service).
- **Sector:** Cloud Services / Technology.
- **Geography:** Global (impacting Azure customers in over 30 regions).
## Timeline of Events
### Initial Access
- **Date/Time:** Starting February 2021 (when the vulnerable feature was enabled by default for new accounts) and continuing until discovery.
- **Vector:** Misconfiguration within the automatically enabled Jupyter Notebook feature in Cosmos DB.
- **Details:** A series of misconfigurations in the notebook container provided a path for privilege escalation into other customer notebooks.
### Lateral Movement
- **Details:** Attackers could leverage the initial privilege escalation to gain access to other customer notebooks, facilitating the harvesting of primary keys across multiple tenants.
### Data Exfiltration/Impact
- **Details:** Stolen primary keys provided full READ/WRITE/DELETE administrative access to customer Cosmos DB accounts. This allowed for exfiltration of massive collections of commercial databases.
### Detection & Response
- **How it was discovered:** Proactive security research conducted by the Wiz security team while building cloud-native application protection platform (CNAPP) capabilities.
- **Response actions taken:** Wiz reported the issue to Microsoft. Microsoft's Security Team disabled the vulnerable notebook feature within 48 hours of the report.
## Attack Methodology
- **Initial Access:** Direct exploitation of configuration flaws within the Cosmos DB Jupyter Notebook feature.
- **Persistence:** Not explicitly detailed, but the ultimate impact was obtaining long-lived Primary Keys, which grant ongoing access.
- **Privilege Escalation:** A core component: escalation from within the notebook container into other customers' environments.
- **Defense Evasion:** Not applicable; access was obtained through a design flaw in the service itself rather than by evading any control.
- **Credential Access:** Harvesting of Cosmos DB Primary Keys (the "holy grail" secrets for database access).
- **Discovery:** Not explicitly detailed from the attacker's perspective, but the vulnerability allowed direct access to perform data discovery.
- **Lateral Movement:** Escalation between customer notebook instances.
- **Collection:** Direct administrative access allowed for bulk database collection.
- **Exfiltration:** Keys were exfiltrated to gain long-term control, allowing subsequent data exfiltration over the internet.
- **Impact:** Unauthorized modification (manipulation), deletion, and reading/exfiltration of massive amounts of commercial data.
## Impact Assessment
- **Financial:** Not explicitly stated, but impacting numerous Fortune 500 companies implies potentially significant costs related to breach investigation and remediation.
- **Data Breach:** Millions or billions of sensitive records from thousands of commercial databases across over 30 Azure regions were potentially accessible.
- **Operational:** Indirect operational risk due to the potential loss of integrity or availability of critical data managed by Cosmos DB.
- **Reputational:** High reputational risk for affected customers and Microsoft due to the scale and severity of the database exposure.
## Indicators of Compromise
- **Network indicators:** Not provided.
- **File indicators:** Not provided.
- **Behavioral indicators:** Unauthorized usage of the Jupyter Notebook feature by entities not belonging to the legitimate customer account.
## Response Actions
- **Containment measures:** Microsoft disabled the vulnerable Jupyter Notebook feature across all Cosmos DB instances pending redesign.
- **Eradication steps:** None provided for customers, as the vulnerability resides in the service layer controlled by Microsoft.
- **Recovery actions:** Microsoft notified over 30% of Cosmos DB customers to manually regenerate and rotate their Primary Access Keys.
## Lessons Learned
- **Key takeaways:** Automatic feature enablement (such as the default activation of the Notebook feature in February 2021) introduces significant, unexpected attack surface if security best practices are not rigorously applied during development.
- **What could have been done better:** Stronger isolation and configuration management within cloud database services, so that privilege escalation between tenant environments is prevented even while optional features are active, together with proper segregation of duties around system configuration.
## Recommendations
- **Prevention measures for similar incidents:** All Cosmos DB customers (especially those using or having used the notebook feature, or those created after January 2021) must immediately regenerate and rotate their Primary Access Keys. Enterprises must improve DevOps configuration management processes with built-in data protection capabilities to safeguard cloud assets.
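The recovery and prevention items above both come down to one procedure: regenerate the Cosmos DB account keys and confirm the old values are gone. The script below is an added example (not part of the report or of Microsoft's guidance) showing how an operator can do that with the Azure CLI. It assumes what the report does not state: that a Cosmos DB account carries both a primary and a secondary key, that clients can be repointed to the secondary key while the primary is regenerated (so the rotation causes no outage), and that `az` is already logged in with rights on the account. `AZ_BIN`, `repoint_clients` and the account and resource-group names are placeholders for illustration.

```shell
#!/usr/bin/env sh
# Added example: rotate both Cosmos DB account keys with the Azure CLI and
# verify that each regeneration actually produced a new key.
# Assumptions (not from the original report): the account has a primary and a
# secondary key, `az` is logged in with rights on the account, and clients can
# be moved to the secondary key while the primary is regenerated.
# AZ_BIN is a hypothetical knob so a test can substitute a stub for the CLI.
AZ_BIN="${AZ_BIN:-az}"

# Print the current value of one key field for the account.
# $1 = resource group, $2 = account name, $3 = primaryMasterKey|secondaryMasterKey
current_key() {
  "$AZ_BIN" cosmosdb keys list --resource-group "$1" --name "$2" \
    --type keys --query "$3" -o tsv
}

# Regenerate one key (primary|secondary) and fail unless its value changed.
regenerate_and_verify() {
  rg="$1"; acct="$2"; kind="$3"
  case "$kind" in
    primary)   field=primaryMasterKey ;;
    secondary) field=secondaryMasterKey ;;
    *) echo "unknown key kind: $kind" >&2; return 2 ;;
  esac
  before=$(current_key "$rg" "$acct" "$field")
  "$AZ_BIN" cosmosdb keys regenerate --resource-group "$rg" --name "$acct" \
    --key-kind "$kind" >/dev/null
  after=$(current_key "$rg" "$acct" "$field")
  if [ -z "$after" ] || [ "$after" = "$before" ]; then
    echo "rotation of $kind key for $acct did not produce a new key" >&2
    return 1
  fi
  echo "$kind key rotated for $acct"
}

# Placeholder for the deployment step that moves applications to the named key.
# Replace with the real configuration rollout (Key Vault update, redeploy, ...).
repoint_clients() {
  echo "TODO: update application configuration of $acct to use the $1 key" >&2
}

# Zero-downtime order: regenerate the key clients are NOT using, move clients
# onto it, then regenerate the key they just left. Afterwards neither old key
# is valid anywhere.
rotate_account_keys() {
  rg="$1"; acct="$2"
  regenerate_and_verify "$rg" "$acct" secondary || return 1
  repoint_clients secondary
  regenerate_and_verify "$rg" "$acct" primary || return 1
  echo "both account keys of $acct have been rotated; clients now run on the secondary key"
}

# Usage: ./rotate-cosmos-keys.sh <resource-group> <account-name>
if [ "$#" -ge 2 ]; then
  rotate_account_keys "$1" "$2"
fi
```

The regenerate-then-compare check matters more than it looks: a regeneration that silently fails (wrong subscription, missing permission) would otherwise leave the exposed key valid while the operator believes rotation is complete. Read-only keys are not touched here; if an application uses them, repeat the same sequence with `--key-kind primaryReadonly` and `secondaryReadonly`.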