Executive Summary

• • • • CloudSEK’s Threat Intelligence Research team discovered a post on a cybercrime forum, advertising 21 million user records of Microsoft.
      • Our researchers suspect that Microsoft’s latest advisory is possibly related to this incident, which warns its users about a newly discovered vulnerability present on their Cosmos DB.
      • CloudSEK’s Threat Intelligence Research team is validating the authenticity of this post.
    [caption id="attachment_17846" align="aligncenter" width="549"] Threat actor’s post on the cybercrime forum[/caption]  

    Analysis and Attribution

    On 20 August 2021, a threat actor published a post on a cybercrime forum claiming to have cracked 21 million Microsoft user accounts. Although the actor has not shared samples to substantiate their claim, they have described the process by which the data was obtained.   

    The Process

    • • The actor mentions that during a system upgrade Microsoft saved their data in a temporary cloud storage.
      • Further, the actor claims to have gained access to this ‘temporary’ cloud database, through which they received the Hexadecimal form of a cookie, and cracked it using a public legal service.
      • After completing these two steps, the actor gained access to the machine’s information as well as to the files and documents in it.
      • Besides this, the actor also claims to have access to the browsing database along with the following data fields:
    • • • Website
        • Username
        • Password

    Information from Comments

    In the comments posted on this thread, another threat actor shared a sample of the above-mentioned database, which they received from the original actor from their Telegram chat. Based on the samples, the data provided is as follows:
    • • • Host name
        • Creation date, last access date, and expiry date.
        • Path
     

    Possible Connections

    This post was published subsequent to an advisory from Microsoft that requested customers to patch their computers due to a vulnerability discovered in their cloud services. However, since the actor has not provided samples or mentioned the specific vulnerability or technology used, our researchers believe, with low confidence, that the two events can only be linked.  

    Impact & Mitigation

    Impact

    Mitigation

    The above post contains users’ PII information which can potentially be used by threat actors to conduct various attacks such as: Social engineering attacks Phishing attacks Identity theft Target Cosmos DB account information gathering. Retrieval of the credential key leads to account take over. Loss of data integrity by unauthorized modification and compromise of data confidentiality and exfiltration.

    Update the system and all the applications to the latest patches and versions. Use a regular password update policy, and avoid password reuse for multiple accounts. Use 2FA (Two Factor Authentication) across all logins. Patch all the vulnerable and exploitable endpoints. Microsoft has requested organizations to regenerate primary keys for respective Cosmos DB accounts. The link to the official guide is given below:https://docs.microsoft.com/en-us/azure/cosmos-db/secure-access-to-data?tabs=using-primary-key#primary-keys

    References 

    https://mobile.reuters.com/article/amp/idUSL1N2PX2W7?__twitter_impression=true