Check Point Software Technologies disclosed today that its investigators were able to exploit a flaw to take over servers in the Microsoft Azure cloud.
The flaw, in the Azure App Service used to install applications, could have let cybercriminals bypass the way Microsoft isolates virtual machines and take control of a whole server.
A second flaw disclosed by Check Point, in Azure Stack, the on-premises edition of Azure, permitted someone to take screenshots or see other sensitive information by exploiting a vulnerability in a DataService job that did not require authentication.
Yaniv Balmas, head of cybersecurity research for Check Point, said the flaw involved how Microsoft used its .NET programming language to isolate virtual machines on its cloud.
Check Point investigators were able to bypass the mechanism Microsoft uses to isolate virtual machines on its cloud, he said.
Microsoft has since fixed the flaw after being informed of it by Check Point. Nevertheless, Balmas said, because .NET is an example of a large platform based on managed code that executes at runtime, it's nearly unavoidable that there would be flaws.
Like any platform created by humans, there will always be some flaw to be discovered. Check Point investigators tend to focus their efforts on large code bases that are built by hand, he remarked.
While public clouds are more secure than the average on-premises IT environment, Balmas said it's important for organizations to remember they are not flawless. Anything built by human developers is expected to have security flaws that hackers are aggressively looking for.
In fact, there's no way to know whether cybercriminals had already discovered the same flaw that Check Point found on the Azure cloud, he said.
What is certain is that, given the number of application workloads being concentrated in public clouds, hackers are vigorously trying to breach these platforms. Regrettably, both hackers and nation-states have far more resources at their disposal to conduct research.
Meanwhile, cybersecurity experts should remind developers there is no such thing as perfect security. Cloud service providers may like to tout the security advantages of their platforms, but there is no silver bullet when it comes to safeguarding any platform that humans built.