Center for Cyber Intelligence


Microsoft BlueBleed | Security Research Resources

Last Updated: October 27, 2022 - 12:15pm EST


On October 19, 2022, security researchers at SOCRadar announced they had identified sensitive data associated with 65,000 entities that was publicly exposed because of a misconfigured Microsoft server. This data leak reportedly includes Proof-of-Execution (PoE) and Statement of Work (SoW) documents, user information, product orders/offers, project details, PII (Personally Identifiable Information), and documents that may reveal intellectual property. SOCRadar has published additional information about their findings here.

The misconfiguration was reported to Microsoft and resolved on September 24, 2022. However, according to researchers at SOCRadar, the data is suspected to have been public facing for multiple years. The general consensus thus far has been that you will know if you are impacted by BlueBleed: Microsoft has reportedly sent a notification to all impacted entities via the Microsoft Admin portal.

Microsoft’s announcement of this event can be found here. This post has also been archived here.

Due to the limited information available from Microsoft, CCI wanted to consolidate some resources we have identified that may aid in your investigation into this event. We will update this article as more information becomes available.

Please Note: We cannot provide any specific data associated with this event. We do not have access to any data related to this event. The information referenced within this article is derived from open sources.

Resources:

  • BlueBleed Search Engine: Organizations can check whether they may have been impacted by the BlueBleed leak using SOCRadar’s “BlueBleed Search Engine.” The search only reports whether or not a domain name was detected in the data leak; it does not provide any other details about the searched domain names. Further, SOCRadar does not have access to the data identified within the BlueBleed data leak and encourages any suspected impacted users or organizations to reach out directly to Microsoft for more information regarding the scope of potential impact.

  • Grayhatwarfare Bucket Discovery: Security practitioner Kevin Beaumont identified at least one bucket named “olyympusv2.blob.core.windows.net” that has been publicly indexed on Grayhatwarfare. To access this link, you may require a Premium or Enterprise-level subscription to Grayhatwarfare.

  • BlueBleed Metadata - This file contains information identified and made public by Kevin Beaumont. This file contains the list of filenames across the Azure Storage blobs that are identified as being included in the BlueBleed event. This is not an exhaustive list of information exposed. Within this file, you will note several types of file extensions such as .msg (email threads), .pdf, .doc, etc. There are also .bak files (MS SQL server backups) - these files contain database tables that may include additional sensitive information. Columns in the file provided by Kevin are:

    • filenamefullPath

    • url

    • size (bytes)

    • lastModified

    You can search this file for information related to your organization. However, as the buckets/blobs are now closed to the public, the links to any files will almost certainly not work. We suggest approaching Microsoft with the names of the files identified as being associated with your organization to aid in your efforts to persuade Microsoft to provide further details about the potential impact caused to your organization.

    I have downloaded a copy of this file - if the link above no longer works, please reach out to me at chris.cooley@centerforcyberintelligence.org and I will provide a copy of the information to you.
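    The metadata file can be searched by hand, but a short script makes it easier to pull out every entry tied to your organization and to see at a glance which file types (for example .bak database backups or .msg email threads) are involved. The following is an added example written for this article; it is not code from CCI, SOCRadar, Microsoft or Kevin Beaumont. It assumes the metadata file is a CSV whose header row carries the four columns listed above (filenamefullPath, url, size (bytes), lastModified); the sample rows embedded in it are constructed placeholders, not real leak data, and the search term "ExampleCorp" is a stand-in for your own organization or domain name.

```python
"""Search a BlueBleed-style metadata file for entries tied to your organization.

Added example, not code from the article or from any of the parties it names.
Assumption: the metadata file is a CSV with a header row containing the four
columns named in the article. The SAMPLE_CSV below is constructed placeholder
data; hostnames, paths and sizes are invented for illustration only.
"""
import csv
import io
import sys
from collections import Counter
from pathlib import PurePosixPath

# Column names as listed in the article (assumed to be the CSV header row).
COLUMNS = ("filenamefullPath", "url", "size (bytes)", "lastModified")

# Constructed sample rows; "placeholder" is a stand-in storage account name.
SAMPLE_CSV = """filenamefullPath,url,size (bytes),lastModified
/exports/ExampleCorp/SOW_2019_final.pdf,https://placeholder.blob.core.windows.net/exports/ExampleCorp/SOW_2019_final.pdf,184320,2019-06-11T08:14:02Z
/exports/ExampleCorp/customer_db.bak,https://placeholder.blob.core.windows.net/exports/ExampleCorp/customer_db.bak,52428800,2020-02-03T22:01:45Z
/exports/OtherOrg/quote.msg,https://placeholder.blob.core.windows.net/exports/OtherOrg/quote.msg,9216,2021-09-30T13:45:00Z
/mail/re-example-corp-renewal.msg,https://placeholder.blob.core.windows.net/mail/re-example-corp-renewal.msg,40960,2021-01-15T09:00:00Z
"""


def load_rows(text):
    """Parse CSV text into dict rows, refusing files that lack the expected columns."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"metadata file is missing columns: {missing}")
    return list(reader)


def normalize(text):
    """Lower-case and drop '-', '_' and spaces so 'Example-Corp' matches 'examplecorp'."""
    return text.lower().replace("-", "").replace("_", "").replace(" ", "")


def find_matches(rows, terms):
    """Return rows whose path or URL contains any of the search terms."""
    needles = [normalize(t) for t in terms]
    hits = []
    for row in rows:
        haystack = normalize(row["filenamefullPath"] + " " + row["url"])
        if any(n in haystack for n in needles):
            hits.append(row)
    return hits


def summarize(hits):
    """Tally matches by extension, total size, newest timestamp and any .bak backups."""
    suffixes = [PurePosixPath(h["filenamefullPath"]).suffix.lower() or "(none)" for h in hits]
    backups = [h["filenamefullPath"] for h, s in zip(hits, suffixes) if s == ".bak"]
    return {
        "count": len(hits),
        "by_extension": dict(Counter(suffixes)),
        "total_bytes": sum(int(h["size (bytes)"]) for h in hits),
        # ISO-8601 timestamps sort correctly as plain strings.
        "latest_modified": max((h["lastModified"] for h in hits), default=None),
        "backups": backups,
    }


def search_file(path, terms):
    """Convenience wrapper: read a real metadata CSV from disk and summarize matches."""
    with open(path, newline="", encoding="utf-8") as fh:
        hits = find_matches(load_rows(fh.read()), terms)
    return hits, summarize(hits)


if __name__ == "__main__":
    # Usage: python bluebleed_search.py <metadata.csv> <term> [<term> ...]
    # With no arguments the constructed sample is searched for "ExampleCorp".
    if len(sys.argv) >= 3:
        matches, summary = search_file(sys.argv[1], sys.argv[2:])
    else:
        matches = find_matches(load_rows(SAMPLE_CSV), ["ExampleCorp"])
        summary = summarize(matches)
    for m in matches:
        print(m["lastModified"], m["size (bytes)"], m["filenamefullPath"])
    print(summary)
```

    The matched filenamefullPath values are the concrete file names the article suggests presenting to Microsoft when requesting details about your exposure; the "backups" list calls out .bak files separately because, as noted above, those may contain database tables with additional sensitive information. Search for several spellings of your organization (legal name, short name, primary domain), since the normalization only collapses case, hyphens, underscores and spaces.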

Recommended Actions:

The Center for Cyber Intelligence recommends any organizations suspected of being impacted check the Microsoft Admin Portal for a message containing the references MC442408 or MC442057 and the subject “Investigation Regarding Misconfigured Microsoft Storage Location.”

Some reporting indicates the message ID will imply whether Microsoft is providing you with detailed information regarding your potential exposure:

  • MC442057: Microsoft indicates that they are unable to provide you with detailed information.

  • MC442048: Microsoft has potentially provided you with a copy of your data.

If you received a notification, CCI recommends:

  • Request the affected data from Microsoft via your admin portal if you have not already received it. Feel free to use filenames you may have identified from the resources here as leverage.

  • If possible, identify impacted persons and warn and educate users about the threat of spear phishing. We believe that the disclosed information could be leveraged by a malicious actor to craft very targeted and realistic spear phishing attacks.

We will update this post as more information becomes available.