32.Lock Code Circular

Multiple misconfigurations in a service that underpins many Azure features could have allowed an attacker to remotely compromise a cloud user's system.

An attack chain exploiting misconfigurations and weak security controls in a common Azure service is highlighting how lack of visibility impacts the security of cloud platforms. 

The "EmojiDeploy" attack chain could allow a threat actor to run arbitrary code with the permission of the Web server, steal or delete sensitive data, and compromise a targeted application, Ermetic stated in its Jan. 19 advisory. An attacker could use a trio of security issues affecting the common Source Code Management (SCM) service — a cloud service used by many Azure applications without an explicit indication to the user, according to Ermetic.

The issues demonstrate that the security of cloud platforms are undermined by the lack of visibility into what those platforms do under the hood, says Igal Gofman, head of research for Ermetic.