How to stop the theft of credentials
Microsoft recommends that you regenerate your Cosmos DB keys to reduce the risk from attackers who may have stolen your Cosmos DB primary write keys before the vulnerability was disabled.
Microsoft has also provided the following best-practice recommendations to further secure Azure Cosmos DB accounts:
All Azure Cosmos DB customers should use a combination of firewall rules, virtual network (VNet) rules and/or Azure Private Link on their accounts. These network protection mechanisms block access from outside your network or from unexpected locations.
Role Based Access Control is a method of controlling access that goes beyond network-level security controls: it grants access to Azure Cosmos DB per user and security principal, and these identities can be audited using Azure Cosmos DB’s diagnostic logs.
We recommend that you implement regularly scheduled key rotations if Role Based Access Control is not possible.
Additional security best practices can be found in the Azure Cosmos DB security baseline document.
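The recommendations above, carried out for one account with the Az PowerShell modules. This is an added example, not code from the article or from Microsoft: it regenerates all four account keys, restricts network access to an IP allow-list and a VNet subnet, grants an application identity the built-in data-contributor role so it no longer needs the key, and enables diagnostic logging. The resource group, account name, subnet and workspace IDs, principal ID and allowed address are placeholders or constructed values, not from the page.

```powershell
# Added example (not from the article or Microsoft): hardening one Azure Cosmos DB
# account along the lines the article summarises. Requires Az.Accounts, Az.CosmosDB
# and a recent Az.Monitor (New-AzDiagnosticSetting). All names/IDs below are
# placeholders or constructed values.
#Requires -Modules Az.Accounts, Az.CosmosDB, Az.Monitor

param(
    [string]$ResourceGroup  = 'rg-cosmos-example',        # assumption
    [string]$AccountName    = 'cosmos-example-account',   # assumption
    # placeholders: replace with the real subnet and Log Analytics workspace resource IDs
    [string]$SubnetId       = '/subscriptions/<sub-id>/resourceGroups/rg-net/providers/Microsoft.Network/virtualNetworks/vnet-app/subnets/snet-app',
    [string]$WorkspaceId    = '/subscriptions/<sub-id>/resourceGroups/rg-ops/providers/Microsoft.OperationalInsights/workspaces/law-sec',
    [string]$AppPrincipalId = '00000000-0000-0000-0000-000000000000',  # placeholder: app's managed identity object ID
    [string[]]$AllowedIps   = @('203.0.113.10/32')        # constructed: office egress address (TEST-NET-3)
)

Connect-AzAccount | Out-Null   # interactive sign-in; omit when a session already exists

# 1. Regenerate keys. Any key an attacker copied before the fix stops working once it
#    is regenerated. Regenerate the secondary first in practice, move clients to it,
#    then regenerate the primary; here all four kinds are rotated in one pass.
foreach ($kind in 'primary', 'secondary', 'primaryReadonly', 'secondaryReadonly') {
    New-AzCosmosDBAccountKey -ResourceGroupName $ResourceGroup -Name $AccountName -KeyKind $kind
}

# 2. Network restriction: IP firewall rules plus a virtual network rule, so the account
#    no longer answers requests from arbitrary internet addresses.
Update-AzCosmosDBAccount -ResourceGroupName $ResourceGroup -Name $AccountName `
    -IpRule $AllowedIps `
    -EnableVirtualNetwork $true `
    -VirtualNetworkRule @($SubnetId)

# 3. Data-plane RBAC: give the application's identity the built-in data contributor
#    role at account scope ('/' is assumed here to mean the whole account), so it
#    authenticates with Azure AD tokens instead of the shared key.
New-AzCosmosDBSqlRoleAssignment -ResourceGroupName $ResourceGroup -AccountName $AccountName `
    -RoleDefinitionName 'Cosmos DB Built-in Data Contributor' `
    -Scope '/' `
    -PrincipalId $AppPrincipalId

# 4. Diagnostic logging: send data-plane and control-plane request logs to a
#    Log Analytics workspace so access by identity and source address can be audited.
$accountId = (Get-AzCosmosDBAccount -ResourceGroupName $ResourceGroup -Name $AccountName).Id
$logs = foreach ($cat in 'DataPlaneRequests', 'ControlPlaneRequests') {
    New-AzDiagnosticSettingLogSettingsObject -Category $cat -Enabled $true
}
New-AzDiagnosticSetting -Name 'cosmos-security-logs' -ResourceId $accountId `
    -WorkspaceId $WorkspaceId -Log $logs
```

Run the steps in this order on a test account first: the network restriction in step 2 takes effect immediately, so any client not covered by the allow-list or the subnet rule loses access at that point. Step 3 only adds a role assignment; the application must also be changed to request an Azure AD token, and key rotation (step 1) should stay on a schedule for any workload that cannot make that change.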
Microsoft also said it is adding further safeguards to monitor future attempts to gain unauthorized access to customers’ Cosmos DB accounts.
Customers should also turn on Azure Defender and Diagnostic Logging, if available, to help spot suspicious activity from unusual IP addresses.
The US Cybersecurity and Infrastructure Security Agency (CISA) has also urged Azure Cosmos DB customers to rotate their keys and to review Microsoft’s guidance on how to Secure Access to Data in Azure Cosmos DB.
CISA stated that although the Azure cloud appears to have fixed the problem, it strongly encouraged Azure Cosmos DB customers to roll and renew their certificate keys.
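What "spotting suspicious activity from unusual IP addresses" looks like once diagnostic logging is on, as an added example that is not part of the article: a PowerShell function that takes exported Cosmos DB DataPlaneRequests records, drops everything from the address ranges that are supposed to reach the account (the same list as the firewall rules), and summarises the rest by client address, counting how many of those requests authenticated with an account key. The log records are constructed for this example and follow the general shape of the DataPlaneRequests category; the exact property names in a real export are an assumption.

```powershell
# Added example (not from the article): flag Cosmos DB data-plane requests that arrive
# from addresses outside the expected ranges. Records below are constructed and only
# approximate the DataPlaneRequests diagnostic category (field names are an assumption).

function ConvertTo-IPv4UInt32 ([string]$Ip) {
    # Dotted-quad IPv4 -> big-endian 32-bit integer, for prefix comparison.
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IpInCidr ([string]$Ip, [string]$Cidr) {
    # True when $Ip falls inside the IPv4 prefix $Cidr (e.g. 203.0.113.0/24).
    $net, $bits = $Cidr -split '/'
    $mask = if ([int]$bits -eq 0) { [uint32]0 }
            else { [uint32](([uint64]0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF) }
    ((ConvertTo-IPv4UInt32 $Ip) -band $mask) -eq ((ConvertTo-IPv4UInt32 $net) -band $mask)
}

function Find-UnexpectedClients {
    param([object[]]$Records, [string[]]$AllowedCidrs)
    $Records |
        Where-Object { $_.category -eq 'DataPlaneRequests' } |
        Where-Object {
            $ip = $_.properties.clientIpAddress
            -not ($AllowedCidrs | Where-Object { Test-IpInCidr $ip $_ })
        } |
        Group-Object { $_.properties.clientIpAddress } |
        ForEach-Object {
            [pscustomobject]@{
                ClientIp     = $_.Name
                Requests     = $_.Count
                # Requests signed with an account key rather than an Azure AD token:
                # from an unknown address these are the ones a copied key would produce.
                KeyAuthCount = @($_.Group | Where-Object { $_.properties.authTokenType -eq 'key' }).Count
                FirstSeen    = ($_.Group.time | Sort-Object)[0]
            }
        }
}

# Constructed sample export: one JSON record per line. Addresses are documentation
# ranges (TEST-NET-1/2/3) and RFC 1918 space; 203.0.113.0/24 and 10.0.0.0/8 are the
# ranges the account's firewall and VNet rules are assumed to allow.
$records = @'
{"time":"2021-08-27T09:12:03Z","category":"DataPlaneRequests","properties":{"clientIpAddress":"203.0.113.10","authTokenType":"aad","operationType":"Read","statusCode":"200"}}
{"time":"2021-08-27T09:12:09Z","category":"DataPlaneRequests","properties":{"clientIpAddress":"10.1.2.3","authTokenType":"key","operationType":"Query","statusCode":"200"}}
{"time":"2021-08-27T09:13:41Z","category":"DataPlaneRequests","properties":{"clientIpAddress":"198.51.100.77","authTokenType":"key","operationType":"Query","statusCode":"200"}}
{"time":"2021-08-27T09:13:42Z","category":"DataPlaneRequests","properties":{"clientIpAddress":"198.51.100.77","authTokenType":"key","operationType":"Query","statusCode":"200"}}
{"time":"2021-08-27T09:13:44Z","category":"DataPlaneRequests","properties":{"clientIpAddress":"198.51.100.77","authTokenType":"key","operationType":"Read","statusCode":"200"}}
{"time":"2021-08-27T09:20:00Z","category":"DataPlaneRequests","properties":{"clientIpAddress":"192.0.2.5","authTokenType":"aad","operationType":"Read","statusCode":"403"}}
'@ -split '\r?\n' | Where-Object { $_.Trim() } | ForEach-Object { $_ | ConvertFrom-Json }

Find-UnexpectedClients -Records $records -AllowedCidrs @('203.0.113.0/24', '10.0.0.0/8') |
    Sort-Object KeyAuthCount -Descending |
    Format-Table -AutoSize
```

On the constructed input this reports two addresses: 198.51.100.77 with three key-authenticated requests and 192.0.2.5 with one token-authenticated request that was refused. A burst of key-authenticated requests from an address that is not on the allow-list, seen before the keys were regenerated, is the pattern worth investigating first; with the logs in a Log Analytics workspace the same filter is a query over the DataPlaneRequests records rather than a local script.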