The IT landscape is more complex than it was a few years ago. The cloud has become an integral part of most companies' operations, and it brings new security challenges with it. There is an ongoing battle between security professionals and cybercriminals, who exploit complexity, gaps, or administrative neglect to obtain information, money, or to achieve other goals.
Recently, one of our clients became the target of an advanced attack. In their case it was so-called cryptojacking: an attack in which the victim's computing resources are used to mine cryptocurrencies. It leads to financial losses for the organization, which bears the costs of the abused resources.
In our case, it was an amount of about 10,000 Euros in just a few hours. We also know cases where clients lost tens of thousands of Euros before they realized something was wrong.
How did we notice the incident?
Our support team noticed a sharp increase in costs by using Azure logs and analyzing system warnings. The cost limits had not yet been reached, but the increase was very rapid. We identified administrative accounts and login attempts from various locations. After identifying the problem, we took immediate action: we blocked the suspected admin account and removed its Global Administrator rights. Although MFA (multi-factor authentication) was active in the tenant, the suspicious global admin account was not covered by it. We enforced re-registration of multi-factor authentication. Our administrative team then began logging into the suspicious resources in Azure and removing all resources that had been created, to stop them generating additional costs. This was not easy, because the script executed very quickly and operated in several Azure data centers. At one point we had to remove the entire compromised machine to stop the attack.
User account – access block
After identifying the problem, we immediately blocked the ability to log into the account and reset all active sessions to cut off the attacker.
We noticed that the user had logged into the Azure portal from Europe and the USA. These four attempts allowed the attacker to launch a deployment script that created resources in Azure. The attackers could have used phishing or other social engineering techniques to obtain the credentials.
Login attempts – identification of addresses
We identified various login attempts, both successful and unsuccessful, to different services such as the Azure Portal and the Microsoft Azure CLI. In particular, we looked at login attempts from selected suspicious IP addresses. We found no logins to accounts other than that of the administrator, who was on leave at the time. This administrator may have left his login data somewhere, including a password that was later disclosed.
Although the organization had implemented multi-factor authentication, the attackers were able to bypass it and use the obtained credentials to log in normally. A script may then have run on its own, or cryptojacking may have been the only goal, as our team did not notice any other logins or activities.
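The two signals described in this section, successful sign-ins by one account from different countries in a short window and successful sign-ins that satisfied only a single factor, can be checked mechanically over an Entra ID sign-in log export. The script below is an added example, not ISCG's or the client's code. The records are constructed; their field names follow the sign-in log export (userPrincipalName, createdDateTime, ipAddress, location.countryOrRegion, appDisplayName, status.errorCode, authenticationRequirement), and the thresholds (24-hour window, two countries) are assumptions to tune per tenant.

```python
"""Triage Entra ID sign-in records for a compromised-admin pattern:
successful sign-ins from several countries in a short window, and
successful sign-ins that completed with a single factor only."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (all values invented). errorCode 0 is a successful
# sign-in; 50126 is an invalid username or password.
SIGNINS = [
    {"userPrincipalName": "admin@example.com", "createdDateTime": "2024-05-10T08:02:11Z",
     "ipAddress": "198.51.100.23", "location": {"countryOrRegion": "DE"},
     "appDisplayName": "Azure Portal", "status": {"errorCode": 50126},
     "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "admin@example.com", "createdDateTime": "2024-05-10T08:03:40Z",
     "ipAddress": "198.51.100.23", "location": {"countryOrRegion": "DE"},
     "appDisplayName": "Azure Portal", "status": {"errorCode": 0},
     "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "admin@example.com", "createdDateTime": "2024-05-10T09:15:05Z",
     "ipAddress": "203.0.113.77", "location": {"countryOrRegion": "US"},
     "appDisplayName": "Microsoft Azure CLI", "status": {"errorCode": 0},
     "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "admin@example.com", "createdDateTime": "2024-05-10T09:16:30Z",
     "ipAddress": "203.0.113.77", "location": {"countryOrRegion": "US"},
     "appDisplayName": "Azure Portal", "status": {"errorCode": 0},
     "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "jane@example.com", "createdDateTime": "2024-05-10T08:30:00Z",
     "ipAddress": "192.0.2.10", "location": {"countryOrRegion": "DE"},
     "appDisplayName": "Azure Portal", "status": {"errorCode": 0},
     "authenticationRequirement": "multiFactorAuthentication"},
    {"userPrincipalName": "jane@example.com", "createdDateTime": "2024-05-10T13:30:00Z",
     "ipAddress": "192.0.2.10", "location": {"countryOrRegion": "DE"},
     "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0},
     "authenticationRequirement": "multiFactorAuthentication"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_success(rec):
    return rec["status"]["errorCode"] == 0


def find_geo_spread(records, window=timedelta(hours=24), min_countries=2):
    """Users with successful sign-ins from >= min_countries countries inside any window."""
    by_user = defaultdict(list)
    for r in records:
        if is_success(r):
            by_user[r["userPrincipalName"]].append(
                (parse_ts(r["createdDateTime"]), r["location"]["countryOrRegion"]))
    flagged = {}
    for upn, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            countries = {c for t, c in events[i:] if t - start <= window}
            if len(countries) >= min_countries:
                flagged[upn] = sorted(countries)
                break
    return flagged


def find_single_factor_success(records):
    """Successful sign-ins that satisfied only one factor, e.g. an account the MFA policy did not cover."""
    return [(r["userPrincipalName"], r["createdDateTime"], r["appDisplayName"])
            for r in records
            if is_success(r) and r["authenticationRequirement"] == "singleFactorAuthentication"]


def triage(records):
    """Combine both signals into one finding per affected user."""
    geo = find_geo_spread(records)
    single = find_single_factor_success(records)
    findings = []
    for upn in sorted(set(geo) | {u for u, _, _ in single}):
        findings.append({"user": upn, "countries": geo.get(upn, []),
                         "single_factor_sign_ins": [(t, a) for u, t, a in single if u == upn]})
    return findings


if __name__ == "__main__":
    for f in triage(SIGNINS):
        print(f"{f['user']}: countries={f['countries']} "
              f"single-factor sign-ins={len(f['single_factor_sign_ins'])}")
```

On the constructed data only the admin account is reported: it signed in from two countries within about an hour, and every one of its successful sign-ins (portal and CLI) completed without a second factor. The second signal is the one that matters most after the fact, because it shows directly which privileged accounts the MFA policy does not cover.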
Incident steps – what did the attacker’s script do?
The identified account had Global Administrator privileges, which posed a very high risk. We confirmed that the user-administrator from whose account the activities were carried out was on the last day of his vacation. At the time of the attack he was traveling. It is worth emphasizing that the attack was well thought out: the attacker probably knew that the user would not be able to take action and would have very limited access to information about activity on his account, such as a login alert from another location or an authorization request in the app.
After a successful login, the attacker used a script to create resources in all Azure data centers. The script was designed to operate discreetly and avoid detection by standard monitoring mechanisms. It created four resources in each location: Application Insights, Key Vault, Storage Account, and a Machine Learning workspace. These resources generated costs of around 20,000 Euros in 24 hours.
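Scoping the cleanup is easier when the resource inventory is analysed by type, region and creation time rather than by clicking through the portal. The script below is an added example, not the code ISCG used. It works on a constructed snapshot in the shape of `az resource list --output json` (the `createdTime` field is assumed to be populated, and the subscription id is a placeholder), looks for the four resource types named above created after the incident start, and separates attacker-created resource groups, which can be deleted whole, from a resource planted in a pre-existing group, which must be deleted individually so that legitimate resources survive.

```python
"""Scope cryptojacking resources from an ARM inventory snapshot and build a cleanup plan."""
from collections import defaultdict
from datetime import datetime

SUB = "00000000-0000-0000-0000-000000000000"  # placeholder subscription id

# ARM type names of the four resources the attacker's script deployed per region (lower-cased).
CRYPTOJACK_TYPES = {
    "microsoft.insights/components",                 # Application Insights
    "microsoft.keyvault/vaults",                     # Key Vault
    "microsoft.storage/storageaccounts",             # Storage Account
    "microsoft.machinelearningservices/workspaces",  # Machine Learning workspace
}


def res(name, rtype, location, rg, created):
    """One record in the shape of `az resource list` output (constructed)."""
    return {"id": f"/subscriptions/{SUB}/resourceGroups/{rg}/providers/{rtype}/{name}",
            "name": name, "type": rtype, "location": location,
            "resourceGroup": rg, "createdTime": created}


# Constructed snapshot: two legitimate resources, two regions with the full quartet,
# one region where the script was interrupted, and one workspace planted in the
# legitimate group. Names and times are invented.
RAW = [
    ("prodstor01", "Microsoft.Storage/storageAccounts", "westeurope", "prod-rg", "2023-02-01T10:00:00Z"),
    ("prod-kv", "Microsoft.KeyVault/vaults", "westeurope", "prod-rg", "2023-02-01T10:05:00Z"),
    ("ai-eastus", "microsoft.insights/components", "eastus", "mlws-eastus", "2024-05-10T09:21:00Z"),
    ("kv-eastus", "Microsoft.KeyVault/vaults", "eastus", "mlws-eastus", "2024-05-10T09:22:00Z"),
    ("steastus01", "Microsoft.Storage/storageAccounts", "eastus", "mlws-eastus", "2024-05-10T09:22:30Z"),
    ("mlws-eastus", "Microsoft.MachineLearningServices/workspaces", "eastus", "mlws-eastus", "2024-05-10T09:24:00Z"),
    ("ai-northeurope", "microsoft.insights/components", "northeurope", "mlws-northeurope", "2024-05-10T09:25:00Z"),
    ("kv-northeurope", "Microsoft.KeyVault/vaults", "northeurope", "mlws-northeurope", "2024-05-10T09:26:00Z"),
    ("stnortheurope01", "Microsoft.Storage/storageAccounts", "northeurope", "mlws-northeurope", "2024-05-10T09:26:30Z"),
    ("mlws-northeurope", "Microsoft.MachineLearningServices/workspaces", "northeurope", "mlws-northeurope", "2024-05-10T09:28:00Z"),
    ("kv-southeastasia", "Microsoft.KeyVault/vaults", "southeastasia", "mlws-southeastasia", "2024-05-10T09:31:00Z"),
    ("stsoutheastasia01", "Microsoft.Storage/storageAccounts", "southeastasia", "mlws-southeastasia", "2024-05-10T09:31:30Z"),
    ("mlws-prod", "Microsoft.MachineLearningServices/workspaces", "westeurope", "prod-rg", "2024-05-10T09:33:00Z"),
]
SNAPSHOT = [res(*row) for row in RAW]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


INCIDENT_START = parse_ts("2024-05-10T09:00:00Z")  # assumed: first suspicious sign-in


def suspicious_resources(snapshot, since):
    """Resources of the attacker's types created at or after the incident start."""
    return [r for r in snapshot
            if r["type"].lower() in CRYPTOJACK_TYPES and parse_ts(r["createdTime"]) >= since]


def regions_touched(suspicious):
    """Map region -> sorted list of suspicious resource types found there."""
    by_region = defaultdict(set)
    for r in suspicious:
        by_region[r["location"]].add(r["type"].lower())
    return {loc: sorted(types) for loc, types in by_region.items()}


def full_pattern_regions(suspicious):
    """Regions where the complete four-resource pattern exists."""
    return sorted(loc for loc, types in regions_touched(suspicious).items()
                  if set(types) == CRYPTOJACK_TYPES)


def cleanup_plan(snapshot, since):
    """Delete attacker-created groups whole; delete individual resources in shared groups."""
    suspicious = suspicious_resources(snapshot, since)
    suspicious_ids = {r["id"] for r in suspicious}
    groups_with_legit = {r["resourceGroup"] for r in snapshot if r["id"] not in suspicious_ids}
    delete_groups, delete_resources = set(), []
    for r in suspicious:
        if r["resourceGroup"] in groups_with_legit:
            delete_resources.append(r["id"])       # shared group: remove only the planted resource
        else:
            delete_groups.add(r["resourceGroup"])  # group created by the attacker: remove it whole
    return {"delete_groups": sorted(delete_groups), "delete_resources": sorted(delete_resources)}


if __name__ == "__main__":
    found = suspicious_resources(SNAPSHOT, INCIDENT_START)
    print("regions with the full pattern:", full_pattern_regions(found))
    print(cleanup_plan(SNAPSHOT, INCIDENT_START))
```

Partially deployed regions (here southeastasia, where only a vault and a storage account exist) are still included in the plan, because an interrupted deployment leaves billable resources behind just as a complete one does. Secure the evidence before running any deletion; once a resource group is gone, its activity history stays in the Activity Log but the resource configuration does not.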
Changes introduced by ISCG
After consulting with the Group's CIO, we removed all unnecessary accounts from the administrative group. We reconfigured the MFA service and trained employees on safe use of the cloud and how to avoid potential threats.
Additional controls conducted by ISCG
We carried out a series of additional checks to ensure that the environment is safe. We also identified risky user accounts in the organization that require further analysis.
After detection, and once we had secured the evidence, we removed the created resources from the subscription. We enforced MFA on every global administrator and every privileged role.
Current administrator roles
We reviewed all administrator roles in the client’s environment to ensure that only trusted accounts have the appropriate permissions.
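The role review and the MFA enforcement described in the last two sections can be turned into a repeatable check. The script below is an added example, not ISCG's tooling. It takes a constructed directory-role membership list and a constructed registration report whose records use the `userPrincipalName` and `isMfaRegistered` fields of the Microsoft Graph userRegistrationDetails resource, plus an assumed allowlist of approved administrators, and reports privileged accounts that lack MFA registration, accounts that hold privileged roles without approval, and accounts holding several privileged roles. The Global Administrator ceiling is a parameter; the default of 5 is an assumption.

```python
"""Review privileged Entra ID role holders against MFA registration and an approved list."""
from collections import defaultdict

# Constructed role membership (directory role -> member UPNs). All names are invented.
ROLE_MEMBERS = {
    "Global Administrator": ["admin@example.com", "cio@example.com",
                             "svc-backup@example.com", "jane@example.com"],
    "User Administrator": ["jane@example.com", "helpdesk@example.com"],
    "Security Administrator": ["sec@example.com"],
}

# Constructed registration report in the shape of Graph userRegistrationDetails.
REGISTRATION = [
    {"userPrincipalName": "admin@example.com", "isMfaRegistered": True},
    {"userPrincipalName": "cio@example.com", "isMfaRegistered": True},
    {"userPrincipalName": "svc-backup@example.com", "isMfaRegistered": False},
    {"userPrincipalName": "jane@example.com", "isMfaRegistered": True},
    {"userPrincipalName": "sec@example.com", "isMfaRegistered": True},
    # helpdesk@example.com has no record at all; treated as not registered.
]

# Assumed allowlist agreed with the CIO after the review.
APPROVED_ADMINS = {"cio@example.com", "jane@example.com",
                   "sec@example.com", "helpdesk@example.com"}


def privileged_accounts(role_members):
    """Invert role -> members into account -> sorted list of roles held."""
    accounts = defaultdict(set)
    for role, members in role_members.items():
        for upn in members:
            accounts[upn].add(role)
    return {upn: sorted(roles) for upn, roles in accounts.items()}


def review(role_members, registration, approved, max_global_admins=5):
    """Return the findings a privileged-role review should surface."""
    accounts = privileged_accounts(role_members)
    mfa = {r["userPrincipalName"]: r["isMfaRegistered"] for r in registration}
    global_admins = sorted(role_members.get("Global Administrator", []))
    return {
        # missing record counts as not registered: an absent user cannot prove enrolment
        "missing_mfa": sorted(u for u in accounts if not mfa.get(u, False)),
        "not_approved": sorted(u for u in accounts if u not in approved),
        "multi_role": {u: r for u, r in accounts.items() if len(r) > 1},
        "global_admin_count": len(global_admins),
        "too_many_global_admins": len(global_admins) > max_global_admins,
    }


if __name__ == "__main__":
    for key, value in review(ROLE_MEMBERS, REGISTRATION, APPROVED_ADMINS).items():
        print(f"{key}: {value}")
```

On the constructed data the compromised admin account and a service account appear under "not_approved", the service account and the helpdesk account lack MFA registration, and one person holds two roles. Run such a review on a schedule rather than once: the account that caused this incident was a legitimate administrator whose MFA coverage had silently lapsed.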
Actions taken by the client
The client took a series of actions, including reporting the attack to the local police and informing the CFO and the legal department.
Based on our analysis, we presented the client with a series of recommendations for improving the security of their cloud environment. In particular, we recommended implementing multi-factor authentication for all privileged accounts and conducting a detailed security assessment. According to a 2022 report, attacks on cloud environments have increased by 300% over the past two years, underscoring the importance of regular security reviews and updates.
Although we found no traces of operations on other accounts or in the local AD, scenarios in which multiple accounts or the local AD are compromised are likely. As part of our cooperation with Microsoft, we applied for the cancellation of the generated bill and managed to reverse 100% of the costs. Microsoft publishes an article describing the path and conditions for canceling such costs here: Nonpayment, fraud, and misuse – Partner Center | Microsoft Learn
Help in improving the company’s security
If you feel you need additional support with security, contact our team. We perform periodic security reviews and provide our clients' environments with full 24-hour support, covering both management and security. We have a dedicated service for this, which we often extend with Microsoft Sentinel so that we can respond faster if your infrastructure is attacked.