Azure subscription hijacking and cryptomining

The attack

  • The Azure AD break-glass account was compromised (e.g. the password was obtained from the dark web, through a brute-force password attack, or from a password re-used from a past SaaS breach such as LinkedIn in 2012) and was used to log on to the victim-tenant Azure portal (via a VPN or the Tor browser to hide the source IP address).
  • A guest account was created in the victim tenant (requires elevated permissions in Azure AD: Global Administrator, Guest Inviter or User Administrator) for an account from the attacker tenant (e.g. admin@attacker.onmicrosoft.com); this account needs a mailbox to verify the invitation.
  • The newly created guest account was given Owner permissions on the Azure subscription in the victim tenant (requires elevated permissions in Azure: Owner or User Access Administrator).
  • Log on from the attacker tenant to the Azure portal (Subscriptions section) and switch directory to the victim subscription.
  • Use "Change directory" to transfer the Azure subscription to the attacker tenant (Azure AD).
  • The attacker deployed (10) Azure VMs (e.g. NVv4 (GPU) or Mv2-series) to mine cryptocurrency. See example for pricing (starting from …. )
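The chain above leaves a distinct trail: a break-glass sign-in, an external guest invitation, a privileged role assignment to a guest principal, a subscription directory change, and a burst of compute-heavy VM deployments. The following detector is an added example (not code from the original article or from Nedscaper) that replays that chain over constructed, simplified log records. The record shape, the operation strings such as "Change subscription directory", the tenant names, the subscription id, and the IP address are assumptions that only mirror the general form of Azure AD audit and Azure activity events, not the exact Microsoft schema; the Owner and User Access Administrator role names, the NVv4 size name and the `#EXT#` guest UPN convention are real.

```python
"""Added example: offline detection of the Azure subscription-hijacking chain.

All records below are constructed. Field names and operation strings are
assumptions that mirror the shape of Azure AD audit / Azure activity events,
not the exact Microsoft schema; adapt the matching to your own log source.
"""
from datetime import datetime, timedelta

HOME_DOMAIN = "victim.onmicrosoft.com"                 # constructed victim tenant
BREAK_GLASS_ACCOUNTS = {"breakglass@victim.onmicrosoft.com"}  # constructed
PRIVILEGED_ROLES = {"Owner", "User Access Administrator"}
# VM size families an attacker would pick for mining (GPU / very large memory).
WATCHED_SIZE_PREFIXES = ("Standard_NV", "Standard_NC", "Standard_ND", "Standard_M")
VM_BURST_THRESHOLD = 5
VM_BURST_WINDOW = timedelta(minutes=30)


def _ts(event):
    """Parse an ISO-8601 UTC timestamp of the form 2022-03-01T02:11:05Z."""
    return datetime.fromisoformat(event["time"].replace("Z", "+00:00"))


def guest_to_invite_email(upn):
    """Map a guest UPN (user_domain#EXT#@home) back to the invited address.

    Azure AD builds guest UPNs as <local>_<domain>#EXT#@<home tenant>; the last
    underscore before #EXT# replaces the '@' of the original address.
    """
    local = upn.split("#EXT#")[0]
    head, _, tail = local.rpartition("_")
    return f"{head}@{tail}".lower() if head else local.lower()


def detect(events):
    """Return a list of (rule, severity, actor) alerts for the given records."""
    alerts, invited, privileged_guests, vm_creates = [], set(), set(), []
    for e in sorted(events, key=_ts):
        op, actor = e["operation"], e["actor"]
        if op == "Sign-in" and actor in BREAK_GLASS_ACCOUNTS:
            # A break-glass account is for emergencies only: any use is an alert.
            alerts.append(("break_glass_signin", "high", actor))
        elif op == "Invite external user":
            if e["target"].split("@")[-1].lower() != HOME_DOMAIN:
                invited.add(e["target"].lower())
                alerts.append(("external_guest_invited", "medium", actor))
        elif op == "Microsoft.Authorization/roleAssignments/write":
            if e.get("role") in PRIVILEGED_ROLES and "#EXT#" in e["target"].upper():
                privileged_guests.add(guest_to_invite_email(e["target"]))
                alerts.append(("guest_granted_privileged_role", "high", actor))
        elif op == "Change subscription directory":   # assumed operation name
            alerts.append(("subscription_transferred", "critical", actor))
        elif op == "Microsoft.Compute/virtualMachines/write":
            if e.get("vmSize", "").startswith(WATCHED_SIZE_PREFIXES):
                vm_creates.append(e)

    # Sliding window: N compute-heavy VM creates by one actor within the window.
    by_actor = {}
    for e in vm_creates:
        by_actor.setdefault(e["actor"], []).append(_ts(e))
    for actor, times in by_actor.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > VM_BURST_WINDOW:
                start += 1
            if end - start + 1 == VM_BURST_THRESHOLD:
                alerts.append(("vm_deploy_burst", "high", actor))
                break

    # Correlate: the invited guest got a privileged role and the subscription left.
    hijacked = invited & privileged_guests
    if hijacked and any(a[0] == "subscription_transferred" for a in alerts):
        alerts.append(("hijack_chain_complete", "critical", ",".join(sorted(hijacked))))
    return alerts


# Constructed sample records replaying the attack described above.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # placeholder id
SAMPLE_EVENTS = [
    {"time": "2022-03-01T02:11:05Z", "operation": "Sign-in",
     "actor": "breakglass@victim.onmicrosoft.com", "target": "Azure portal",
     "ip": "203.0.113.7"},   # documentation-range address, stands in for a VPN/Tor exit
    {"time": "2022-03-01T02:14:30Z", "operation": "Invite external user",
     "actor": "breakglass@victim.onmicrosoft.com",
     "target": "admin@attacker.onmicrosoft.com"},
    {"time": "2022-03-01T02:20:12Z",
     "operation": "Microsoft.Authorization/roleAssignments/write",
     "actor": "breakglass@victim.onmicrosoft.com",
     "target": "admin_attacker.onmicrosoft.com#EXT#@victim.onmicrosoft.com",
     "role": "Owner", "scope": SUB},
    {"time": "2022-03-01T02:35:40Z", "operation": "Change subscription directory",
     "actor": "admin@attacker.onmicrosoft.com", "target": SUB},
] + [
    {"time": f"2022-03-01T03:{i:02d}:00Z",
     "operation": "Microsoft.Compute/virtualMachines/write",
     "actor": "admin@attacker.onmicrosoft.com",
     "target": f"miner-{i}", "vmSize": "Standard_NV32as_v4"}   # NVv4 GPU size
    for i in range(10)
]

if __name__ == "__main__":
    for rule, severity, actor in detect(SAMPLE_EVENTS):
        print(f"[{severity:8}] {rule:32} {actor}")
```

Each rule on its own is noisy in a large tenant; the correlation at the end is the high-confidence signal, because a legitimate guest rarely receives Owner on a subscription that then changes directory. The break-glass sign-in rule is the cheapest control of all: an emergency account that is never used in normal operation should page someone on its first sign-in.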

Azure subscription

Protect (Prevention)

Multi-Factor Authentication (MFA)

Block Access from untrusted locations

Detection

Final words

Chief Technology Officer @ Nedscaper

Derk van der Woude