Microsoft Azure cloud infrastructure may be infected by a "completely undetectable miner"

Brother

"Completely invisible"

SafeBreach experts have demonstrated that a completely undetectable cryptominer can be built for cloud environments. The prospect should obviously worry both cloud vendors and their customers.

The proposed experimental cryptominer abuses the Microsoft Azure Automation service while remaining invisible.

SafeBreach experts said that they found three new ways to launch such a miner. One of them allows it to be deployed in a customer's environment unnoticed, without attracting any attention.

"While this study is of great importance because of its potential impact on cryptocurrency generation in general, we suspect that it will have an impact on other areas, since the same methods can be used to run any task that involves executing code in an Azure environment," said SafeBreach security researcher Ariel Gamrian.

The research published by SafeBreach focuses mainly on finding the "perfect cryptominer" that will offer unlimited access to computing resources, require minimal or no maintenance, cost nothing, and be undetectable.

Azure Automation Features

The miner was implemented using certain features of the Azure Automation service. This service helps automate the creation, deployment, monitoring, and maintenance of resources in Azure.

SafeBreach experts said that they found a bug in the Azure cost calculator that allowed an unlimited number of jobs to run in parallel for free, although only in the attacker's own environment.

Microsoft soon fixed the problem, notes The Hacker News.

Another method boils down to starting a trial run of the mining job and immediately marking it "failed"; right after that, another such trial run can be created, taking advantage of the fact that only one "probe" (trial run) can exist at any given time.

As a result, execution of the desired code can be hidden in the Azure environment to the point of being completely invisible.

A potential attacker can use these methods by establishing a reverse shell connection to an external server and logging in to the endpoint where the automation service operates.

Third way

The third method is the most dangerous: a potential attacker can use a standard feature that allows arbitrary Python packages to be uploaded to Azure Automation.

"We could create a malicious package called pip and upload it to the Automation account. As a result of this upload, the legitimate pip package was overwritten by our version, and after that the service used it for every upload of new packages," explains Gamrian.

SafeBreach published an experimental miner, CloudMiner, that captures free computing power in Azure Automation using the Python package upload mechanism.

Microsoft said that this is intended behavior of the system, which means that potential attackers still have the opportunity to use this capacity to generate cryptocurrency, and to do so for free.

"A parasitic cryptominer that cannot be detected is a nightmare scenario for both cloud users and vendors," says Dmitry Peshkov, an information security expert at SEQ. According to him, it will consume free, but not free, cloud resources, causing potentially unlimited damage. "Well, the most unpleasant thing is that at least one method of running a cryptominer uses regular Azure features that will not be fixed - that is, the vector will remain open indefinitely," Dmitry Peshkov summed up.

The study has so far been limited to cryptomining abuse within Azure. SafeBreach specialists are confident that the same techniques can be used for other purposes that involve running arbitrary code in Microsoft cloud environments.

The company strongly recommends proactively monitoring all resources and all actions performed in cloud environments, and investigating indirect signs of a miner's presence. Above all, watch for execution of the characteristic code, because the miner itself cannot be found directly.
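The two indirect signs the article points at (Gamrian's pip-shadowing upload, and the recommendation to monitor every action in the cloud environment rather than look for the miner itself) can be turned into a simple triage script over exported Azure Activity Log events. The example below is added here and is not SafeBreach's CloudMiner or Microsoft tooling; it keeps the real Activity Log field layout (operationName.value, resourceId, eventTimestamp, caller), but the Microsoft.Automation operation names, the "pip" watchlist, the burst threshold, and all sample events are assumptions constructed for illustration.

```python
"""Triage exported Azure Activity Log events for two indirect signs of
Automation-account abuse described in the article:
  1. a customer-uploaded Python package whose name shadows the service's own
     tooling (the research overwrote "pip");
  2. a burst of Automation jobs started against one account in a short window.
Added example; operation names and the watchlist are assumptions."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Resource-provider operations to watch (assumed operation names).
PACKAGE_WRITE_OPS = {
    "Microsoft.Automation/automationAccounts/python2Packages/write",
    "Microsoft.Automation/automationAccounts/python3Packages/write",
}
JOB_WRITE_OP = "Microsoft.Automation/automationAccounts/jobs/write"

# Package names that should never arrive as a customer upload; seeded with the
# one the research used. Extend from your own baseline.
SHADOWED_NAMES = {"pip"}


def account_of(resource_id):
    """Return the automation account name embedded in an ARM resource id."""
    parts = resource_id.split("/")
    for i, part in enumerate(parts):
        if part.lower() == "automationaccounts" and i + 1 < len(parts):
            return parts[i + 1]
    return resource_id


def parse_ts(stamp):
    """Activity Log timestamps are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def find_shadowing_uploads(events, watch=SHADOWED_NAMES):
    """Package writes whose package name (last resourceId segment) is on the watchlist."""
    hits = []
    for ev in events:
        op = ev.get("operationName", {}).get("value", "")
        if op not in PACKAGE_WRITE_OPS:
            continue
        package = ev["resourceId"].rsplit("/", 1)[-1]
        if package.lower() in watch:
            hits.append({
                "account": account_of(ev["resourceId"]),
                "package": package,
                "caller": ev.get("caller"),
                "time": ev["eventTimestamp"],
            })
    return hits


def find_job_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Per account, the largest number of job writes inside any sliding window
    of `window` length, reported only when it reaches `threshold`."""
    by_account = defaultdict(list)
    for ev in events:
        if ev.get("operationName", {}).get("value") == JOB_WRITE_OP:
            by_account[account_of(ev["resourceId"])].append(parse_ts(ev["eventTimestamp"]))
    bursts = {}
    for acct, times in by_account.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[acct] = max(bursts.get(acct, 0), count)
    return bursts


def _ev(op, resource, stamp, caller="user@example.invalid"):
    return {"operationName": {"value": op}, "resourceId": resource,
            "eventTimestamp": stamp, "caller": caller}


_ACCT = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.Automation/automationAccounts/"

# Constructed sample export: one benign upload, one pip-shadowing upload,
# six job starts in 2.5 minutes on acct-a, two widely spaced starts on acct-b.
SAMPLE_EVENTS = json.loads(json.dumps([
    _ev(list(PACKAGE_WRITE_OPS)[0].replace("python2", "python3"), _ACCT + "acct-a/python3Packages/requests", "2023-01-01T09:55:00Z"),
    _ev("Microsoft.Automation/automationAccounts/python3Packages/write", _ACCT + "acct-a/python3Packages/pip", "2023-01-01T09:58:00Z"),
] + [
    _ev(JOB_WRITE_OP, _ACCT + f"acct-a/jobs/job-{i}", f"2023-01-01T10:0{i // 2}:{'30' if i % 2 else '00'}Z")
    for i in range(6)
] + [
    _ev(JOB_WRITE_OP, _ACCT + "acct-b/jobs/job-x", "2023-01-01T10:00:00Z"),
    _ev(JOB_WRITE_OP, _ACCT + "acct-b/jobs/job-y", "2023-01-01T10:10:00Z"),
]))

if __name__ == "__main__":
    print("shadowing uploads:", find_shadowing_uploads(SAMPLE_EVENTS))
    print("job bursts:", find_job_bursts(SAMPLE_EVENTS))
```

The job-burst check is deliberately coarse: the article's point is that the miner's own code is not visible, so the signal has to come from control-plane activity such as package writes and job starts, which the Activity Log records regardless of what the job executes. Tune the threshold and window to the account's normal schedule before acting on hits.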