Methodology

Within cloud storage services, we witness users sharing various file types, such as Microsoft Office and Adobe files, and attackers taking advantage of this to deliver malware through email. Moreover, use cases of cloud storage go beyond internal interfaces, with business logic being shared with third parties. Therefore, the Azure Defender for Storage security team has mapped the attack surface undertaken by leveraging Storage service.

This post reflects our findings based on the MITRE ATT&CK® framework, which is a knowledge base for tactics and techniques employed in cyberattacks. MITRE matrices have become an industry standard and are embraced by organizations aiming to understand potential attack vectors in their environments and to ensure they have adequate detections and mitigations in place.

While analyzing the security landscape of storage, and applying the same methodology we defined for Kubernetes, we noticed the resemblance and differences across techniques. Whilst Kubernetes underlies an operating system, its threat matrix is structured like MITRE matrices for Linux or Windows. Aiming to address the entire attack surface for storage, from data loss prevention (DLP) and sensitive content exposure to uncovering malicious content distribution over a file share Server Message Block (SMB), we adjusted the enterprise tactics to fit a data service.

The threat matrix stages

We expect this matrix to dynamically evolve as more threats are discovered and exploited, and techniques can also be deprecated as cloud infrastructures constantly progress towards securing their services. Below we will address each of the threat matrix stages in more detail.

Figure 1:  Threat matrix for Storage.

Stage 1: Reconnaissance

Adversaries are trying to gather information they can use to plan future operations. Reconnaissance consists of techniques that involve actively or passively gathering information that can be used to support targeting.

• Storage account discovery: Adversaries may enumerate storage account names (or leverage an existing enumeration process) to find an active storage account. Examples of such methods can vary from search dorks (site:*.blob.core.windows.net) to brute-force account creations. Adversaries can also employ crawler results or leverage public toolkits, such as Microburst and BlobHunter.
• Public containers discovery: Adversaries may enumerate container names (or leverage an existing enumeration process) for an already known storage account. Adversaries can employ crawler results or leverage public toolkits, such as Microburst and BlobHunter.

Stage 2: Initial access

Adversaries are trying to get into your network. Initial access consists of techniques that use various entry vectors to gain their initial foothold within a network. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited use due to changing passwords or keys.

• Valid SAS URI: A shared access signature (SAS) is a uniform resource identifier (URI) that grants restricted access rights to storage resources. Adversaries may steal a SAS URI using one of the Credential Access techniques or capture a SAS URI earlier in their reconnaissance process through social engineering to gain initial access. Adversaries may also leverage identity and access management (IAM) privileges to generate a valid SAS offline based on a stolen storage account key.
• Valid access key: Adversaries may steal an access key using one of Credential Access techniques or capture one earlier in their reconnaissance process through social engineering to gain initial access. Adversaries may leverage keys left in source code or configuration files. Sophisticated attackers may also obtain keys from hosts (virtual machines) that have mounted File Share on their system (SMB).
• Valid Azure Active Directory (Azure AD) principal: Adversaries may steal account credentials using one of the Credential Access techniques or capture an account earlier in their reconnaissance process through social engineering to gain initial access. An authorized Azure AD account/token can result in full control of storage account resources.
• Use of public access: Adversaries may leverage publicly exposed storage accounts to list containers/blobs and their properties, information that can be beneficial as the attack advances. Adversaries may employ application programming interfaces (APIs), such as the List Blobs This technique is oftentimes reported as the exploitation vector used in targeted campaigns.

Stage 3: Persistence

Adversaries are trying to maintain their foothold. Persistence consists of techniques that adversaries use to keep access to systems across changed credentials and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems.

• Firewalls and Virtual Networks configuration changes: Storage services offer a set of built-in security features. Administrators can leverage these capabilities to restrict access to storage resources. Restriction rules can operate at the IP level. When network rules are configured, only requests originated from authorized subnets will be served. Adversaries may insert additional rules to ensure persistent access.
• Role-based access control (RBAC) changes: Storage services offer built-in RBAC roles that encompass sets of permissions used to access different data types. Definition of custom roles is also supported. Upon assignment of an RBAC role to an identity object (like Azure AD security principal) the storage provider grants access to that security principal. Adversaries may leverage the RBAC mechanism to ensure persistent access to their owned identity objects.

Stage 4: Defense evasion

Adversaries are trying to avoid being detected. Defense evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include abuse trusted processes to hide and masquerade their malicious intents. Other tactics’ techniques are cross-listed here and include the added benefit of subverting defenses.

• Firewalls and Virtual Networks configuration changes: Storage services offer a set of built-in security features. Administrators can leverage these capabilities to restrict access to storage resources. Restriction rules can operate at the IP level. When network rules are configured, only requests originated from authorized subnets will be served. Adversaries may insert additional rules to masquerade and/or legitimatize their data exfiltration channel.
• RBAC changes: Storage services offer built-in RBAC roles that encompass sets of permissions used to access different data types. Definition of custom roles is also supported. Upon assignment of an RBAC role to an identity object (like Azure AD security principal) the storage provider grants access to that security principal. Adversaries may leverage the RBAC mechanism to disguise their activities as typical within a compromised environment.
• Storage data clone: Storage services offer different types of cloning or backup data stored on them. Adversaries may abuse these built-in capabilities to steal sensitive documents, source code, credentials, and other business crucial information. This technique was employed as part of Capital One data theft.
• Data transfer size limits: Adversaries may fragment stolen information and exfiltrate it on different size chunks to avoid being detected by triggering potentially predefined transfer threshold alerts.
• Automated exfiltration: Adversaries may exploit legitimate automation processes, predefined by the compromised organization, with the goal of having their logging traces blend in normally within the company’s typical activities. Assimilating or disguising malicious intentions will keep adversary actions, such as data theft, stealthier.
• Access control list (ACL) modification: Adversaries may adjust ACL configuration at the granularity of specific a blob or container, to secure a channel to exfiltrate stolen data. These ACL modifications occur at the control-plane level, which is oftentimes overlooked. By narrowing existing exposure restrictions, adversaries may infiltrate an organization’s internal and sensitive resources.

Stage 5: Credential Access

Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.

• Access query key: Adversaries may leverage subscription/account-level access to gather storage account keys and use these keys to authenticate at the resource level. This technique exhibits cloud resource pivoting in combination with control management and data planes. Adversaries can query management APIs to fetch primary and secondary storage account keys.
• Access Cloud Shell profiles: Cloud Shell is an interactive, authenticated, browser-accessible shell for managing cloud resources. It provides the flexibility of shell experience, either Bash or PowerShell. To support the Cloud Shell promise of being accessible from everywhere, Cloud Shell profiles and session history are saved on storage account. Adversaries may leverage the legitimate use of Cloud Shell to impersonate account owners and potentially obtain additional secrets logged as part of session history.

Stage 6: Discovery

Adversaries are trying to figure out your environment. Discovery consists of techniques adversaries may use to gain knowledge about the system. These techniques help adversaries observe the environment and orient themselves before deciding how to act. Tools witnesses, at the reconnaissance phase, are often used toward this post-compromise information-gathering objective.

• Storage service discovery: Adversaries may leverage subscription/account-level access to discover storage properties and stored resources. Tools witnessed, at the reconnaissance phase, are oftentimes used toward this post-compromise information-gathering objective, now with authorization to access storage APIs, such as the List Blobs call.

Stage 7: Lateral movement

Adversaries are trying to move through your environment. Lateral movement consists of techniques that adversaries use to enter and control remote systems on a network. Reaching their objective often involves pivoting through multiple systems and accounts to gain access. Adversaries may install their own remote access tools (RAT) to accomplish lateral movement or use legitimate credentials with native network and operating system tools, which may be stealthier.

• Malicious content upload: Adversaries may use storage services to store a malicious program or toolset that will be executed at later times during their operation. In addition, adversaries may exploit the trust between users and their organization’s Storage services by storing phishing content. Furthermore, storage services can be leveraged to park gathered intelligence that will be exfiltrated when terms suit the actor group.
• Malware distribution: Storage services offer different types of mechanisms to support auto-synchronization between various resources and the storage account. Adversaries may leverage access to the storage account to upload malware and benefit from the auto-sync built-in capabilities to have their payload being populated and potentially weaponize multiple systems.
• Trigger cross-service interaction: Adversaries may manipulate storage services to trigger a compute service (like Azure Functions/AWS Lambda triggers), where an attacker already has a foothold on a storage container and can inject a blob that will initiate a chain of a compute process. This may allow an attacker to infiltrate another resource and cause harm.
• Data manipulation: Content stored on a storage service may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Upon execution by a legitimate user of tainted content, the malicious portion runs the adversary’s code on a remote system. Adversaries may use tainted shared content to move laterally.
• Access Cloud Shell profiles: Cloud Shell is an interactive, authenticated, browser-accessible shell for managing cloud resources. It provides the flexibility of shell experience, either Bash or PowerShell. To support the Cloud Shell promise of being accessible from everywhere, Cloud Shell profiles and session history are saved on storage account. Adversaries may leverage the legitimate use of Cloud Shell to impersonate account owners and potentially obtain additional secrets logged as part of session history.

Stage 8: Exfiltration

Adversaries are trying to steal data. Exfiltration consists of techniques that adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption. Techniques for getting data out of a target network typically includes transferring it over their command-and-control channel or an alternative channel and may also include putting size limits on the transmission.

• Storage data clone: Storage services offer different types of cloning or backup data stored on them. Adversaries may abuse these built-in capabilities to steal sensitive documents, source code, credentials, and other business crucial information. This technique has been employed as part of data theft previously.
• Data transfer size limits: Adversaries may fragment stolen information and exfiltrate it on different size chunks to avoid being detected by triggering potentially predefined transfer threshold alerts.
• Automated exfiltration: Adversaries may exploit legitimate automation processes, predefined by the compromised organization, with the goal of having their logging traces blend in normally within the company’s typical activities. Assimilating or disguising malicious intentions will keep adversary actions, such as data theft, stealthier.
• ACL modification: Adversaries may adjust ACL configuration at the granularity of a specific blob or container, to secure a channel to exfiltrate stolen data. These ACL modifications occur at the control-plane level, which is oftentimes overlooked. By narrowing existing exposure restrictions, adversaries may infiltrate an organization’s internal and sensitive resources.

Stage 9: Impact

Adversaries are trying to manipulate, interrupt, or destroy your systems and data. Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach.

• Data corruption: Adversaries may corrupt data stored on storage services to disrupt the availability of systems or other lines of business.
• Data encryption for impact (ransomware): Adversaries may encrypt data stored on storage services to disrupt the availability of systems or other lines of business. Making resources inaccessible by encrypting files or blobs and withholding access to a decryption key. This may be done to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware).

Get started today

Understanding the attack surface of data-focused services is the first step of building security solutions for these environments. The threat matrix for storage can help organizations identify gaps in their defenses. We encourage you to try Azure Defender for Storage and start protecting against potential threats targeting your blobs, containers, and file shares. Azure Defender for Storage should be enabled on storage accounts storing sensitive information. For a list of the Azure Defender for Storage alerts, see the reference table of alerts.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Threat matrix for storage services appeared first on Microsoft Security Blog.

The term “Living off the land,” or LoL in short, is used to describe attackers leveraging built-in utilities to carry out attacks. LoLBins usually refer to pre-installed Windows or Linux binary tools that are normally used for legitimate purposes, but on compromised resources, can be leveraged by attackers. This tactic challenges defenders aiming to distinguish between the dual uses of these tools.

The usage of LoLBins is frequently seen, mostly combined with fileless attacks, where attacker payloads surreptitiously persist within the memory of compromised processes and perform a wide range of malicious activities. Together with the use of legitimate LoLBins, attackers’ activities are more likely to remain undetected.

Attackers are increasingly employing stealthier methods to avoid detection. Evidence for a variety of campaigns has been witnessed. Please find a detailed overview of how such an attack unfolds, along with recommendations on how to detect malicious LoLBins’ activities on Windows.

Azure LoLBins

The concept of LoLBins is not limited to traditional operation systems. In this post, we explore different types of Azure Compute virtual machine extensions, which are small applications that provide post-deployment configuration and automation tasks on Azure Virtual Machines. For example, if a virtual machine requires software installation, anti-virus protection, or to run a script inside of it, a virtual machine (VM) extension can be used.

Custom Script Extension downloads and executes scripts on Azure Virtual Machines, Anti-Malware extension for Windows warps different configuration types and applies them into Windows Defender, and VMAccess Extension manages administrative users, SSH keys and enables recovery features such as resetting the administrative password of a virtual machine (VM).

All these extensions serve thousands of administrators coming to orchestrate their Azure fleet. But in cases where an attacker assumes certain roles within a subscription, these Azure built-in capabilities will come in handy bypassing any network defense lines. Therefore, we named them Azure LoLBins.

How does it work?

Every image on Azure Marketplace contains an Azure guest agent implanted into it (VM Agent). The guest agent is a secure, lightweight process that manages VM interaction with the Azure Fabric Controller. The VM Agent has a primary role in enabling and executing Azure Virtual Machine extensions. Without the Azure VM Agent, VM extensions cannot be run.

The Guest Agent is responsible for managing VM extension operations such as installing, reporting status, updating individual extensions, and removing them. Extension packages are downloaded from the Azure Storage extension repository by the guest agent through communication with Azure fabric (over channel to 168.63.129.16).

To perform its tasks, the guest agent runs a Local System. Consequently, payloads of extensions, such as Custom Script Extension and Run Command, run on Azure Virtual Machines with extensive privileges on the local computer.

Impact

In this section, we will examine several behaviors we recently witnessed that demonstrate the exceptionality and potential strength of the VM extensions, making the specific Azure IAM roles, containing the rights to call them a lucrative target for attackers.

Case 1: Custom Script Extension

Custom Script Extension downloads and executes scripts on Azure Virtual Machines. This extension is useful for post-deployment configuration, software installation, or any other configuration or management tasks. Scripts can be downloaded from Azure Storage or GitHub, or provided to the Azure portal at extension run time. The Custom Script Extension can be run using the Azure CLI, PowerShell, Azure portal, or the Azure Virtual Machine REST API.

Usage of Custom Script Extension was seen spanning across different customers to fetch an executable from the same GitHub repository. We followed the traces to GitHub, finding the repository in question being publicly accessible allowed us to confirm the suspicion. The code intention within the executed payload (hack1.sh, see snippet below) is to mine cryptocurrency.

This behavior was observed across multiple customers from different countries within a noticeably short timeframe, together with the GitHub repository being inactive increased our suspicion this activity should not be associated with normal pen-test, red-team, or intended activity.

Case 2: VMAccess Extension

VMAccess Extension can create new administrator accounts, reset the password of an existing administrator account, reset the built-in administrator account and or reset the Remote Desktop service Configuration. Moreover, for Linux VMs, the extension can reset SSH public keys. Furthermore, similarly to other extensions, the VMAccess Extension can be executed through the Azure portal, Azure CLI, Powershell, or the Azure Virtual Machine REST API.

VM Access is extremely useful when managing your VMs. As an example, for Linux servers, an alternative would be to connect to the VM and execute the equivalent commands manually. Hence, it is one of the most accessible extensions due to its simplified user interface (UI) which you can access from the Azure Portal.

There is no doubt that the VMAccess Extension is a handy way for an attacker to gain initial access to VMs with elevated privileges. Such notorious usages of the extension may sometimes be difficult to notice. As an example, leveraging VM Access to create a common service user or modifying an existing one.

Case 3: Antimalware Extension

Microsoft Antimalware Extension for Azure is a free real-time protection capability that helps identify and remove viruses, spyware, and other malicious software, with configurable alerts when known malicious or unwanted software attempts to install itself or run on your Azure systems. Microsoft Antimalware for Azure is a single-agent solution designed to run in the background without human intervention.

The Microsoft Antimalware for Azure solution includes the Microsoft Antimalware Client and Service, and when used in Windows environment with Windows Defender enabled, the extension will apply any optional configuration policies to be used by Windows Defender, the extension will not deploy any additional antimalware service.

While experimenting with Microsoft Defender for Endpoint alerts for Windows and usage of the Anti-Malware extension, we noticed a correlation between alerts fired on the node followed by API calls to Azure Resource Manager. This orchestrates VM extensions, with configurations to the Anti-Malware extension that excluded the same alert-triggered payloads from being scanned in the future.

Using the Anti-Malware extension, attackers can potentially also disable the real-time protection before loading suspectable tools into the node or exclude specific files and directories for going unnoticed while conducting their malicious activity. Enjoying the benefit that Azure Resource Manager logs was rarely crossed in correlation to in-node telemetry.

Learn more

Microsoft recommends you implement detection and mitigation strategies to minimize exposure to new threats the Cloud brings. Azure Defender goes deep into dissecting attack techniques in order to define and build a depth protection plan.

Detection

Azure Defender has expanded its threat detection capabilities and recently introduced Azure Defender for Resource Manager, a new coverage for Azure deployment and management service. Every request to the Azure Resource Manager Endpoint on management.azure.com is logged and analyzed to reveal malicious intentions and threats.

Azure Defender for Resource Manager monitors all resource management operations performed in your organization performed through the Azure portal, Azure REST APIs, Azure CLI, or other Azure programmatic clients. Azure Defender runs advanced security analytics to detect threats and alert you when suspicious activity occurs. For a list of the Azure Defender for Resource Manager alerts, see the reference table of alerts.

Mitigation

Least privilege principle is a fundamental concept in Cloud environments. Ensuring that minimum access necessary to perform a legitimate operation would be granted to all identity types (human or non-human). A least privilege model for the cloud relies on the ability to continuously adjust access controls. We recommend monitoring all access events and establish a decision-making framework that distinguishes between legitimate and excessive permissions.

Get started for free today

Protect your entire Azure environment with a few clicks and enable Azure Defender for Resource Manager. This offer is free during the preview period. Turn Azure Defender on now.

To learn more about Microsoft Security solutions and our Integrated Threat protection solution visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Azure LoLBins: Protecting against the dual use of virtual machine extensions appeared first on Microsoft Security Blog.