Cloud Hacking: The Azure Cyber Kill Chain - Part 1

Microsoft Azure is one of the leading cloud platforms and is used by organisations around the world. However, like any IT infrastructure, Azure is not free from security risks. Cybercriminals use a variety of attack techniques to gain unauthorised access and spread throughout the cloud environment.

One technique to describe these attack strategies is the Azure Kill Chain. Similar to the classic cyber kill chain, it illustrates the different stages of an attack on an Azure environment - from initial reconnaissance to data theft.

This series of articles looks at each step in the kill chain.

Overview of the Azure Kill Chain

An attack on Azure infrastructures can be broken down into several phases:

Reconnaissance – Cybercriminals gather specific information about the target environment in order to identify potential vulnerabilities.

Initial Access – The information gathered is used to identify entry points into the Azure environment.

Enumeration – After successfully gaining access, cybercriminals analyse the environment to locate high-value resources and privileged identities.

Privilege Escalation – By exploiting misconfigurations or vulnerabilities, attempts are made to gain higher privileges.

Lateral Movement – Once elevated privileges have been achieved, attackers move within the cloud environment to potentially gain control of other systems or applications.

Persistence – Implementing mechanisms to retain access to the environment at a later date, or after the initial intrusion has been detected.

Data Mining – Systematic search for sensitive data, often combined with an attempt to transfer it out of the environment unnoticed.

Defense Evasion – In order to avoid detection, activities are concealed and possible evidence is removed.

In this Insight, we will focus on the first two phases: Reconnaissance and Initial Access.

1. Reconnaissance – The awareness phase

In the first phase, the cybercriminal gathers specific information about the target to identify potential entry points. In cloud environments like Azure, this process differs from traditional IT networks: While traditional networks use techniques such as port scans or domain enumeration for reconnaissance, in Azure, attackers can often gain valuable information about the infrastructure through publicly available services, APIs, and metadata sources - without direct access to the network.

Typical Recon techniques in Azure

General information about an Azure instance (a so-called tenant) can be obtained relatively conveniently and anonymously - all that is needed is the name of the tenant, which can often be determined from permutations of the company name. This name can be used to call the following URL to obtain, among other things, the tenant ID, which may be relevant for further attack vectors:

https://login.microsoftonline.com/<domain>/.well-known/openid-configuration

This endpoint provides the tenant's OpenID configuration information. This includes details such as the issuer and other metadata that a criminal actor can use as a starting point for further attacks.

User enumeration is also very simple. If single sign-on (SSO) is used, the following API endpoint can be used to check whether a particular user account exists.

https://login.microsoftonline.com/common/GetCredentialType

If Azure services are also being used, the enumeration of subdomains opens up further possibilities: Azure services are typically accessible through fixed URL patterns. For example, App Services can usually be found under the domain *.azurewebsites.net and Blob Storage accounts under *.blob.core.windows.net. In each case, the asterisk (*) is replaced with the individually assigned resource name. For example, a Blob Storage account named CompanyName-Prod-Storage1 would be accessible at CompanyName-Prod-Storage1.blob.core.windows.net. It is also common to find these URLs in the source code of web pages.

Tools such as MicroBurst and AADInternals are used to support this process. They make it possible to gather general tenant information, enumerate services and identify users with just a few commands.

While there are many other ways to gather information about cloud environments, these approaches already illustrate the risks associated with the public availability of cloud services.

2. Initial Access – The first entrance

Once enough information has been gathered, the next step is to find an initial entry point. This is often the most important stage, as it determines whether the attack can be successful.

Phishing is one of the most common types of attack. In addition to classic phishing emails, which trick users with fake messages, there is a sophisticated variant that is often used in Microsoft cloud environments: the so-called consent-grant attack. In this attack, users are tricked into granting extensive access rights to an application without fully understanding the implications. This gives criminals indirect access to sensitive data, as the granted permissions allow them to move around the cloud environment undetected. A detailed analysis of such an attack will follow in a forthcoming technical report. Besides the consent-grant attack there is another method, device code phishing, which will also be analysed in more detail in a follow-up article on multi-factor login attacks.

In addition, the classic brute force attack, i.e. the systematic testing of passwords, remains a commonly used method. A more advanced variant is password spraying, where a small number of commonly used passwords are tested across many accounts to avoid blocking and detection of the attack.
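The difference between the two attack patterns above is also what a detection rule keys on: brute force means many failures against one account, spraying means a few failures each against many accounts from the same source. The following Python is an added example, not code from the original article, and runs over constructed sign-in records whose field names are assumed (a real Entra ID sign-in export would need a small mapping step).

```python
# Added example: telling password spraying apart from brute force in failed
# sign-ins grouped by source IP. Record layout and values are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

SPRAY_IP, BRUTE_IP, BENIGN_IP = "203.0.113.10", "198.51.100.7", "192.0.2.5"
T0 = datetime(2024, 5, 1, 9, 0)


def _ev(minutes, user, ip, status="failure"):
    # Build one constructed sign-in record (hypothetical field names).
    return {"time": (T0 + timedelta(minutes=minutes)).isoformat(),
            "user": user, "ip": ip, "status": status}


# Constructed sample data: one spraying source (8 users, 1 try each), one
# brute-force source (1 user, 12 tries) and one ordinary user who mistyped once.
SAMPLE_SIGNINS = (
    [_ev(i, f"user{i}@example.com", SPRAY_IP) for i in range(8)]
    + [_ev(i, "alice@example.com", BRUTE_IP) for i in range(12)]
    + [_ev(0, "bob@example.com", BENIGN_IP),
       _ev(1, "bob@example.com", BENIGN_IP, "success")]
)


def classify_failed_signins(events, window=timedelta(minutes=30),
                            spray_min_users=5, brute_min_attempts=10):
    """Return {ip: (label, count)} for source IPs whose failed sign-ins inside
    `window` look like spraying (many accounts, at most 2 tries per account)
    or brute force (one account, many tries). Other IPs are not reported."""
    by_ip = defaultdict(list)
    for e in events:
        if e["status"] == "failure":
            by_ip[e["ip"]].append((datetime.fromisoformat(e["time"]), e["user"]))
    findings = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        first = attempts[0][0]
        per_user = defaultdict(int)
        for t, user in attempts:
            if t - first <= window:          # only count the first window
                per_user[user] += 1
        total = sum(per_user.values())
        if len(per_user) >= spray_min_users and max(per_user.values()) <= 2:
            findings[ip] = ("spray", len(per_user))
        elif len(per_user) == 1 and total >= brute_min_attempts:
            findings[ip] = ("brute_force", total)
    return findings
```

The thresholds are illustrative; in practice they are tuned against the tenant's own baseline of failed sign-ins.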

However, Azure resources themselves are also vulnerable to exploitation. In the reconnaissance section above, we talked about storage account enumeration. Storage accounts can be misconfigured to expose data on public endpoints, often without sufficient access controls. For example, overly broad shared access signatures (SAS) or incorrectly set permissions can lead to sensitive data being accessed inadvertently. Storage account versioning, if enabled, can also be of interest to cybercriminals: it makes it possible to restore supposedly deleted files, so that even old or deleted data can fall into the wrong hands.
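What "overly broad" means for a SAS can be checked mechanically from the token's query parameters (sp = permissions, se = expiry, sip = allowed IP range, spr = protocol, srt/sr = scope). The following Python is an added example, not from the original article; the two URLs are constructed and their sig values are placeholders, not real signatures.

```python
# Added example: flag risky settings in a shared access signature (SAS) URL.
# Sample URLs are constructed; "PLACEHOLDER" stands in for the signature.
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

BROAD_SAS = ("https://examplestorage.blob.core.windows.net/backups?"
             "sv=2022-11-02&ss=bfqt&srt=sco&sp=rwdlacupx&se=2030-01-01T00:00:00Z"
             "&spr=https,http&sig=PLACEHOLDER")
SCOPED_SAS = ("https://examplestorage.blob.core.windows.net/backups/report.csv?"
              "sv=2022-11-02&sr=b&sp=r&se=2024-05-02T00:00:00Z"
              "&sip=203.0.113.0-203.0.113.255&spr=https&sig=PLACEHOLDER")


def review_sas(url, now):
    """Return a list of human-readable findings for the SAS in `url`.
    `now` must be a timezone-aware datetime used for the expiry check."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    findings = []
    perms = set(q.get("sp", ""))
    # w/d/a/c/x/y let the holder change or destroy data, not just read it
    if perms & set("wdacxy"):
        findings.append("modifying permissions granted: sp=" + q["sp"])
    if "l" in perms:
        findings.append("list permission: every blob in scope is discoverable")
    expiry = datetime.fromisoformat(q["se"].replace("Z", "+00:00"))
    if expiry - now > timedelta(days=30):
        findings.append(f"long-lived: expires in {(expiry - now).days} days")
    if "sip" not in q:
        findings.append("no source IP restriction (sip)")
    if "http" in q.get("spr", "https").split(","):
        findings.append("usable over plain HTTP (spr)")
    # account SAS over service/container scope, or a container-level service SAS
    if ("srt" in q and set(q["srt"]) & set("sc")) or q.get("sr") == "c":
        findings.append("scope wider than a single blob")
    return findings


if __name__ == "__main__":
    now = datetime(2024, 5, 1, tzinfo=timezone.utc)
    for name, url in (("broad", BROAD_SAS), ("scoped", SCOPED_SAS)):
        print(name, review_sas(url, now) or ["no findings"])
```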

These attack vectors are only a small part of the possible threats. There are many others, including token theft, session hijacking, managed identity theft and data leakage.

Conclusion & future perspectives

The first two steps in the Azure kill chain - Reconnaissance and Initial Access - are critical to the success of an attack. In this article, we've seen how attackers gather information about an Azure environment and identify initial access points.

The next article will take a closer look at the following steps:

  • Enumeration - What resources are of interest?
  • Privilege escalation - How does the attacker gain elevated privileges?


Until then: Secure your Azure environment! Enable MFA, audit public resources, and make sure you are not granting unnecessary privileges.