Thursday, May 1, 2025
HomeAzureResearchers Backdoored Azure Automation Account Packages And Runtime Environments

Researchers Backdoored Azure Automation Account Packages And Runtime Environments

Published on

SIEM as a Service

Follow Us on Google News

Runtime environments offer a flexible way to customize Automation Account Runbooks with specific packages.

While base system-generated environments can’t be directly modified, they can be indirectly changed by adding packages to the old experience and then switching to the new Runtime Environments feature. 

It could potentially be exploited by attackers who create new runtime environments with malicious packages and assign them to target runbooks. To mitigate this risk, it’s crucial to carefully manage and secure runtime environments and avoid using untrusted packages.

- Advertisement - Google News
Runtime Environments
Runtime Environments

For the PowerShell proof of concept, they created a custom package named PowerUpSQL, similar to an existing package.

This package will contain two files: a psd1 file defining the module structure and a psm1 file containing the code. 

Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Registration

The psm1 file will include functions to generate a Managed Identity token for the Automation Account and exfiltrate it via HTTP to a specified URL, which can be customized by replacing the hardcoded URL in the example files.

The complete package will be in the “Misc/Packages” folder of the MicroBurst repository.

The PowerShell script module, `PowerUpSQL`, defines a function named `a` that retrieves a token from Azure Active Directory using the System-Assigned Managed Identity and sends it to a specified callback URL via a POST request. 

This function is exported from the module along with metadata, including the module version, GUID, author, company, copyright, and exported functions, cmdlets, variables, and aliases.

The module’s root module file is `PowerUpSQL.psm1`, and the manifest file is `PowerUpSQL.psd1`.

It describes creating a malicious Python package, which includes a directory with an `__init__.py` file and other modules with using a specific tool, aws_consoler, as the target module. 

The text highlights the need to adjust dependencies based on the intended use potentially. Overall, it outlines the setup for a malicious Python package.  

Modules
Modules

It showcases a malicious Python package named “aws_consoler.” The `setup.py` file configures metadata for distribution, while the `aws_consoler.py` script retrieves a token from a predefined URL using environment variables and sends it to another malicious endpoint. 

The old method of uploading modules and Python packages involves selecting a file, specifying a Runtime version, and naming the package. This method can be used in both old and new system-generated environments. 

Burpsuite result
Burpsuite result

Users can add packages to modify an existing Runtime Environment, but this might not work for system-generated environments.

Creating a new environment allows more flexibility in adding packages but requires moving runbooks.

To use malicious packages in Azure Automation, add them to the Automation Account or Runtime Environment and call them in a runbook. For PowerShell, add a line to call the function, possibly obfuscating the function name. 

According to NetSPI, import the `aws_consoler` package for Python, schedule runbooks to regularly check in with a token, and consider creating webhooks for runbooks to establish persistence.

Analyse AnySuspicious Links Using ANY.RUN's New Safe Browsing Tool: Try It for Free

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Netgear EX6200 Flaw Enables Remote Access and Data Theft

Security researchers have disclosed three critical vulnerabilities in the Netgear EX6200 Wi-Fi range extender...

Tesla Model 3 VCSEC Vulnerability Lets Hackers Run Arbitrary Code

A high security flaw in Tesla’s Model 3 vehicles, disclosed at the 2025 Pwn2Own...

Quantum Computing and Cybersecurity – What CISOs Need to Know Now

As quantum computing transitions from theoretical research to practical application, Chief Information Security Officers...

Apache ActiveMQ Vulnerability Lets Remote Hackers Execute Arbitrary Code

A high vulnerability in Apache ActiveMQ’s .NET Message Service (NMS) library has been uncovered,...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Netgear EX6200 Flaw Enables Remote Access and Data Theft

Security researchers have disclosed three critical vulnerabilities in the Netgear EX6200 Wi-Fi range extender...

Tesla Model 3 VCSEC Vulnerability Lets Hackers Run Arbitrary Code

A high security flaw in Tesla’s Model 3 vehicles, disclosed at the 2025 Pwn2Own...

Apache ActiveMQ Vulnerability Lets Remote Hackers Execute Arbitrary Code

A high vulnerability in Apache ActiveMQ’s .NET Message Service (NMS) library has been uncovered,...