Saturday, December 14, 2024
HomeAzureResearchers Backdoored Azure Automation Account Packages And Runtime Environments

Researchers Backdoored Azure Automation Account Packages And Runtime Environments

Published on

SIEM as a Service

Runtime environments offer a flexible way to customize Automation Account Runbooks with specific packages.

While base system-generated environments can’t be directly modified, they can be indirectly changed by adding packages to the old experience and then switching to the new Runtime Environments feature. 

It could potentially be exploited by attackers who create new runtime environments with malicious packages and assign them to target runbooks. To mitigate this risk, it’s crucial to carefully manage and secure runtime environments and avoid using untrusted packages.

- Advertisement - SIEM as a Service
Runtime Environments
Runtime Environments

For the PowerShell proof of concept, they created a custom package named PowerUpSQL, similar to an existing package.

This package will contain two files: a psd1 file defining the module structure and a psm1 file containing the code. 

Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Registration

The psm1 file will include functions to generate a Managed Identity token for the Automation Account and exfiltrate it via HTTP to a specified URL, which can be customized by replacing the hardcoded URL in the example files.

The complete package will be in the “Misc/Packages” folder of the MicroBurst repository.

The PowerShell script module, `PowerUpSQL`, defines a function named `a` that retrieves a token from Azure Active Directory using the System-Assigned Managed Identity and sends it to a specified callback URL via a POST request. 

This function is exported from the module along with metadata, including the module version, GUID, author, company, copyright, and exported functions, cmdlets, variables, and aliases.

The module’s root module file is `PowerUpSQL.psm1`, and the manifest file is `PowerUpSQL.psd1`.

It describes creating a malicious Python package, which includes a directory with an `__init__.py` file and other modules with using a specific tool, aws_consoler, as the target module. 

The text highlights the need to adjust dependencies based on the intended use potentially. Overall, it outlines the setup for a malicious Python package.  

Modules
Modules

It showcases a malicious Python package named “aws_consoler.” The `setup.py` file configures metadata for distribution, while the `aws_consoler.py` script retrieves a token from a predefined URL using environment variables and sends it to another malicious endpoint. 

The old method of uploading modules and Python packages involves selecting a file, specifying a Runtime version, and naming the package. This method can be used in both old and new system-generated environments. 

Burpsuite result
Burpsuite result

Users can add packages to modify an existing Runtime Environment, but this might not work for system-generated environments.

Creating a new environment allows more flexibility in adding packages but requires moving runbooks.

To use malicious packages in Azure Automation, add them to the Automation Account or Runtime Environment and call them in a runbook. For PowerShell, add a line to call the function, possibly obfuscating the function name. 

According to NetSPI, import the `aws_consoler` package for Python, schedule runbooks to regularly check in with a token, and consider creating webhooks for runbooks to establish persistence.

Analyse AnySuspicious Links Using ANY.RUN's New Safe Browsing Tool: Try It for Free

Latest articles

“Password Era is Ending,” Microsoft to Delete 1 Billion Passwords

Microsoft has announced that it is currently blocking an astounding 7,000 password attacks every...

Over 300,000 Prometheus Servers Vulnerable to DoS Attacks Due to RepoJacking Exploit

The research identified vulnerabilities in Prometheus, including information disclosure from exposed servers, DoS risks...

Reyee OS IoT Devices Compromised: Over-The-Air Attack Bypasses Wi-Fi Logins

Researchers discovered multiple vulnerabilities in Ruijie Networks' cloud-connected devices. By exploiting these vulnerabilities, attackers...

New Android Banking Malware Attacking Indian Banks To Steal Login Credentials

Researchers have discovered a new Android banking trojan targeting Indian users, and this malware...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

“Password Era is Ending,” Microsoft to Delete 1 Billion Passwords

Microsoft has announced that it is currently blocking an astounding 7,000 password attacks every...

Over 300,000 Prometheus Servers Vulnerable to DoS Attacks Due to RepoJacking Exploit

The research identified vulnerabilities in Prometheus, including information disclosure from exposed servers, DoS risks...

Reyee OS IoT Devices Compromised: Over-The-Air Attack Bypasses Wi-Fi Logins

Researchers discovered multiple vulnerabilities in Ruijie Networks' cloud-connected devices. By exploiting these vulnerabilities, attackers...