Tuesday, April 16, 2024

Microsoft Warns of Azure Bug That Let Attackers Take Control of Azure Container Instances (ACI)

Security analysts at Palo Alto Networks have recently disclosed a new vulnerability that they named Azurescape. According to the report, the issue affects Azure Container Instances, a cloud service that lets companies deploy packaged applications (containers) in the cloud.

The researchers stated that the issue allowed a malicious container to hijack other containers belonging to other users of the platform.

They also affirmed that threat actors exploiting Azurescape could execute commands in someone else's containers and gain access to all of the data of other customers.

Potentially affected Azure Container Instances accounts

There is no indication that any customer data was accessed through this vulnerability. However, the report states that, as a precaution, notifications have been sent to customers that were potentially affected by the researchers' activities.

They also advise that any privileged credentials deployed to the platform before August 31, 2021 should be revoked.

Background on Azure Container Instances

Azure Container Instances (ACI) was launched in July 2017 and was the first Container-as-a-Service (CaaS) offering from a major cloud provider.

With ACI, customers can deploy containers to Azure without maintaining the underlying infrastructure. ACI takes care of:

  • Scaling
  • Request routing
  • Scheduling
  • Implementing a serverless experience for all kinds of containers

Scouting the Node Environment

After examining the node, the researchers verified that their container was the only customer container on it.

Using the Kubelet credentials, they were also able to list the pods and nodes in the cluster.

According to the analysts, the cluster hosted about 100 customer pods across nearly 120 nodes. Each customer was assigned a Kubernetes namespace in which their pod ran, named caas-d98056cf86924d0fad1159XXXXXXXXXX.

Kubernetes CVE-2018-1002102

The API server only occasionally reaches out to Kubelets, but CVE-2018-1002102 marks a security problem in how the API server communicated with Kubelets: it followed redirects.

By redirecting the API server's requests to another node's Kubelet, a malicious Kubelet could spread its compromise across the cluster.
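The defensive fix for this class of bug is to pin redirects to the host the request was originally sent to, so that a node answering with a redirect cannot steer the API server's credentials to a different node. The Go program below is an added illustration, not code from Kubernetes, Microsoft or Palo Alto Networks: it wires an `http.Client` with a `CheckRedirect` policy that refuses cross-host redirects, and stands up two local test servers (an "other" node and an "evil" node that redirects to it) to show that the unpinned client follows the redirect while the pinned client refuses it. Function names, ports and the `/exec` path are assumptions chosen for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync/atomic"
)

// ErrCrossHostRedirect is returned when a redirect would leave the host the
// request was originally sent to.
var ErrCrossHostRedirect = errors.New("cross-host redirect refused")

// sameHostRedirectPolicy is an http.Client CheckRedirect hook. It follows a
// redirect only when scheme and host:port match the first request in the
// chain, so "Location: https://other-node:10250/..." from one node can never
// move the caller (and its credentials) to another node.
func sameHostRedirectPolicy(req *http.Request, via []*http.Request) error {
	if len(via) >= 3 {
		return errors.New("too many redirects")
	}
	origin := via[0].URL
	if req.URL.Scheme != origin.Scheme || req.URL.Host != origin.Host {
		return fmt.Errorf("%w: %s -> %s", ErrCrossHostRedirect, origin.Host, req.URL.Host)
	}
	return nil
}

// NewPinnedClient returns an HTTP client whose redirects are pinned to the
// original host.
func NewPinnedClient() *http.Client {
	return &http.Client{CheckRedirect: sameHostRedirectPolicy}
}

// RedirectAllowed reports, for a request sent to target that was answered
// with a redirect to location, whether the pinned policy would follow it.
func RedirectAllowed(target, location string) (bool, error) {
	t, err := url.Parse(target)
	if err != nil {
		return false, err
	}
	l, err := url.Parse(location)
	if err != nil {
		return false, err
	}
	err = sameHostRedirectPolicy(&http.Request{URL: l}, []*http.Request{{URL: t}})
	if errors.Is(err, ErrCrossHostRedirect) {
		return false, nil
	}
	return err == nil, err
}

// FollowedRedirect stands up two local test servers (constructed for this
// example): "other" plays a second node's Kubelet, and "evil" plays a
// compromised node that answers every request with a redirect to "other".
// It sends one request to "evil" with the given client and reports whether
// "other" ever received a request.
func FollowedRedirect(client *http.Client) (bool, error) {
	var reached int32
	other := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		atomic.StoreInt32(&reached, 1)
		w.WriteHeader(http.StatusOK)
	}))
	defer other.Close()
	evil := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, other.URL+"/exec", http.StatusFound)
	}))
	defer evil.Close()

	resp, err := client.Get(evil.URL + "/exec")
	if resp != nil {
		resp.Body.Close()
	}
	return atomic.LoadInt32(&reached) == 1, err
}

func main() {
	followed, err := FollowedRedirect(&http.Client{})
	fmt.Printf("default client: reached other node=%v err=%v\n", followed, err)
	followed, err = FollowedRedirect(NewPinnedClient())
	fmt.Printf("pinned client:  reached other node=%v err=%v\n", followed, err)
}
```

The same-host rule is deliberately strict: it compares scheme and host:port, so a redirect that only changes the port is also refused, which matters when every node exposes its Kubelet on the same port number.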

Impact of the Attack and Fix

A malicious Azure user could compromise the multitenant Kubernetes clusters that host ACI and their cluster administrator.

Threat actors could then execute commands in other customers' containers, exfiltrate code and private images deployed to the platform, or deploy crypto miners.

A sophisticated adversary would also study the detection tools protecting ACI in order to avoid getting caught.

How to secure ACI?

Cybersecurity analysts have suggested some points that will help users keep ACI secure.

They recommend revoking any privileged credentials that were deployed to the platform before August 31st, 2021.

Common places where configuration and code for container groups are defined include the following:

  • Environment Variables
  • Secret Volumes
  • Azure file share

Consult these security best-practice resources:

  • Azure Container Instances Security Baseline
  • Azure Container Instances Security Considerations

Stay up to date on security-related notifications like this one by configuring Azure Service Health Alerts.

This kind of vulnerability is quite dangerous in nature and has a huge impact on users; Azurescape is proof of how far-reaching that impact can be.

All cloud providers invest heavily in securing their platforms, but unknown zero-day vulnerabilities will still exist and put customers at risk.

Gurubaran, https://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
