A flaw in the design of Azure storage account keys could allow easy hacking

by time news

Attackers could exploit a “design flaw” discovered in Microsoft Azure to gain access to storage accounts, move laterally within an environment, and even execute remote code.

“It is possible to abuse and use Microsoft storage accounts by manipulating Azure functions to steal access tokens from higher privileged identities, move laterally, possibly access important company assets, and remote code execute (RCE),” Orca claimed in a recently shared study. “This can be achieved by abusing and using Azure Functions.”

The attack rests on a mechanism known as shared key authorization. Storage accounts have it enabled by default, which is what makes it easy to exploit.

Microsoft notes that when a storage account is created in Azure, two access keys with a total length of 512 bits are generated automatically. These keys can be used to authorize access to data through the shared key authorization protocol, or via SAS tokens signed with the shared key.

According to the cloud security company, these access tokens can be stolen by manipulating Azure functions. This would allow a threat actor who holds the Storage Account Contributor role on an account to escalate privileges and take control of systems.

When an Azure Function app is deployed, a dedicated storage account is generated for it automatically. If that Function app runs under a managed identity, the storage account can be misused to execute arbitrary commands, which is what makes the attack described above feasible.

After an adversary has discovered the storage account of a Function app that has been assigned a strong managed identity, they can execute code on behalf of the app and, as a consequence, escalate their privileges within the subscription (privilege escalation, PE).

In other words, a threat actor can increase their privileges, move laterally, access additional resources, and even reverse-shell virtual machines by exfiltrating the access token of the managed identity that is assigned to the Azure Function application and sending it to a remote server.

By altering role files in storage accounts, an attacker can steal and exfiltrate a privileged identity and then move laterally, exploit, and compromise victims’ most valuable crown jewels, according to Nisimi.

As a mitigation, enterprises are advised to consider disabling shared key authorization in Azure and adopting Azure Active Directory authentication instead. Referring to its upcoming changes, Microsoft said in a coordinated disclosure that it “plans to improve how the Functions client tools work with storage accounts.”

“Among them are modifications to provide improved support for use cases that use identities. Once the new experiences have been validated and identity-based connections for AzureWebJobsStorage are generally available, identity will become the default mode for AzureWebJobsStorage. This is intended to move away from shared key authorization, which has been the current mode,” the tech giant explained.
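The two mitigations above (turning off shared key authorization on storage accounts, and moving AzureWebJobsStorage to an identity-based connection) can be audited from the JSON that the Azure CLI already emits. The following is an added example, not code from the article, Orca or Microsoft; it assumes the documented `allowSharedKeyAccess` property of `az storage account list` and the `AzureWebJobsStorage` / `AzureWebJobsStorage__accountName` app settings of Azure Functions, and runs on constructed sample output.

```python
"""Audit helpers: flag storage accounts still relying on shared key authorization and
Function apps whose AzureWebJobsStorage setting embeds an account key.
Inputs mimic `az storage account list -o json` and
`az functionapp config appsettings list -o json` (assumption: documented field names)."""
import json

# Constructed sample (not real accounts): allowSharedKeyAccess is null when the
# default was never changed, and the default is "enabled".
SAMPLE_ACCOUNTS = json.dumps([
    {"name": "funcappstor01", "resourceGroup": "rg-prod", "allowSharedKeyAccess": None},
    {"name": "datalake02", "resourceGroup": "rg-prod", "allowSharedKeyAccess": False},
    {"name": "legacyshare03", "resourceGroup": "rg-legacy", "allowSharedKeyAccess": True},
])

# Constructed sample Function app settings; the key value is a placeholder.
SAMPLE_APP_SETTINGS = json.dumps([
    {"name": "AzureWebJobsStorage",
     "value": "DefaultEndpointsProtocol=https;AccountName=funcappstor01;"
              "AccountKey=<PLACEHOLDER>;EndpointSuffix=core.windows.net"},
    {"name": "FUNCTIONS_WORKER_RUNTIME", "value": "python"},
])

def shared_key_enabled(account: dict) -> bool:
    """Shared key auth is on unless explicitly set to false (null == default == enabled)."""
    return account.get("allowSharedKeyAccess") is not False

def find_shared_key_accounts(accounts_json: str) -> list:
    """Return each account with shared key auth enabled plus the CLI remediation.
    Caveat: disabling it also invalidates SAS tokens signed with the account key, and
    breaks a Function app that still uses a key-based AzureWebJobsStorage string."""
    findings = []
    for acct in json.loads(accounts_json):
        if shared_key_enabled(acct):
            findings.append({
                "account": acct["name"],
                "resourceGroup": acct["resourceGroup"],
                "remediation": (f"az storage account update --name {acct['name']} "
                                f"--resource-group {acct['resourceGroup']} "
                                f"--allow-shared-key-access false"),
            })
    return findings

def webjobs_storage_uses_key(settings_json: str) -> bool:
    """True when AzureWebJobsStorage is a connection string carrying AccountKey= and no
    identity-based AzureWebJobsStorage__accountName setting is present."""
    settings = {s["name"]: s["value"] for s in json.loads(settings_json)}
    conn = settings.get("AzureWebJobsStorage", "")
    return "AccountKey=" in conn and "AzureWebJobsStorage__accountName" not in settings

if __name__ == "__main__":
    for f in find_shared_key_accounts(SAMPLE_ACCOUNTS):
        print(f"[shared key enabled] {f['account']} -> {f['remediation']}")
    print("AzureWebJobsStorage uses shared key:", webjobs_storage_uses_key(SAMPLE_APP_SETTINGS))
```

Against real output, pipe `az storage account list -o json` and `az functionapp config appsettings list -o json` into the two functions in place of the constructed samples.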
