Undetectable cryptomining technique found lurking on Microsoft Azure Automation
Someone found a loophole in Azure that allowed them to create free money and never get caught, but instead of taking advantage of it, they reported it to Microsoft and had it fixed.
That someone is a team of researchers from the cybersecurity company SafeBreach, who wanted to experiment to see if they could build the perfect cryptominer: one that uses other people’s resources (e.g. cloud computing power, internet, electricity), has virtually no management necessary, doesn’t cost a cent and is in principle impossible to track down.
They found their way using Azure Automation, Microsoft’s service that allows Azure users to automate the creation, deployment, monitoring, and maintenance of their Azure resources.
Malicious code execution
The researchers found multiple ways to run the miner. The first required its own environment, and while that should have charged extra, a bug in the pricing calculator left the miner running for as much as $0 for a month. SafeBreach reported this to Microsoft, who later resolved the problem. No more free money there.
But then the researchers went one step further, to see if a miner could possibly work in the environment of others, and how.
They created a mining test job and set its status to “failed” (even though it wasn’t). Since only one test can run at a time, setting the status to “failed” allowed them to create a new test job, effectively hiding code execution within the Azure environment.
They also discovered that they could run code using an automation feature that allows users to upload custom Python packages. “We could create a malicious package called ‘pip’ and upload it to the Automation Account,” the researchers said The hacker news. “The upload flow would replace the current pip in the Automation account. Once our custom pip was saved in the Automation account, the service used it every time a package was uploaded.”
To demonstrate their findings, SafeBreach has created a proof-of-concept called CloudMiner, which exploits Azure Automation via the Python upload mechanism to gain free computing power. Microsoft apparently said this was a feature and not a bug, with the researchers adding that customers should “proactively monitor every single resource and every single action performed within their environment.”
While the test was intended to discover whether a “perfect” crypto miner exists, researchers appear more concerned that someone could abuse Azure Automation for more nefarious purposes, according to the publication. After all, this enables code execution on Azure.