Azure Misconfiguration Lets Attackers Take Over Cloud Infrastructure
A recent security analysis has revealed how a chain of misconfigurations in Microsoft Azure can allow attackers to gain complete control over an organization’s cloud infrastructure, from initial access to full tenant takeover.
The attack path, demonstrated using real-world tools and PowerShell scripts, highlights the urgent need for organizations to harden their Azure deployments and monitor for suspicious activity, according to a report by ITM8.
How the Attack Unfolds
The attack begins with an unauthenticated adversary performing reconnaissance. Using open-source tools like MicroBurst, attackers enumerate Azure subdomains and search for publicly exposed storage accounts.
In this case, a storage account named adsikkerhed was found with a container allowing public access to a CSV file containing Azure Active Directory (AAD) user credentials:
# Download the anonymously readable blob, then read the credentials it contains
Invoke-WebRequest "https://adsikkerhed.blob.core.windows.net/files/test.csv" -OutFile .\output\test.csv
Get-Content .\output\test.csv
With valid credentials in hand, the attacker checks for Multi-Factor Authentication (MFA) or Conditional Access policies that might block access. If none are present, the attacker uses the PowerShell Az module to authenticate:
$Credentials = Get-Credential
Connect-AzAccount -Credential $Credentials
Privilege Escalation and Lateral Movement
Once inside, the attacker enumerates Azure AD groups, searching for those with dynamic membership rules and privileged roles.

For example, a group named “AutomationAdmins” is configured to automatically include any user with “automationadmin” in their display name and is assigned the “Automation Contributor” role:
New-AzureADMSGroup -DisplayName "AutomationAdmins" -Description "This dynamic group will add any AAD user with 'automationadmin' in Display Name" -MailEnabled $False -MailNickName "AutomationAdmins" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule '(user.displayName -contains "automationadmin")' -MembershipRuleProcessingState "On"

The attacker creates a guest user that matches the membership rule, accepts the invitation, and gains the Automation Contributor role.
With this, they can dump runbooks from Automation Accounts, often finding hardcoded credentials for service principals with further privileges.
Abusing Managed Identities and Key Vaults
With access to a service principal assigned the “Virtual Machine Contributor” role, the attacker can interact with Azure VMs. They use the following script to extract managed identity tokens from a VM:
(Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' -Method GET -Headers @{Metadata="true"} -UseBasicParsing).Content
These tokens allow the attacker to impersonate the VM’s managed identity, granting access to secrets stored in Azure Key Vaults.
The attacker then discovers that the compromised user is the owner of an application whose service principal has “Storage Account Contributor” rights at the management group level.

By adding a new secret to this service principal, the attacker authenticates as it and gains access to sensitive storage, including cloud shell profile images used by privileged administrators.
By poisoning a cloud shell image and tricking a privileged user into loading it, the attacker executes a payload that grants themselves “Global Administrator” rights in Azure AD.

They then elevate to “User Access Administrator” on the Tenant Root Management Group, achieving total ownership of the Azure environment.
The attack chain can be detected and prevented by:
- Disabling anonymous public access on storage accounts and enforcing secure transfer with a minimum TLS version of 1.2
- Enabling Azure AD audit logs, sign-in logs, and Defender for Resource Manager
- Avoiding dynamic group membership for privileged roles
- Restricting guest user invitations
- Storing secrets securely and using managed identities for automation
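The two misconfigurations the chain starts from, an anonymously readable storage container and a dynamic group whose rule keys on a user-controllable attribute while holding an Azure RBAC role, can both be audited from PowerShell. The script below is an added defender-side example, not code from the ITM8 report; it assumes the Az.Accounts, Az.Resources, Az.Storage and Microsoft.Graph.Groups modules are installed and that Connect-AzAccount and Connect-MgGraph -Scopes 'Group.Read.All' have already been run.

```powershell
# Added audit example (not from the ITM8 report). Assumes an existing Az session
# and a Microsoft Graph session with Group.Read.All.

# 1. Dynamic groups whose membership rule references an attribute a guest or
#    self-service user can influence, and that also carry an RBAC assignment.
function Find-RiskyDynamicGroups {
    param([string[]]$RiskyAttributes = @('user.displayName', 'user.mail', 'user.userPrincipalName'))

    $groups = Get-MgGroup -All -Property Id,DisplayName,GroupTypes,MembershipRule |
        Where-Object { $_.GroupTypes -contains 'DynamicMembership' }

    foreach ($g in $groups) {
        $rule = $g.MembershipRule
        $matched = $RiskyAttributes | Where-Object { $rule -and $rule -match [regex]::Escape($_) }
        if (-not $matched) { continue }

        # Any role assigned to such a group is reachable by whoever can satisfy the rule.
        $assignments = Get-AzRoleAssignment -ObjectId $g.Id -ErrorAction SilentlyContinue
        foreach ($a in $assignments) {
            [pscustomobject]@{
                Group = $g.DisplayName
                Rule  = $rule
                Role  = $a.RoleDefinitionName
                Scope = $a.Scope
            }
        }
    }
}

# 2. Storage accounts that still permit anonymous blob access, with the
#    containers actually exposed and the account's minimum TLS setting.
function Find-PublicContainers {
    foreach ($sa in Get-AzStorageAccount) {
        # Only an explicit $false disables anonymous access; unset means allowed.
        if ($sa.AllowBlobPublicAccess -eq $false) { continue }
        Get-AzStorageContainer -Context $sa.Context -ErrorAction SilentlyContinue |
            Where-Object { $_.PublicAccess -and $_.PublicAccess -ne 'Off' } |
            ForEach-Object {
                [pscustomobject]@{
                    StorageAccount = $sa.StorageAccountName
                    Container      = $_.Name
                    PublicAccess   = $_.PublicAccess
                    MinimumTls     = $sa.MinimumTlsVersion
                }
            }
    }
}

Find-RiskyDynamicGroups | Format-Table -AutoSize
Find-PublicContainers   | Format-Table -AutoSize
```

Get-AzRoleAssignment reports assignments visible from the current subscription context, so run it once per subscription (or pass -Scope for a management group) to cover the tenant.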
This attack path underscores the importance of secure configuration, least privilege, and vigilant monitoring in cloud environments.
Organizations must regularly review their Azure setups, apply best practices, and respond quickly to suspicious activity to prevent such full-scale compromises.