Researchers Uncover Undetectable Crypto Mining Technique on Azure Automation

November 8, 2023 | Newsroom | Cloud Security / Cryptocurrency

Cybersecurity researchers have developed what they describe as the first completely undetectable cloud-based cryptocurrency miner, one that leverages the Microsoft Azure Automation service without incurring any charges.

Cybersecurity company SafeBreach said it discovered three different methods of running the miner, including one that can run in the victim's environment without attracting attention.

"While this research is important because of its potential impact on cryptocurrency mining, we also believe it has serious implications for other areas, as the techniques could be used to accomplish any task that requires running code in Azure," security researcher Ariel Gamrian said in a report shared with The Hacker News.

The study primarily set out to identify an "ultimate cryptominer" that offers unlimited access to computational resources while requiring little to no maintenance, costing nothing, and remaining undetectable.

That's where Azure Automation comes into play. Developed by Microsoft, it is a cloud-based automation service that allows users to automate the creation, deployment, monitoring, and maintenance of resources in Azure.

SafeBreach said it found a bug in the Azure pricing calculator that allowed an unlimited number of jobs to be executed completely free of charge, although this applies only to the attacker's own environment. Microsoft has since released a fix for the issue.

An alternative method involves creating a test job for mining, setting its status to "Error", and then creating another dummy test job, taking advantage of the fact that only one test job can run at a time.

The end result of this flow is that it completely hides code execution within the Azure environment.

A threat actor could leverage these methods by establishing a reverse shell to an external server and authenticating to the automation endpoint to achieve their goals.

Additionally, it was discovered that code execution could be achieved by leveraging the Azure Automation feature that allows users to upload custom Python packages.

"We could create a malicious package called 'pip' and upload it to the automation account," Gamrian explained.

"The upload flow would replace the current pip in the Automation account. After saving our custom pip to the Automation account, the service used it every time a package was uploaded."

SafeBreach has also made available a proof of concept called CoinMiner which is designed to get free computing power within the Azure Automation service using the Python package upload mechanism.

Microsoft, in response to the findings, has characterized the behavior as "by design," meaning the method can still be used without incurring charges.

While the scope of the investigation is limited to the abuse of Azure Automation for cryptocurrency mining, the cybersecurity firm warned that threat actors could reuse the same techniques to accomplish any task that requires code execution in Azure.

"As cloud provider customers, individual organizations must proactively monitor every resource and action taken within their environment," Gamrian said.

"We strongly recommend that organizations educate themselves on the methods and flows that malicious actors can use to create undetectable resources and proactively monitor the execution of code indicative of such behavior."
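As an added illustration of the monitoring Gamrian recommends (example code, not from SafeBreach or the report): a small detector over Azure Activity Log records that flags a Python package written to an Automation account under a name that shadows core tooling, such as the "pip" collision the research describes. The operation names and record layout are assumed from the ARM resource type, and the log lines are constructed.

```python
import json
from typing import Iterable

# ARM operations assumed to appear in the Azure Activity Log when a Python
# package is created or replaced in an Automation account (derived from the
# resource type Microsoft.Automation/automationAccounts/python3Packages).
PACKAGE_WRITE_OPS = {
    "microsoft.automation/automationaccounts/python3packages/write",
    "microsoft.automation/automationaccounts/python2packages/write",
}
# Package names that would shadow the tooling the service itself relies on;
# the research describes a custom package named "pip" replacing the account's pip.
SHADOWED_TOOLS = {"pip", "setuptools", "wheel"}


def package_name_from_resource_id(resource_id: str) -> str:
    """Last path segment of .../python3Packages/<name>, lower-cased."""
    return resource_id.rstrip("/").rsplit("/", 1)[-1].lower()


def flag_package_writes(records: Iterable[dict]) -> list[dict]:
    """Return one finding per package write whose name shadows core tooling."""
    findings = []
    for rec in records:
        op = rec.get("operationName", {}).get("value", "").lower()
        if op not in PACKAGE_WRITE_OPS:
            continue
        resource_id = rec.get("resourceId", "")
        name = package_name_from_resource_id(resource_id)
        if name in SHADOWED_TOOLS:
            account = resource_id.split("/automationAccounts/")[1].split("/")[0]
            findings.append({
                "time": rec.get("eventTimestamp"),
                "caller": rec.get("caller"),
                "account": account,
                "package": name,
            })
    return findings


# Constructed sample Activity Log records, one JSON object per line (not real data).
SAMPLE_LOG = """
{"eventTimestamp": "2023-11-08T10:00:00Z", "caller": "dev@example.com", "operationName": {"value": "Microsoft.Automation/automationAccounts/python3Packages/write"}, "resourceId": "/subscriptions/SUB/resourceGroups/rg1/providers/Microsoft.Automation/automationAccounts/acct1/python3Packages/requests"}
{"eventTimestamp": "2023-11-08T10:05:00Z", "caller": "svc@example.com", "operationName": {"value": "Microsoft.Automation/automationAccounts/python3Packages/write"}, "resourceId": "/subscriptions/SUB/resourceGroups/rg1/providers/Microsoft.Automation/automationAccounts/acct1/python3Packages/pip"}
{"eventTimestamp": "2023-11-08T10:06:00Z", "caller": "svc@example.com", "operationName": {"value": "Microsoft.Automation/automationAccounts/runbooks/write"}, "resourceId": "/subscriptions/SUB/resourceGroups/rg1/providers/Microsoft.Automation/automationAccounts/acct1/runbooks/rb1"}
"""


def load_records(text: str) -> list[dict]:
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


if __name__ == "__main__":
    for finding in flag_package_writes(load_records(SAMPLE_LOG)):
        print(finding)
```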
