The document outlines seven key cyberattack methods targeting Microsoft Azure, highlighting the importance of understanding these threats for decision makers and IT professionals. It details various attack strategies such as privilege escalation, ransomware, and phishing, along with their countermeasures. The author emphasizes the necessity of strong security practices, including the use of Azure policies and a zero trust approach to mitigate risks in cloud environments.

1. 7 Dangerous Ways To
Cyberattack Azure
By Abdul khan

2. Author
• Abdul Khan
• IT Consultant based in Manchester, UK
• Engineering Lead, Executive, Technologist, Architect
• IT experience, within the private and public sectors (Retail, Banking, Digital, Insurance, M.O.D., HMRC, Aviation, Telecommunication,
Housing Associations, Education, Travel, and Pharmaceutical companies). Excellent architectural and strong DevOps experience with
proven-track record of delivering E2E, B2B and B2C solution on regional and global programs.
• SME in specializing in providing integration, data migration, digital transformations to the cloud solutions (Azure and AWS)
• Wealth of experience in global projects across EMEA, ASPAC and LATAM
• Liked in profile https://www.linkedin.com/in/abdul-khan-uk/

3. Accreditations
Thank you to my brother, good friends and colleagues for reviewing, adding value, sharing their vast experience
and knowledge.
• Samad Khan (IT Manager), specialising in enterprise solution in finance and wealth Management
• Steve Lampton (IT Consultant, Cloud SME) specialising in NetOps, DevOps and SecOps

4. Audience
Main Audience
• The top cyberthreats may find a wider group of potential stakeholders who are interested in
understanding the threat landscape in general or deepen their understanding to cover particular
threats.
• This document for decision makers, security architects, risk managers, auditors and end-users
who wish to be informed about the where-about of various cyberthreats may find this material
useful.
Assumptions
• Reader has some knowledge of cloud platforms technologies.

5. Content
1.0 Think Like A Hacker
1.1 Introduction
1.2 Hacker Perspective
1.3 The Top Most Dangerous Cyberattacks
1.4 Account Storage – Architecture
1.5 Account Storage – Storage Stamp
3.0 Final Thoughts
3.1 Considerations & Best Practices
2.0 Cyberattacks and Countermeasures
2.1 Attack01 – Access using account keys
2.2 Attack02 – Ransomware attack and encryption
2.3 Attack03 – Attack VMs and Disks
2.4 Attack04 – Storage Tampering attack
2.5 Attack05 – A Phishing attack
2.6 Attack06 – Attack to Blob and resource using anonymous access
2.7 Attack07 – Attacks To The Public and Private IP Addresses in Azure

6. 1.0 Think Like
A Hacker…

7. “everything and anything is hackable and vulnerable in some ways”

8. 1.1 Introduction
• Microsoft Azure offers many types of tool and technology to manage and handle threats and
security. This can be from the classical firewall, encryption, network security group, MOMS,
Security Centre, Audit Logging, GDPR and much more.
• To identify the most important risks and threats and how to manage them we need to choose the
right platform that provides the best features and tools.
• In Cloud, any resources can be linked with security or related to hacking and should be assessed
for vulnerabilities. Therefore, few basic questions that should always be asked :-
• Is the functionality secure or vulnerable?
• If yes, how can it be exploited and how much damage could it cause?

9. 1.2 Hacker Perspective (1/2)
• From a hacker perspective, a DNS provides very important data, this includes :
• The Account name is extremely important because it is used by Azure to locate the
primary storage cluster and the datacentre where the storage is located, all the
requests for this account are directed to this location, an application can use a
different account for different locations.
• The Partition name identifies the storage node of the cluster and it is used to scale-
out access to the data, the ObjectName is the specific object in the partition, the
transactions are atomic and managed across the different objects inside the same
PartitionName.

10. 1.2 Hacker Perspective (2/2)
• The Account Storage architecture has been organized to provide the maximum
capacity and scaling, the let see the most important components and how it works.
• The Storage Stamp is a cluster of N racks of storage nodes, and each rack is a
separate fault domain, the challenge is to maintain the storage provisioned in
production as highly utilized as possible if a rack reach lower then 70% the account is
migrated in another rack
• The Location Service manages the account namespace across all stamps and all the
storage stamps, it is also responsible for disaster recovery and load balancing, the LS
updates the DNS and allow the requests from the name
https://AccountName.service.core.windows.net to that storage stamp’s virtual IP
(VIP, an IP address the storage stamp exposes for external traffic).

11. 1.3 The Top Most Dangerous Cyberattacks (1/2)
• There are three most essential areas in Microsoft Azure, RBAC, Storage and
Networking, everything in Azure depends on these three main pillars, and
considering these areas. The 3 topmost dangerous cyberattacks, below the TOP
Parade:
• Privilege escalation to Azure PIM and the Global Admin Account;
• Ransomware Attack;
• Attack to the public and private IP addresses;
• All these attacks are extremely dangerous and effective. However, the privilege
escalation is the most dangerous because it can escalate a top-level, which
means no more control in the entire cloud and company.
• Internal attacks are much more dangerous and effective than the externals, and
companies often underestimate that. Cloud is more secure than on-premise, we
can rely on a much more solid infrastructure but we know cloud has weaknesses.

12. 1.3 The Top Most Dangerous Cyberattacks (2/2)
• RBAC is used to provide access to the storage account to a specific user. Hacker use this
approach to obtain access storage accounts. This is a classic method used to manage
the storage account by people through the Azure Portal.
• There are 3 major areas of Azure, also these are the weak points, most critical and
vulnerable areas for hackers to exploit, they are:-
• Authentication and Authorization (Azure AD and RBAC),
• Microsoft Azure Storage
• Networks(Azure Infrastructure).

13. 1.4 Account Storage - Architecture
Access Blobs, Tables
and Queues for
Accounts
Location Service
DNS
Front-Ends
Stream Layers
Stream Layers
Intra-Stamp
Replication
Storage Stamp
VIP
Front-Ends
Stream Layers
Stream Layers
Intra-Stamp
Replication
Storage Stamp
VIP
Account Management
Inter-Stamp
Replication
https://AccountName.service.core.windows.net

14. 1.5 Account Storage - Storage Stamps
• The three layers in the Storage Stamps:
• Stream Layer is like a distributed file system layer within the stamps, it understands
files, called streams, and it manages how to store, replicate them and more but it
doesn’t have any clue about the data or the semantics.
• The Partition Layers manages and understands the high data abstraction layer (Blob,
Table, Queues, and Files), caching objects, and storing objects on top of the
streaming.
• The Front-End layer manages the authentication and authorizations for the account
though SAS token or Access Key, and it governs the relations between account and
partitions.

15. 2.0 Cyberattacks and
Countermeasures

16. 2.1 Attack01 – Access Using Account Keys
Attack
• Developers use account keys everywhere, they send by email, they write in the code and often they take
notes in files and there are different techniques to use.
• Google Dorks are used by a hacker to collect any type of information on the internet, it is a very powerful
technique, especially if used is a smart way
• The query will search in all Google database for any file indexed of type config, containing the world
accountkey in the web sites githup.com and sourceforge.net
• The githup is not a typo, google may filter some query types, using this technique you can evade them.
Countermeasures
• Create Azure policy to block any unauthorize key vault creation (use a dedicated AD group/user)
• Set less permission privilege to the Key Vault, monitor any access and notify by email any change
• Store any sensitive information in Key Vaults and force developers on using this practice.
• Execute automation source code scanning with Azure DevOps

17. 2.2 Attack02 – Ransomware Attack And Encryption
Attack
• Azure encrypts any data in the storage account, key requirement for certifications ISO 27001, ISO 9001,
GDPR and others. But Is there a real risk of a ransomware attack in the cloud?, Answer is Yes. So what can a
hacker do? Answer, there is real potentially the entire storage account, all virtual machines, and disks can be
encrypt.
• A hacker could achieve a privilege escalation attack to the cloud or find the account keys and access to the
storage account. If this is achieved, then a hacker has different choices, One quick and very dangerous attack
is on the encryption keys, an attacker is able to encrypt the entire storage account. Azure uses two
mechanisms to encrypt the data:
• one using the internal encryption key;
• and the second is using an arbitrary key created by the customer.
• Attack simulation to the encryption keys, Hacker only required a basic knowledge of Storage Account and
Key Vault, a hacker can :-
• To execute a privilege escalation attack to Azure, (contributor access to the resource group re required)
• The attacker now will delete the key from the key vault, enter the key vault and delete the key.

18. 2.2 Attack02 – Ransomware Attack And Encryption
Countermeasures
• The best option is using policies and blocks any unauthorized usage, especially creation.
• Create Azure policy to block any unauthorize key vault creation (use a dedicated AD
group/user)
• Set less permission privilege to the Key Vault, monitor any access and notify by email any
change
• Use Multi-Factor Authentication in any sensitive location of the company.

19. 2.3 Attack03 – Attack VMs and Disks
Attack
• Another option is encrypting the content of the storage account, for example, all disks,
this is a procedure that we can achieve using Powershell and remotely
Countermeasures
• Create Azure policy to block any unauthorize encrypting operation (use a dedicated AD
group/user)
• Set less permission privilege to the resources
• Use Multi-Factor Authentication in any sensitive location of the company.

20. 2.4 Attack04 – Storage Tampering attack
Attack
• This is an extremely effective and dangerous attack, the hacker found the storage
account keys and will execute a scan in the account, below an example to list Blobs using
Azure CLI :
• The attacker has now a clear idea about the content and they may will inject in the
storage account-specific malicious content. The hacker could upload malicious scripts,
PDF files tampered and more.
• Developers and IT administrators use the queues to execute specific infrastructure tasks
and execution following a specific FIFO order, the hacker could inject messages in the
queue and execute arbitrary code and script.
• This Azure storage tampering is usually used in conjunction with the phishing attack.

21. 2.4 Attack04 – Storage Tampering attack
Countermeasures
• The prevention is the best countermeasure, we must prevent access to the resource.
• Create Azure policy to block any unauthorized usage (use a dedicated AD group/user)
• Set less permission privilege to the storage account and to the specific resource, monitor
any access and notify by email any change
• Refer to Attack01 regarding the protection of the keys
• Use Multi-Factor Authentication in any sensitive location of the company.

22. 2.5 Attack05 – A Phishing attack
Attack
• This is a very used attack because able to be combined in many different combinations, the concept is very
simple.
• trusted web site, the attacker can send email using this URL without being intercepted or blocked, and it
looks a legitimate URL. The hacker can simulate an internal communication and an employee could click on
the URL and open a malicious file hosted in the blob.
• This is a very simple example, in the future we will examine some nasty phishing attacks using a blob storage
account.
Countermeasures
• Robust email security solutions are actually the best option, also filtering any email containing the
windows.net domain.
• Educate employees about recognizing different types of phishing attacks and avoid clicking any link.
• Use multi security layers, scanning email, antivirus and use the red team to test malicious attack.
• Educate everybody in the companies, also the very top management.
• Use Multi-Factor Authentication in any sensitive location of the company.

23. 2.6 Attack06 – Attack To Blob And Resource Using
Anonymous Access
Attack
• We can set the reading access type of the container and blob as anonymous. We may need to use this
setting because we want to provide public access to our content, hackers use this setting for phishing
attacks.
• Black hats daily scan the public internet and they check the contents of these blobs by: -
• Option 1 – Using Shodan - Login with a free account to Shodan.io and use the search string
• Option 2 – Using scripting - This is the most productive and effective way to collect anonymous blob
storages, we can use any script type technique, the concept is quite simple.
• During an HTTP GET to request the anonymous blob storage responds in a different way from a private one,
this is the discriminant
• A program or script to created any possible combination of the account name and check for any possible
public blob on the internet. The procedure is a simple representation of what criminal companies do using
very high calculation power.
• The program used by these companies is specifically designed to check the content and they use Artificial
intelligence to quickly understand if the content can be something useful or not.

24. 2.6 Attack06 – Attack To Blob And Resource Using
Anonymous Access
Countermeasures
• Don’t publish any sensitive information in public storage.
Important Note
• The usage of public blobs can be a good honey trap, criminals will be focused on that specific area
of attack, you may also put false and misleading information.
• The honey trap is an interesting strategy and it can be extremely effective if well planned, we can
also make the criminal think what we want and discourage them from continuing any more
investigation to the company.

25. 2.7 Attack07 – Attacks To The Public and Private IP
Addresses In Azure
Attack
• A public IP is attacked by a hacker after the first five minutes of life on the internet, this is a standard procedure, these
people are criminal organizations looking for information to use against the company and employee. You can find public IP
exposed in Azure very easily. The entire Azure infrastructure can be scanned for ay public IP’s, open RDP ports with one
command : . By this hacker can download the entire Azure IP range by scanning the service,
these are all public information.
• Never underestimate the internal threats, if a hacker penetrates a VM, he will also have access to the internal network, at
least in the subnet, and if the VM is in the domain then the escalation of the damage is not measurable, it depends by the
Azure experience of the hacker.
Countermeasures
• Option 1 – The basic solution is avoid using public IP’s and if you really need then lock it and masquerade.
• Option 2 – Control the creation of new Public IP
• Option 3 – Use Azure Bastion
• Option 4 – Use VPN
• VPN is the best option and we avoid exposure to the internet however we still need to handle the private IPs because we
can face an internal attack.

26. 3.0 Final Thoughts

27. 3.1 Considerations & Best Practices
• Centralize the security control and access using a good subscription structure and firewalling appliance.
• Create a Base subscription, install ExpressRoute and firewalling and propagate the connectivity to the other
subscriptions, this will give you a lot of control.
• Use a proper segmentation of the network and organize your IP Schemas and VNet by Regions.
• Create Azure policies and force your network rules
• Use Zero trust approach and limit any access
• This presentation has highlights some of the most important and dangerous attacks to the Storage Account,
prevention is always the best practice and in order to achieve that we need to use Azure Policies.
• Azure Policies are the first line of defense, the first opportunity to stop the attack. This is what we need to
achieve, we need to stop the attack from the beginning and not in the during.
• the most dangerous attack always starts from the internal, we need to make our home secure from any risk.
• Don’t trust anybody, even yourself, if you are not sure about something, better ask and discuss it in the team.

28. - END OF DECK
By Abdul Khan – https://www.linkedin.com/in/abdul-khan-uk/