Hackers Waging 'Living Off the Land' Attacks on AzureMicrosoft Shares Threat Detection and Mitigation Strategies
Microsoft is warning users of its Azure cloud platform that hackers are using several "living off the land" attack techniques to evade security measures, escalate privileges and deploy cryptominers. The software giant released a threat detection and mitigation strategy for the platform.
Hackers are using Azure "LoLBins," which refers to weaponizing preinstalled Windows or Linux binary tools designed for legitimate purposes within the Azure platform.
"Attackers are increasingly employing stealthier methods to avoid detection. Evidence for a variety of campaigns has been witnessed," Microsoft notes. "The usage of LoLBins is frequently seen, mostly combined with fileless attacks, where attacker payloads surreptitiously persist within the memory of compromised processes and perform a wide range of malicious activities. Together with the use of legitimate LoLBins, attackers’ activities are more likely to remain undetected."
The alert comes as thousands of companies worldwide have been hacked as a result of exploits of unpatched vulnerabilities in Microsoft Exchange servers (see: List of Hacked Exchange Servers May Boost Recovery Efforts).
Microsoft says hackers are leveraging three Azure tools:
- Custom script extension: This feature is used to download and execute scripts on Azure Virtual Machines. This script is downloadable from Azure Storage, and Microsoft notes it has detected cases in which hackers are accessing the public GitHub repository to insert cryptominers into the script.
- VMAccess extension: This application is used for creating new administrator accounts, resetting the passwords in existing and built-in administrator accounts and resetting Remote Desktop Service configuration. Attackers are using the application to gain initial access to the Azure platform with elevated privileges and to evade detection.
- Anti-malware extension: This free real-time protection extension helps Azure to identify and remove viruses, spyware and other malicious software. Attackers are using this feature to disable the real-time protection before loading susceptible tools or to exclude infected files from being detected while malicious activities are underway.
Detection and Mitigation
Microsoft has introduced a new application for detecting anomalies in its Azure portal, Azure REST APIs, Azure CLI, or other Azure programmatic clients, the alert notes.
The company suggests that users should only permit limited access to Azure applications. "Least privilege principle is a fundamental concept in cloud environments," Microsoft says. "A least privilege model for the cloud relies on the ability to continuously adjust access controls. We recommend monitoring all access events and establish a decision-making framework that distinguishes between legitimate and excessive permissions."
Detecting LoLBin attack scenarios as described by Microsoft is not an easy task, says Dirk Schrader, global vice president of security research at security firm New Net Technologies.
Defenders should "rely on intense integrity monitoring," he says. "Monitor and detect changes not only to logs, but detect newly added files and accounts. And if you haven’t initiated that process yourself, be on alert. Make sure that your virtual machines are hardened and securely configured and that rights are granted with caution.”
Schrader notes that "'living off the land' attacks are treacherous as their disguise is the toolset already installed. ... Most detection mechanisms fail as they don’t see these kind of processes or applications as malicious, which allows the attacker to operate in stealth mode.”
Other Azure Risks
In the wake of the SolarWinds supply chain attack, the U.S. National Security Agency warned that threat actors can use compromised system administration accounts in the Microsoft Azure platform to assign credentials to cloud application services (see: NSA Warns of Hacking Tactics That Target Cloud Resources).
In September 2020, Microsoft removed 18 apps from the Azure cloud computing platform that a hacking group was using as part of its command-and-control infrastructure to help launch phishing attacks (see: Microsoft Shutters Azure Apps Used by China-Linked Hackers).