{"id":18458,"date":"2022-03-09T03:10:08","date_gmt":"2022-03-09T11:10:08","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/03\/09\/news-12191\/"},"modified":"2022-03-09T03:10:08","modified_gmt":"2022-03-09T11:10:08","slug":"news-12191","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/03\/09\/news-12191\/","title":{"rendered":"Azure AutoWarp brings automation headaches"},"content":{"rendered":"<p><strong>Credit to Author: Christopher Boyd| Date: Wed, 09 Mar 2022 10:19:48 +0000<\/strong><\/p>\n<p>Azure is Microsoft\u2019s cloud computing service providing a wide range of features for businesses worldwide. It\u2019s particularly popular for its virtual machines and IaaS (infrastructure as a service). One useful Azure feature is <a href=\"https:\/\/azure.microsoft.com\/en-in\/services\/automation\/#features\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Automation<\/a>, which has been around for some years now. Management tasks can be automated across multiple external systems. This is where the latest vulnerability tale begins.<\/p>\n<p>Researchers at Orca Security have <a href=\"https:\/\/orca.security\/resources\/blog\/autowarp-microsoft-azure-automation-service-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">discovered an issue<\/a> with Azure which they\u2019ve called \u201cAutoWarp\u201d. The issue allows attackers to grab authentication tokens and gain unauthorised access to accounts. 
As per the research itself, AutoWarp could mean \u201c&#8230;full control over resources and data belonging to the targeted account, depending on the permissions assigned by the customer\u201d.<\/p>\n<h2>How could this issue be used in an attack?<\/h2>\n<p>The flaw enables <a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/microsoft-fixes-critical-azure-bug-that-exposed-customer-data\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">interaction with servers managing sandboxes belonging to other entities<\/a>. The tokens\u2014used to confirm a user has the correct permissions to access Azure\u2014could be grabbed via automation jobs.<\/p>\n<p>Here\u2019s a <a href=\"https:\/\/msrc-blog.microsoft.com\/2022\/03\/07\/13943\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">description of what went down<\/a> from the Microsoft Security Response Center:<\/p>\n<blockquote class=\"wp-block-quote\">\n<p><em>An Azure automation job can acquire a Managed Identities token for access to Azure resources. The scope of the token\u2019s access is defined in Automation Account\u2019s Managed Identity. Due to the vulnerability, a user running an automation job in an Azure Sandbox could have acquired the Managed Identities tokens of other automation jobs, allowing access to resources within the Automation Account\u2019s Managed Identity.<\/em><\/p>\n<\/blockquote>\n<h2>A timeline of token disaster\u2026almost<\/h2>\n<p>This flaw was <a href=\"https:\/\/www.theregister.com\/2022\/03\/08\/azure_autowarp_flaw\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">reported to Microsoft<\/a> on December 6, 2021 and it was fixed by December 10. The researchers then went hunting for other similar attacks. The good news is, they don\u2019t appear to have found any. Not only that, but it also seems there\u2019s no evidence of this having been exploited out in the wild. 
<\/p>\n<p>As the Orca blog points out, you may well have been vulnerable to this problem before Microsoft fixed it if you used the Automation service and the related managed identity function was enabled by default. Even so: no examples of exploitation in the wild. That\u2019s as good an end result as we can possibly hope for, given how many organisations may have been running with default configurations.<\/p>\n<h2>Why Azure is an appealing target for attackers<\/h2>\n<p>Anything cloud based is always going to be a hot target for people up to no good. Depending on the setup, attackers may be able to impact multiple people and companies all in one go. Exfiltration, ransomware, and blackmail all go well alongside vulnerable cloud services. This is why flaws like the above are taken so seriously.<\/p>\n<p>Whether we\u2019re talking about OMIGOD <a href=\"https:\/\/www.datacenterknowledge.com\/security\/omigod-vulnerability-exposes-virtual-machines-running-inside-azure\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">exposing virtual machines<\/a>, the <a href=\"https:\/\/www.cpomagazine.com\/cyber-security\/mirai-botnet-trojans-actively-exploiting-microsoft-azure-vulnerability-and-locking-other-hackers-out\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Mirai botnet<\/a>, <a href=\"https:\/\/arstechnica.com\/information-technology\/2021\/09\/poc-exploit-released-for-azure-ad-brute-force-bug-heres-what-to-do\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">brute forcing<\/a>, or <a href=\"https:\/\/www.theregister.com\/2021\/12\/24\/azure_app_service_not_legit_source_code_leak\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">four-year-long<\/a> source code leak bugs, the cloud space has been affected by many issues. Organisations place a lot of trust in cloud services, and they expect secure platforms and data that&#8217;s kept safe from prying eyes and sticky fingers.<\/p>\n<p>You can\u2019t guarantee something is 100% foolproof. 
Even so, the above is a great example of getting an issue resolved in a very short timeframe. We can only hope to see more of this the next time a cloud-based service runs into trouble.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/exploits\/2022\/03\/azure-autowarp-brings-automation-headaches\/\">Azure AutoWarp brings automation headaches<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/exploits\/2022\/03\/azure-autowarp-brings-automation-headaches\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Christopher Boyd| Date: Wed, 09 Mar 2022 10:19:48 +0000<\/strong><\/p>\n<p>An automation issue with Azure services could lead to compromised managed identity tokens.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/exploits\/2022\/03\/azure-autowarp-brings-automation-headaches\/\">Azure AutoWarp brings automation headaches<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[6148,25268,13617,11728,10987,10516,12046],"class_list":["post-18458","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-automation","tag-autowarp","tag-azure","tag-cloud","tag-exploits","tag-microsoft","tag-server"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18458","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18458"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18458\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18458"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18458"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18458"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}