Cybersecurity researchers have introduced the world to the first fully undetectable cloud-based cryptocurrency miner, one that operates seamlessly within the Microsoft Azure Automation service without incurring any costs.
The cybersecurity experts at SafeBreach have unveiled this groundbreaking discovery and revealed three distinct methods by which this miner can be executed. Most notably, one of these methods can be deployed discreetly within a victim’s environment, escaping any suspicion.
In the words of security researcher Ariel Gamrian, “While this research holds immense significance for the world of cryptocurrency mining, it also carries profound implications for other domains. The techniques unveiled here have the potential to be harnessed for any task requiring code execution on Azure.”
The primary goal of this study was to uncover the “ultimate crypto miner,” one that could tap into unlimited computational resources, demand minimal maintenance, incur no costs, and remain entirely undetectable.
Enter Azure Automation, a cloud-based automation service crafted by Microsoft, designed to empower users in automating the creation, deployment, monitoring, and upkeep of resources within Azure.
SafeBreach’s investigation unearthed a flaw in the Azure pricing calculator, enabling the execution of an infinite number of tasks without incurring any charges, albeit confined to the attacker’s environment. Microsoft has since addressed and rectified this issue.
Another ingenious method involves the creation of a test job for mining, marking it as “Failed,” and then generating another dummy test job, capitalizing on the limitation that only one test can run concurrently. The result? Complete concealment of code execution within the Azure environment.
A malicious actor could leverage these methods to establish a reverse shell towards an external server and authenticate with the Automation endpoint to accomplish their objectives.
Furthermore, the researchers discovered that code execution could be achieved by exploiting Azure Automation’s feature, allowing users to upload custom Python packages. As Gamrian explained, “We could create a malicious package named ‘pip’ and upload it to the Automation Account. The upload flow would replace the current pip in the Automation account, and the service would use it for every subsequent package upload.”
SafeBreach has even provided a proof-of-concept called CoinMiner, aimed at harnessing free computing power within Azure Automation by exploiting the Python package upload mechanism.
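A defender-side check for the package-upload technique described above, added here as an illustration and not part of SafeBreach's CoinMiner or the original article: it scans Azure Activity Log records for custom Python package uploads whose name would shadow the service's own tooling. The log records are constructed, the `operationName` strings assume the usual ARM `<resourceType>/write` convention for `python2Packages`/`python3Packages`, and only "pip" comes from the research; the other shadow names are an assumption.

```python
import json
import re

# Names whose upload would shadow tooling the service itself runs.
# Only "pip" appears in the research; the rest are an assumption.
SHADOW_NAMES = {"pip", "setuptools", "wheel"}

# Assumed operationName for a package upload, following the usual
# ARM "<resourceType>/write" convention (python2Packages / python3Packages).
PACKAGE_WRITE = re.compile(
    r"^microsoft\.automation/automationaccounts/python[23]packages/write$",
    re.IGNORECASE,
)

# Constructed activity-log records (one JSON object per line), not real tenant data.
SAMPLE_LOG = [
    '{"operationName": "Microsoft.Automation/automationAccounts/python3Packages/write",'
    ' "status": "Succeeded", "caller": "dev@example.test",'
    ' "resourceId": "/subscriptions/0000/resourceGroups/rg/providers/'
    'Microsoft.Automation/automationAccounts/acct1/python3Packages/requests"}',
    '{"operationName": "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/PYTHON3PACKAGES/WRITE",'
    ' "status": "Succeeded", "caller": "svc-deploy@example.test",'
    ' "resourceId": "/subscriptions/0000/resourceGroups/rg/providers/'
    'Microsoft.Automation/automationAccounts/acct1/python3Packages/pip"}',
    '{"operationName": "Microsoft.Automation/automationAccounts/runbooks/write",'
    ' "status": "Succeeded", "caller": "dev@example.test",'
    ' "resourceId": "/subscriptions/0000/resourceGroups/rg/providers/'
    'Microsoft.Automation/automationAccounts/acct1/runbooks/pip"}',
]

def package_name(resource_id):
    """The package is the last segment of the package resource id."""
    return resource_id.rstrip("/").rsplit("/", 1)[-1]

def suspicious_uploads(lines):
    """Return (caller, account, package, status) for uploads of shadowing names."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        if not PACKAGE_WRITE.match(rec.get("operationName", "")):
            continue  # a runbook named "pip" is not a package upload; skip it
        rid = rec.get("resourceId", "")
        pkg = package_name(rid)
        if pkg.lower() in SHADOW_NAMES:
            account = rid.split("/automationAccounts/")[1].split("/")[0]
            hits.append((rec.get("caller"), account, pkg, rec.get("status")))
    return hits

if __name__ == "__main__":
    for hit in suspicious_uploads(SAMPLE_LOG):
        print("ALERT shadowing package upload:", hit)
```

Failed uploads are reported as well as successful ones, since an attempt to replace pip is itself worth an alert.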
In response to these revelations, Microsoft has characterised this behaviour as “by design,” implying that this method remains exploitable without incurring charges.
Although the research primarily centres around the misuse of Azure Automation for cryptocurrency mining, the cybersecurity firm has warned that threat actors could repurpose these techniques to accomplish any task requiring code execution on Azure.
Gamrian concluded, “As customers of cloud providers, organisations must vigilantly monitor every resource and action within their environment. We strongly advise organisations to educate themselves about the methods and flows malicious actors might employ to create undetectable resources and proactively monitor for code execution indicative of such behaviour.”