Cybersecurity researchers have made a significant breakthrough by uncovering a fully undetectable cloud-based cryptocurrency mining technique that leverages Microsoft Azure Automation without incurring any costs. The cybersecurity company SafeBreach unveiled three distinct methods for executing this miner, including one that could operate within a victim’s environment without raising any suspicion.
While the primary objective of the study was to identify the “ultimate crypto miner” with unlimited access to computational resources, minimal maintenance, cost-free operation, and complete stealth, the implications of this discovery extend beyond cryptocurrency mining. Security researcher Ariel Gamrian highlighted that these techniques could be adapted for any task requiring code execution on Azure.
Furthermore, Microsoft’s Azure Automation service played a central role in this revelation, serving as the platform where the undetectable mining techniques were deployed. SafeBreach identified a bug in the Azure pricing calculator that allowed for unlimited job execution within the attacker’s environment, though this issue has since been addressed by Microsoft.
Another method involved creating a test job for mining, marking it as “Failed,” and then initiating a dummy test job, concealing code execution within the Azure environment. Threat actors could exploit these methods by establishing a reverse shell to an external server and authenticating to the Automation endpoint to achieve their objectives. Additionally, the researchers discovered that code execution could be achieved by uploading custom Python packages, demonstrating the versatility of the attack.
To illustrate their findings, SafeBreach introduced a proof-of-concept called CoinMiner, designed to harness free computing power within Azure Automation through the upload mechanism of Python packages. Microsoft’s response to the disclosures characterized the behavior as “by design,” implying that this method can still be exploited without incurring charges. While the research primarily focused on the abuse of Azure Automation for cryptocurrency mining, SafeBreach issued a warning that these techniques could be adapted by threat actors for various tasks that demand code execution within the Azure environment. The cybersecurity firm emphasized the need for organizations to proactively monitor their resources and actions to thwart undetectable resource creation and covert code execution.
Reference:
