A first has happened in the cloud world — and security researchers have moved quickly to warn the community.
Microsoft on Wednesday issued an advisory that publicly thanked the Unit 42 team at Palo Alto Networks for finding the first known vulnerability that could potentially let an attacker go from one customer’s environment on a public cloud service to another customer’s environment on the same service and launch a cyberattack.
Dubbed Azurescape in a Unit 42 blog today, the Palo Alto researchers said this first-ever cross-account takeover was called Azurescape because the attack started from a container escape, a technique that lets attackers run privilege escalation out of container environments.
According to Unit 42 researchers, Microsoft took swift action to fix the underlying issues as soon as Unit 42 reported them to the Microsoft Security Response Center (MSRC). Unit 42 said that while it is not aware of any Azurescape attacks in the wild, it’s possible that an attacker using the Azure Container Instances (ACI) platform could have exploited the vulnerability to execute code on the containers of other customers without any prior access to their environment.
Security researchers at Unit 42 raised the flag of concern because Azurescape lets ACI users gain administrative privileges over an entire cluster of containers. From there, an attacker could take over any number of clusters to execute malicious code, steal data or sabotage the underlying infrastructure of other customers. Unit 42 said it’s also possible that the attacker could gain complete control over Azure’s servers that host containers of other customers, accessing all data and secrets stored in those environments.
"Palo Alto Networks has collaborated closely with Microsoft since earlier in the year when Unit 42 researcher Yuval Avrahami first uncovered this vulnerability,” said Ariel Zelivansky, a leader of the Unit 42 cloud research team in a statement to SC Media. “We partnered on a coordinated responsible disclosure process, which included publication of blogs by both companies. We're pleased to see that Microsoft awarded Yuval two bug bounties for his work on Azurescape."
Azurescape demonstrates how the move to the cloud has led to the evolution of attack techniques by adversaries — in this instance, leveraging traditional virtualization escaping attacks on a managed cloud environment, said Ofer Maor, CTO at Mitiga. Maor views Azurescape as inherently tied to the way the cloud has been built: While it offers new technology capabilities, it leverages existing technology — containers — and therefore is now vulnerable to similar types of security incidents.
“Since the economic value of assets in the cloud is increasing rapidly, we expect these types of cloud attack techniques to increase significantly,” Maor said.
“In the past, security teams were able to take advantage of compensating controls to respond to incidents,” Maor said. “These controls aren’t available in the cloud, leaving security teams with new challenges in the face of evolving threats. Proactively hunting for threats and putting a plan in place for how to respond to vulnerabilities and related attacks when they inevitably happen can help every security practice.”
Douglas Murray, CEO at Valtix, said the Azurescape discovery demonstrate that the already difficult task of security has proven to be quite different in the cloud. Murray said zero-day vulnerabilities will continue to occur and the shared responsibility model of the public cloud providers often complicates remediation.
“In the end, the lesson learned is that same lesson we’ve known for many years — we need defense-in-depth,” Murray said. “While there are many tools that can help, the network is still common ground — every app touches it. Organizations need to secure ingress, egress and east-west network traffic to/from/between their cloud apps. It’s essential that organizations ensure that every application and cloud service has the necessary security controls to prevent data exfiltration or detect other malicious activity through network threat prevention.”
Josh Angell, managing consultant at nVisium, added that since it’s actually based on a two-year-old vulnerability with a patch, he considers Azurescape a lesson learned in the importance of updating services and libraries to ensure they’re running the latest versions with all of the security patches in those services. Angell said it’s imperative for security teams to ensure they update their services and libraries — which was done quickly once this issue became known.
“It’s a well-known tactic that attackers most often identify older versions of services and libraries to research vulnerabilities within those outdated services, making it easier to gain a foothold into the system,” Angell said. “While the situation may be unprecedented, it’s not unprecedented to gain a foothold into a cluster in this manner given it’s a vulnerability that’s existed for over two years.
Chuck Everette, director of cybersecurity advocacy at Deep Instinct, added that while he views the discovery of this vulnerability as very unfortunate, it’s not entirely unexpected. With the current trend of organizations embracing digital transformation and the rapid migration to the cloud, Everette said these types of vulnerabilities will continue to be discovered and possibly exploited by cybercriminals.
“This zero-day vulnerability is a bit unique because of the way threat actors can jump from one cloud environment to another with administrative access,” Everette said. “It means that cloud customers might have adequate defenses in place, but attackers could bypass them due to the cross-account tactics that could be exploited via this vulnerability.”