The cross-account takeover demonstrated by Azurescape represents a new attack vector against cloud services. Palo Alto Networks expects more vulnerabilities enabling cross-account takeover to be discovered, and named this one Azurescape because the breakout method was found in Microsoft’s Azure Container-as-a-Service (CaaS) platform.
IT security researcher Yuval Avrahami discovered the vulnerability and reported it to Microsoft, where it has now been fixed. He received two Bug Bounty Awards from Microsoft for discoveries related to Azurescape.
What companies need to know about Azurescape
Unit 42, the Palo Alto Networks Threat Intelligence team, identified the first known vulnerability that could allow a user of a public cloud service to break out of their environment and execute code in environments belonging to other users of the same public cloud service. This unprecedented cross-account takeover affected Microsoft’s Azure Container-as-a-Service (CaaS) platform. The researchers called the discovery “Azurescape” because the attack originated from a container escape – a technique that enables privilege escalation out of a container environment.
Microsoft acted quickly to address the underlying issues as soon as Unit 42 reported them to the Microsoft Security Response Center (MSRC). Unit 42 is not aware of any Azurescape attacks in the wild. However, it is possible that a malicious user of the Azure Container Instances (ACI) platform exploited the vulnerability to execute code on other customers’ containers without having had any prior access to those customers’ environments.
Azurescape enables an ACI user to obtain administrative rights for an entire container cluster. From there, the user could take over the affected multi-tenant clusters to execute malicious code, steal data, or sabotage other customers’ underlying infrastructure. The attacker could take complete control of Azure servers that host other customers’ containers and access all of the data and secrets stored in those environments.
What Azurescape Reveals About Cloud Security
Public clouds are based on a concept known as multitenancy. Cloud service providers build environments that house multiple enterprise customers (or “tenants”) on a single platform. They provide everyone with secure access while leveraging unprecedented economies of scale by building massive cloud infrastructures.
Although cloud providers invest heavily in securing these multi-tenant platforms, it has long been considered inevitable that unknown “zero day” vulnerabilities exist and could expose customers to attack from other entities within the same cloud infrastructure.
This discovery underscores the need for cloud users to take a “defense-in-depth” approach to securing their cloud infrastructure that includes continuous threat monitoring – inside and outside the cloud platform. Azurescape’s discovery also underscores the need for cloud service providers to provide adequate access to outside researchers to examine their environments in search of unknown threats.
Azurescape Questions and Answers
More details on how Unit 42 discovered Azurescape can be found in the full report on the Unit 42 blog “Finding Azurescape – Cross-Account Container Takeover in Azure Container Instances”. Here are a few quick facts about how Azurescape works and what to do if you’re concerned:
Am I affected?
Unit 42 is unaware that Azurescape has been exploited in the wild. It is possible that the vulnerability has existed since the introduction of ACI and thus some companies were affected. Azurescape also affected ACI containers on Azure Virtual Networks.
ACI is based on multi-tenant clusters that host customer containers. Originally these were Kubernetes clusters, but last year Microsoft started hosting ACI on Service Fabric clusters as well. Azurescape only affects ACI on Kubernetes. Unit 42 is not aware of any way to check whether a previous ACI container ran on Kubernetes.
If you have an existing container, you can run the following command to see if it’s running on Kubernetes:
az container exec -n
If the output starts with wk-caas and the container was operational before August 31, 2021, it could have been exposed to Azurescape.
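The check above can be turned into a small triage helper. The script below is an added example, not code from Unit 42 or Microsoft: it assumes the hostname is obtained by running `hostname` inside the container via `az container exec` (the full command, including the resource group and `--exec-command`, is assumed here since the page shows it truncated), and that the operator supplies each container's creation date from their own records as an ISO-8601 date. It applies both conditions from the text (hostname prefix `wk-caas` and operational before 2021-08-31) to a constructed inventory.

```shell
#!/bin/sh
# Added triage helper (not from the original article): flags ACI containers
# that match both exposure conditions given for Azurescape.
# Assumptions: hostname comes from `hostname` run inside the container,
# creation dates are ISO-8601 (YYYY-MM-DD, optionally with time).

FIX_DATE_NUM=20210831   # Microsoft's fix date from the article, as YYYYMMDD

# azurescape_exposure HOSTNAME CREATED_DATE
# Returns 0 (and prints POSSIBLY-EXPOSED) when the container ran on the
# Kubernetes-backed ACI clusters before the fix date; returns 1 otherwise.
azurescape_exposure() {
    hostname="$1"
    created="$2"
    case "$hostname" in
        wk-caas*) on_k8s=1 ;;   # wk-caas prefix = Kubernetes-hosted ACI
        *)        on_k8s=0 ;;   # anything else (e.g. Service Fabric) is not affected
    esac
    # Keep YYYY-MM-DD, drop the dashes, compare as an integer.
    created_num=$(printf '%s' "$created" | cut -c1-10 | tr -d '-')
    if [ "$on_k8s" -eq 1 ] && [ "$created_num" -lt "$FIX_DATE_NUM" ]; then
        echo "POSSIBLY-EXPOSED host=$hostname created=$created"
        return 0
    fi
    echo "NOT-AFFECTED host=$hostname created=$created"
    return 1
}

# fetch_hostname NAME RESOURCE_GROUP
# Assumed real-world collection step (not executed here): runs `hostname`
# inside a live container with the Azure CLI.
fetch_hostname() {
    az container exec -n "$1" -g "$2" --exec-command "hostname"
}

# triage_inventory
# Reads tab-separated lines "name<TAB>hostname<TAB>created" on stdin and
# prints the names of containers that could have been exposed.
triage_inventory() {
    tab=$(printf '\t')
    while IFS="$tab" read -r name host created; do
        if azurescape_exposure "$host" "$created" >/dev/null; then
            echo "$name"
        fi
    done
}

# Constructed sample inventory (hostnames and dates are made up for the example).
sample_inventory() {
    printf 'web-1\twk-caas-1a2b3c\t2021-05-10T08:00:00Z\n'
    printf 'batch-2\tsf-node-7\t2021-05-10\n'
    printf 'api-3\twk-caas-9f8e7d\t2021-09-02\n'
}

# Stand-alone run: prints "web-1" only.
sample_inventory | triage_inventory
```

Containers that are flagged should have any credentials they were given rotated and their access logs reviewed, as the next section describes; the script only narrows the list of containers worth that effort.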
What should I do if I think I am affected?
If you have provided privileged credentials on the platform, Unit 42 recommends rotating them and checking the access logs for suspicious activity. A cloud-based security platform like Prisma Cloud can make this type of activity visible and, if necessary, sound an alarm.
How do the attacks work?
Azurescape is a three-stage attack. First, the attacker has to break out of their ACI container. Second, they gain administrative privileges on a multi-tenant Kubernetes cluster. Third, they can take control of the affected containers by executing malicious code.
The research began with WhoC, a container image that reveals the underlying container runtime of cloud platforms. Through WhoC, the researchers discovered that it was possible to escape ACI containers using CVE-2019-5736, a two-year-old vulnerability in runC. The researchers were then able to identify two different methods to achieve code execution on the cluster’s brain, the API server.
With code execution on the API server, the researchers had complete control over the multi-tenant cluster. They could run code on customer containers, read customer secrets deployed to ACI, and possibly even abuse the platform’s infrastructure for cryptomining.
Are other vulnerabilities enabling cross-account takeover to be expected?
The rapid acceleration in the shift to the cloud in recent years has made these platforms a preferred target for malicious actors. While Palo Alto Networks has long been focused on identifying new cloud threats, the discovery of the first cross-account container takeover underscores the importance of these efforts. Sophisticated attackers may not be satisfied with targeting end users, but instead extend their campaigns to the platforms themselves to increase their impact and reach.
Can I prepare for similar vulnerabilities that may arise?
Cloud users should take a defense-in-depth approach to cloud security to ensure that security breaches are contained and detected, whether the threat is external or comes from the platform itself. A combination of shift-left security, runtime protection and anomaly detection offers the best chance of combating similar cross-account attacks.