#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

Microsoft Azure | Breaking Cybersecurity News | The Hacker News

Iran-Linked UNC1549 Hackers Target Middle East Aerospace & Defense Sectors

Iran-Linked UNC1549 Hackers Target Middle East Aerospace & Defense Sectors

Feb 28, 2024 Cyber Espionage / Malware
An Iran-nexus threat actor known as  UNC1549  has been attributed with medium confidence to a new set of attacks targeting aerospace, aviation, and defense industries in the Middle East, including Israel and the U.A.E. Other targets of the cyber espionage activity likely include Turkey, India, and Albania, Google-owned Mandiant said in a new analysis. UNC1549 is said to overlap with  Smoke Sandstorm  (previously Bohrium) and  Crimson Sandstorm  (previously Curium), the latter of which is an Islamic Revolutionary Guard Corps (IRGC) affiliated group also known as Imperial Kitten, TA456, Tortoiseshell, and Yellow Liderc. "This suspected UNC1549 activity has been active since at least June 2022 and is still ongoing as of February 2024," the company  said . "While regional in nature and focused mostly in the Middle East, the targeting includes entities operating worldwide." The attacks entail the use of Microsoft Azure cloud infrastructure for command-and-control (C2) and social engin
Researchers Uncover Undetectable Crypto Mining Technique on Azure Automation

Researchers Uncover Undetectable Crypto Mining Technique on Azure Automation

Nov 08, 2023 Cloud Security / Cryptocurrency
Cybersecurity researchers have developed what's the first fully undetectable cloud-based cryptocurrency miner leveraging the Microsoft  Azure Automation  service without racking up any charges. Cybersecurity company SafeBreach said it discovered three different methods to run the miner, including one that can be executed on a victim's environment without attracting any attention. "While this research is significant because of its potential impact on cryptocurrency mining, we also believe it has serious implications for other areas, as the techniques could be used to achieve any task that requires code execution on Azure," security researcher Ariel Gamrian  said  in a report shared with The Hacker News. The study mainly set out to identify an "ultimate crypto miner" that offers unlimited access to computational resources, while simultaneously requiring little-to-no maintenance, is cost-free, and undetectable. That's where Azure Automation comes in.
How to Find and Fix Risky Sharing in Google Drive

How to Find and Fix Risky Sharing in Google Drive

Mar 06, 2024Data Security / Cloud Security
Every Google Workspace administrator knows how quickly Google Drive becomes a messy sprawl of loosely shared confidential information. This isn't anyone's fault; it's inevitable as your productivity suite is purposefully designed to enable real-time collaboration – both internally and externally.  For Security & Risk Management teams, the untenable risk of any Google Drive footprint lies in the toxic combinations of sensitive data, excessive permissions, and improper sharing. However, it can be challenging to differentiate between typical business practices and potential risks without fully understanding the context and intent.  Material Security, a company renowned for its innovative method of protecting sensitive data within employee mailboxes, has recently launched  Data Protection for Google Drive  to safeguard the sprawl of confidential information scattered throughout Google Drive with a powerful discovery and remediation toolkit. How Material Security helps organ
Researchers Detail 8 Vulnerabilities in Azure HDInsight Analytics Service

Researchers Detail 8 Vulnerabilities in Azure HDInsight Analytics Service

Sep 13, 2023 Vulnerability / Data Security
More details have emerged about a set of now-patched cross-site scripting (XSS) flaws in the  Microsoft Azure HDInsight  open-source analytics service that could be weaponized by a threat actor to carry out malicious activities. "The identified vulnerabilities consisted of six stored XSS and two reflected XSS vulnerabilities, each of which could be exploited to perform unauthorized actions, varying from data access to session hijacking and delivering malicious payloads," Orca security researcher Lidor Ben Shitrit  said  in a report shared with The Hacker News. The issues were addressed by Microsoft as part of its  Patch Tuesday updates  for August 2023. The disclosure comes three months after similar shortcomings were reported in the  Azure Bastion and Azure Container Registry  that could have been exploited for unauthorized data access and modifications. The list of flaws is as follows - CVE-2023-35393  (CVSS score: 4.5) - Azure Apache Hive Spoofing Vulnerability CV
cyber security

Uncover Critical Gaps in 7 Core Areas of Your Cybersecurity Program

websiteArmor PointCyber Security / Assessment
Turn potential vulnerabilities into strengths. Start evaluating your defenses today. Download the Checklist.
Experts Uncover How Cybercriminals Could Exploit Microsoft Entra ID for Elevated Privilege

Experts Uncover How Cybercriminals Could Exploit Microsoft Entra ID for Elevated Privilege

Aug 28, 2023 Vulnerability / Active Directory
Cybersecurity researchers have discovered a case of privilege escalation associated with a Microsoft Entra ID (formerly Azure Active Directory) application by taking advantage of an abandoned reply URL. "An attacker could leverage this abandoned URL to redirect authorization codes to themselves, exchanging the ill-gotten authorization codes for access tokens," Secureworks Counter Threat Unit (CTU)  said  in a technical report published last week. "The threat actor could then call Power Platform API via a middle-tier service and obtain elevated privileges." Following responsible disclosure on April 5, 2023, the issue was addressed by Microsoft via an update released a day later. Secureworks has also made available an  open-source tool  that other organizations can use to scan for abandoned reply URLs. Reply URL , also called redirect URI, refers to the location where the authorization server sends the user once the app has been successfully authorized and grant
TeamTNT's Cloud Credential Stealing Campaign Now Targets Azure and Google Cloud

TeamTNT's Cloud Credential Stealing Campaign Now Targets Azure and Google Cloud

Jul 14, 2023 Cyber Threat / Cloud Security
A malicious actor has been linked to a cloud credential stealing campaign in June 2023 that's focused on Azure and Google Cloud Platform (GCP) services, marking the adversary's expansion in targeting beyond Amazon Web Services (AWS). The findings come from  SentinelOne  and  Permiso , which said the "campaigns share similarity with tools attributed to the notorious TeamTNT cryptojacking crew," although it emphasized that "attribution remains challenging with script-based tools." They also overlap with an ongoing TeamTNT campaign  disclosed  by Aqua called Silentbob that leverages misconfigured cloud services to drop malware as part of what's said to be a testing effort, while also linking  SCARLETEEL  attacks to the threat actor, citing infrastructure commonalities. "TeamTNT is scanning for credentials across multiple cloud environments, including AWS, Azure, and GCP," Aqua noted. The attacks, which single out public-facing Docker instanc
Critical 'nOAuth' Flaw in Microsoft Azure AD Enabled Complete Account Takeover

Critical 'nOAuth' Flaw in Microsoft Azure AD Enabled Complete Account Takeover

Jun 21, 2023 Authentication / Vulnerability
A security shortcoming in Microsoft Azure Active Directory (AD) Open Authorization ( OAuth ) process could have been exploited to achieve full account takeover, researchers said. California-based identity and access management service Descope, which discovered and reported the issue in April 2023, dubbed it  nOAuth . "nOAuth is an authentication implementation flaw that can affect Microsoft Azure AD multi-tenant OAuth applications," Omer Cohen, chief security officer at Descope,  said . The misconfiguration has to do with how a malicious actor can modify email attributes under "Contact Information" in the Azure AD account and exploit the "Log in with Microsoft" feature to hijack a victim account. To pull off the attack, all an adversary has to do is to create and access an Azure AD admin account and modify their email address to that of a victim and take advantage of the single sign-on scheme on a vulnerable app or website. "If the app merges u
Severe Vulnerabilities Reported in Microsoft Azure Bastion and Container Registry

Severe Vulnerabilities Reported in Microsoft Azure Bastion and Container Registry

Jun 14, 2023 Cloud Security / Vulnerability
Two "dangerous" security vulnerabilities have been disclosed in Microsoft Azure Bastion and Azure Container Registry that could have been exploited to carry out cross-site scripting (XSS) attacks. "The vulnerabilities allowed unauthorized access to the victim's session within the compromised Azure service iframe, which can lead to severe consequences, including unauthorized data access, unauthorized modifications, and disruption of the Azure services iframes," Orca security researcher Lidor Ben Shitrit  said  in a report shared with The Hacker News. XSS attacks  take place when threat actors inject arbitrary code into an otherwise trusted website, which then gets executed every time when unsuspecting users visit the site. The two flaws identified by Orca leverage a weakness in the postMessage iframe, which enables cross-origin communication between Window objects. This meant that the shortcoming could be abused to embed endpoints within remote servers usin
Researchers Discover 3 Vulnerabilities in Microsoft Azure API Management Service

Researchers Discover 3 Vulnerabilities in Microsoft Azure API Management Service

May 04, 2023 API Management / Vulnerability
Three new security flaws have been disclosed in Microsoft Azure API Management service that could be abused by malicious actors to gain access to sensitive information or backend services. This includes two server-side request forgery (SSRF) flaws and one instance of unrestricted file upload functionality in the API Management developer portal, according to Israeli cloud security firm Ermetic. "By abusing the SSRF vulnerabilities, attackers could send requests from the service's CORS Proxy and the hosting proxy itself, access internal Azure assets, deny service and bypass web application firewalls," security researcher Liv Matan said in a report shared with The Hacker News. "With the file upload path traversal, attackers could upload malicious files to Azure's hosted internal workload." Azure API Management is a  multicloud management platform  that allows organizations to securely expose their APIs to external and internal customers and enable a wide
Newly Discovered "By-Design" Flaw in Microsoft Azure Could Expose Storage Accounts to Hackers

Newly Discovered "By-Design" Flaw in Microsoft Azure Could Expose Storage Accounts to Hackers

Apr 11, 2023 Cloud Security / Data Security
A "by-design flaw" uncovered in Microsoft Azure could be exploited by attackers to gain access to storage accounts, move laterally in the environment, and even execute remote code. "It is possible to abuse and leverage Microsoft Storage Accounts by manipulating Azure Functions to steal access-tokens of higher privilege identities, move laterally, potentially access critical business assets, and execute remote code (RCE)," Orca said in a new  report  shared with The Hacker News. The exploitation path that underpins this attack is a mechanism called  Shared Key authorization , which is enabled by default on storage accounts. According to Microsoft, Azure generates two 512-bit storage account access keys when creating a storage account. These keys can be used to authorize access to data via Shared Key authorization, or via SAS tokens that are signed with the shared key. "Storage account access keys provide full access to the configuration of a storage accoun
Researchers Detail Severe "Super FabriXss" Vulnerability in Microsoft Azure SFX

Researchers Detail Severe "Super FabriXss" Vulnerability in Microsoft Azure SFX

Mar 30, 2023 Cloud Security / Vulnerability
Details have emerged about a now-patched vulnerability in Azure Service Fabric Explorer ( SFX ) that could lead to unauthenticated remote code execution. Tracked as  CVE-2023-23383  (CVSS score: 8.2), the issue has been dubbed "Super FabriXss" by Orca Security, a nod to the  FabriXss flaw  (CVE-2022-35829, CVSS score: 6.2) that was fixed by Microsoft in October 2022. "The Super FabriXss vulnerability enables remote attackers to leverage an XSS vulnerability to achieve remote code execution on a container hosted on a Service Fabric node without the need for authentication," security researcher Lidor Ben Shitrit  said  in a report shared with The Hacker News. XSS refers to a kind of  client-side code injection  attack that makes it possible to upload malicious scripts into otherwise trusted websites. The scripts then get executed every time a victim visits the compromised website, thereby leading to unintended consequences. While both FabriXss and Super FabriXss
New Microsoft Azure Vulnerability Uncovered — EmojiDeploy for RCE Attacks

New Microsoft Azure Vulnerability Uncovered — EmojiDeploy for RCE Attacks

Jan 19, 2023 Cloud Security / Data Security
A new critical remote code execution (RCE) flaw discovered impacting multiple services related to Microsoft Azure could be exploited by a malicious actor to completely take control of a targeted application. "The vulnerability is achieved through  CSRF  (cross-site request forgery) on the ubiquitous SCM service Kudu," Ermetic researcher Liv Matan  said  in a report shared with The Hacker News. "By abusing the vulnerability, attackers can deploy malicious ZIP files containing a payload to the victim's Azure application." The Israeli cloud infrastructure security firm, which dubbed the shortcoming  EmojiDeploy , said it could further enable the theft of sensitive data and lateral movement to other Azure services. Microsoft has since fixed the vulnerability as of December 6, 2022, following responsible disclosure on October 26, 2022, in addition to awarding a bug bounty of $30,000. The Windows maker  describes  Kudu as the "engine behind a number of feat
Microsoft Azure Services Flaws Could've Exposed Cloud Resources to Unauthorized Access

Microsoft Azure Services Flaws Could've Exposed Cloud Resources to Unauthorized Access

Jan 17, 2023 Cloud Security / Bug Report
Four different Microsoft Azure services have been found vulnerable to server-side request forgery ( SSRF ) attacks that could be exploited to gain unauthorized access to cloud resources. The security issues, which were discovered by Orca between October 8, 2022 and December 2, 2022 in Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins, have since been addressed by Microsoft. "The discovered Azure SSRF vulnerabilities allowed an attacker to scan local ports, find new services, endpoints, and sensitive files - providing valuable information on possibly vulnerable servers and services to exploit for initial entry and the location of sensitive information to target," Orca researcher Lidor Ben Shitrit  said  in a report shared with The Hacker News. Two of the vulnerabilities affecting Azure Functions and Azure Digital Twins could be abused without requiring any authentication, enabling a threat actor to seize control of a server without eve
New 'FabricScape' Bug in Microsoft Azure Service Fabric Impacts Linux Workloads

New 'FabricScape' Bug in Microsoft Azure Service Fabric Impacts Linux Workloads

Jun 29, 2022
Cybersecurity researchers from Palo Alto Networks Unit 42  disclosed  details of a new security flaw affecting Microsoft's Service Fabric that could be exploited to obtain elevated permissions and seize control of all nodes in a cluster. The issue, which has been dubbed  FabricScape  ( CVE-2022-30137 ), could only be weaponized on containers that are configured to have  runtime access . It has been  remediated  as of June 14, 2022, in  Service Fabric 9.0 Cumulative Update 1.0 . Azure Service Fabric  is Microsoft's platform-as-a-service ( PaaS ) and a container orchestrator solution used to build and deploy microservices-based cloud applications across a cluster of machines. "The vulnerability enables a bad actor, with access to a compromised container, to escalate privileges and gain control of the resource's host SF node and the entire cluster," Microsoft  said  as part of the coordinated disclosure process. "Though the bug exists on both Operating Syste
Technical Details Released for 'SynLapse' RCE Vulnerability Reported in Microsoft Azure

Technical Details Released for 'SynLapse' RCE Vulnerability Reported in Microsoft Azure

Jun 14, 2022
Microsoft has incorporated additional improvements to address the recently disclosed  SynLapse  security vulnerability in order to meet comprehensive  tenant isolation   requirements  in Azure Data Factory and Azure Synapse Pipelines. The latest safeguards include moving the shared integration runtimes to sandboxed ephemeral instances and using scoped tokens to prevent adversaries from using a client certificate to access other tenants' information. "This means that if an attacker could execute code on the  integration runtime , it is never shared between two different tenants, so no sensitive data is in danger," Orca Security said in a technical report detailing the flaw. In a statement shared with The Hacker News regarding the protections deployed, Microsoft said it fully mitigated different attack paths to the vulnerability across all integration runtime types. The tech giant stated that it "contained and closely monitored the backend certificate for adver
Hackers Use Cloud Services to Distribute Nanocore, Netwire, and AsyncRAT Malware

Hackers Use Cloud Services to Distribute Nanocore, Netwire, and AsyncRAT Malware

Jan 12, 2022
Threat actors are actively incorporating public cloud services from Amazon and Microsoft into their malicious campaigns to deliver commodity remote access trojans (RATs) such as  Nanocore ,  Netwire , and  AsyncRAT  to siphon sensitive information from compromised systems. The spear-phishing attacks, which commenced in October 2021, have primarily targeted entities located in the U.S., Canada, Italy, and Singapore, researchers from Cisco Talos said in a report shared with The Hacker News. Using existing legitimate infrastructure to facilitate intrusions is increasingly becoming part of an attacker's playbook as it obviates the need to host their own servers, not to mention be used as a cloaking mechanism to evade detection by security solutions. In recent months, collaboration and communication tools like  Discord, Slack, and Telegram  have found a place in many an infection chain to  commandeer and exfiltrate data  from the victim machines. Viewed in that light, the abuse of
New Azure AD Bug Lets Hackers Brute-Force Passwords Without Getting Caught

New Azure AD Bug Lets Hackers Brute-Force Passwords Without Getting Caught

Sep 30, 2021
Cybersecurity researchers have disclosed an unpatched security vulnerability in the protocol used by Microsoft Azure Active Directory that potential adversaries could abuse to stage undetected brute-force attacks. "This flaw allows threat actors to perform single-factor brute-force attacks against Azure Active Directory ( Azure AD ) without generating sign-in events in the targeted organization's tenant," researchers from Secureworks Counter Threat Unit (CTU)  said  in a report published on Wednesday. Azure Active Directory is Microsoft's enterprise cloud-based identity and access management (IAM) solution designed for single sign-on (SSO) and multi-factor authentication. It's also a core component of Microsoft 365 (formerly Office 365), with capabilities to provide authentication to other applications via OAuth. The weakness resides in the  Seamless Single Sign-On  feature that allows employees to automatically sign in when using their corporate devices that
Critical Cosmos Database Flaw Affected Thousands of Microsoft Azure Customers

Critical Cosmos Database Flaw Affected Thousands of Microsoft Azure Customers

Aug 27, 2021
Cloud infrastructure security company Wiz on Thursday revealed details of a now-fixed Azure Cosmos database vulnerability that could have been potentially exploited to grant any Azure user full admin access to other customers' database instances without any authorization. The flaw, which grants read, write, and delete privileges, has been dubbed " ChaosDB ," with Wiz researchers noting that "the vulnerability has a trivial exploit that doesn't require any previous access to the target environment, and impacts thousands of organizations, including numerous Fortune 500 companies." Cosmos DB is Microsoft's proprietary  NoSQL database  that's advertised as "a fully managed service" that "takes database administration off your hands with automatic management, updates and patching." The Wiz Research Team reported the issue to Microsoft on August 12, after which the Windows maker took steps to mitigate the issue within 48 hours of r
Microsoft Urges Azure Users to Update PowerShell to Patch RCE Flaw

Microsoft Urges Azure Users to Update PowerShell to Patch RCE Flaw

Jul 05, 2021
Microsoft is urging Azure users to  update  the PowerShell command-line tool as soon as possible to protect against a critical remote code execution vulnerability impacting .NET Core. The issue, tracked as  CVE-2021-26701  (CVSS score: 8.1), affects PowerShell versions 7.0 and 7.1 and have been remediated in versions 7.0.6 and 7.1.3, respectively. Windows PowerShell 5.1 isn't impacted by the flaw. Built on the .NET Common Language Runtime (CLR),  PowerShell  is a cross-platform task automation utility that consists of a command-line shell, a scripting language, and a configuration management framework. "A remote code execution vulnerability exists in .NET 5 and .NET Core due to how text encoding is performed," the company  noted in an advisory  published earlier this April, adding that the problem resides in the " System.Text.Encodings.Web " package, which provides types for encoding and escaping strings for use in JavaScript, HTML, and URLs. System.Text.
New Docker Container Escape Bug Affects Microsoft Azure Functions

New Docker Container Escape Bug Affects Microsoft Azure Functions

Jan 27, 2021
Cybersecurity researcher Paul Litvak today disclosed an unpatched vulnerability in Microsoft Azure Functions that could be used by an attacker to escalate privileges and escape the Docker container used for hosting them. The findings come as part of Intezer Lab 's investigations into the Azure compute infrastructure. Following disclosure to Microsoft, the Windows maker is said to have "determined that the vulnerability has no security impact on Function users, since the host itself is still protected by another defense boundary against the elevated position we reached in the container host." Azure Functions , analogous to Amazon AWS Lambda, is a serverless solution that allows users to run event-triggered code without having to provision or manage infrastructure explicitly while simultaneously making it possible to scale and allocate compute and resources based on demand. By incorporating Docker into the mix, it makes it possible for developers to easily deploy and
Microsoft Warns CrowdStrike of Hackers Targeting Azure Cloud Customers

Microsoft Warns CrowdStrike of Hackers Targeting Azure Cloud Customers

Dec 25, 2020
New evidence amidst the ongoing probe into the  espionage campaign  targeting SolarWinds has uncovered an unsuccessful attempt to compromise cybersecurity firm Crowdstrike and access the company's email. The hacking endeavor was reported to the company by Microsoft's Threat Intelligence Center on December 15, which identified a third-party reseller's Microsoft Azure account to be making "abnormal calls" to Microsoft cloud APIs during a 17-hour period several months ago. The undisclosed affected reseller's Azure account handles Microsoft Office licensing for its Azure customers, including CrowdStrike. Although there was an attempt by unidentified threat actors to read the emails, it was ultimately foiled as the firm does not use Microsoft's Office 365 email service, CrowdStrike  said . The incident comes in the wake of the  supply chain attack  of SolarWinds revealed earlier this month, resulting in the deployment of a covert backdoor (aka "Sunbu
Cybersecurity Resources