Undetectable cryptomining technique found lurking on Microsoft Azure Automation


Someone found a loophole in Azure that allowed them to create free money and never get busted, but instead of using it - they reported it to Microsoft and had it fixed.

That someone is a team of researchers from the SafeBreach cybersecurity company, who, as an experiment, set out to see if they could build the perfect crypto miner: one that uses other people’s resources (for example cloud computing power, internet, electricity), needs virtually no management, doesn’t cost a dime, and is basically impossible to detect.

They found the way using Azure Automation, Microsoft’s service through which Azure users can automate creating, deploying, monitoring, and maintaining their Azure resources.

Malicious code execution

The researchers found multiple ways to run the miner. The first one required their own environment, and while that should have charged them extra, a bug in the pricing calculator resulted in the miner running for a month for a whopping $0. SafeBreach reported this to Microsoft, who later fixed the problem. No more free money there.

But then the researchers took it a step further, to see if a miner would possibly work in other people’s environments, and how.

They created a test-job for mining and set its status as “failed” (even though it didn’t). As only one test can run at the same time, setting the status as “failed” allowed them to create another test-job, effectively hiding code execution within the Azure environment.

Also, they discovered they could run code by using an Automation feature that allows users to upload custom Python packages. "We could create a malicious package named 'pip' and upload it to the Automation Account," the researchers told The Hacker News. "The upload flow would replace the current pip in the Automation account. After our custom pip was saved in the Automation account, the service used it every time a package was uploaded."

As a demonstration of their findings, SafeBreach created a proof-of-concept called CloudMiner, which abuses Azure Automation via the Python upload mechanism to gain free computing power. Microsoft apparently said this was a feature and not a bug, with the researchers adding that customers should “proactively monitor every single resource and every single action being performed within their environment”.

While the test was to discover if a “perfect” crypto miner exists, the researchers seem to be more worried that someone might abuse Azure Automation for more nefarious purposes, the publication hints. After all, this enables code execution on Azure.

More from TechRadar Pro