Three flaws were discovered in Microsoft Azure's cloud-based data integration service, in its use of an open source workflow orchestration platform, that could have allowed an attacker to gain administrative control over organizations' Azure cloud infrastructure, exposing them to data exfiltration, malware deployment, and unauthorized data access.
Researchers at Palo Alto Networks' Unit 42 discovered the weaknesses, two misconfigurations and one case of weak authentication, in Azure Data Factory's Apache Airflow integration. Data Factory lets users manage data pipelines that move information between different sources, while Apache Airflow makes it easy to schedule and coordinate complex workflows.
While Microsoft classified the flaws as low severity, Unit 42 researchers found that successfully exploiting them could allow an attacker to gain persistent access as a shadow administrator to the entire Airflow Azure Kubernetes Service (AKS) cluster, they revealed in a blog post published on December 17.
Specifically, the flaws discovered in Data Factory were: a misconfigured Kubernetes role-based access control (RBAC) setup in the Airflow cluster; misconfigured secret handling for Geneva, Azure's internal service responsible for managing critical logs and metrics; and weak authentication for Geneva.
Unauthorized access to the Azure cloud has already been mitigated
The Airflow instance's immutable default configuration, combined with binding the cluster-admin role to the Airflow operator, "caused a security issue" that an attacker could exploit "for controlling the Airflow cluster and related infrastructure," the researchers explained.
If an attacker could compromise the cluster, they could also tamper with Geneva, allowing them to "manipulate log data or access other sensitive Azure resources," wrote Ofir Balassiano, Unit 42's director of security research, and senior security researcher David Orlik in the post.
Overall, the flaws highlight the importance of managing service permissions and monitoring the operations of important third-party services within a cloud environment to prevent unauthorized access to the cluster.
Unit 42 reported the flaws to Microsoft Azure, and they were eventually resolved by the Microsoft Security Response Center. The researchers did not specify what fixes were made to mitigate the vulnerabilities, and Microsoft did not immediately respond to a request for comment.
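The RBAC misconfiguration at the heart of this report is a Kubernetes service account for an Airflow workload bound to the built-in cluster-admin role, which is exactly the kind of binding a defender can audit mechanically. The following is an added example (not Unit 42's or Microsoft's code) that walks the JSON output shape of `kubectl get ... -o json` and flags any binding that confers cluster-admin-like power on a subject, whether through the built-in cluster-admin ClusterRole or through a custom role with wildcard verbs on wildcard resources. The manifests are constructed inline and the names (`airflow-worker`, `airflow-all`, `airflow-pod-launcher`) are hypothetical; the sample includes the weak binding beside a namespaced least-privilege Role that a pod-launching worker would actually need.

```python
"""Audit Kubernetes RBAC bindings for identities that hold cluster-admin-like power.

Added example, not Unit 42's or Microsoft's code. It flags the pattern the article
describes (an Airflow worker's service account bound to cluster-admin) and shows a
namespaced least-privilege Role next to it. All manifests are constructed and the
resource names are hypothetical.
"""
from typing import Dict, List, Tuple

# Constructed sample shaped like the "List" that
#   kubectl get clusterrolebindings,rolebindings,clusterroles,roles -A -o json
# returns. Only the fields the audit needs are present.
SAMPLE_RBAC = {
    "kind": "List",
    "items": [
        # Weak: the Airflow worker's service account is cluster-admin cluster-wide.
        {"kind": "ClusterRoleBinding",
         "metadata": {"name": "airflow-worker-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "ServiceAccount", "name": "airflow-worker", "namespace": "airflow"}]},
        # Weak in a different way: a custom ClusterRole that is cluster-admin in all but name.
        {"kind": "ClusterRole",
         "metadata": {"name": "airflow-all"},
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
        {"kind": "RoleBinding",
         "metadata": {"name": "airflow-scheduler-all", "namespace": "airflow"},
         "roleRef": {"kind": "ClusterRole", "name": "airflow-all"},
         "subjects": [{"kind": "ServiceAccount", "name": "airflow-scheduler", "namespace": "airflow"}]},
        # Corrected: a namespaced Role listing only what a pod-launching worker needs.
        {"kind": "Role",
         "metadata": {"name": "airflow-pod-launcher", "namespace": "airflow"},
         "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"],
                    "verbs": ["create", "get", "list", "watch", "delete"]}]},
        {"kind": "RoleBinding",
         "metadata": {"name": "airflow-worker-pod-launcher", "namespace": "airflow"},
         "roleRef": {"kind": "Role", "name": "airflow-pod-launcher"},
         "subjects": [{"kind": "ServiceAccount", "name": "airflow-worker", "namespace": "airflow"}]},
        # A human user given cluster-admin inside one namespace: still worth a finding.
        {"kind": "RoleBinding",
         "metadata": {"name": "ns-admin", "namespace": "dev"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "User", "name": "alice"}]},
    ],
}

WILDCARD = "*"


def rule_is_unbounded(rule: Dict) -> bool:
    """True when a rule grants every verb on every resource (or every API group)."""
    return WILDCARD in rule.get("verbs", []) and (
        WILDCARD in rule.get("resources", []) or WILDCARD in rule.get("apiGroups", [])
    )


def index_roles(items: List[Dict]) -> Dict[Tuple[str, str, str], Dict]:
    """Map (kind, namespace, name) -> Role/ClusterRole so bindings can be resolved."""
    roles = {}
    for item in items:
        if item["kind"] in ("Role", "ClusterRole"):
            meta = item["metadata"]
            roles[(item["kind"], meta.get("namespace", ""), meta["name"])] = item
    return roles


def audit_bindings(rbac: Dict) -> List[Dict]:
    """Return one finding per subject of any binding that confers cluster-admin-like power."""
    items = rbac["items"]
    roles = index_roles(items)
    findings = []
    for item in items:
        if item["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref = item["roleRef"]
        scope = item["metadata"].get("namespace", "cluster")
        reasons = []
        if ref["kind"] == "ClusterRole" and ref["name"] == "cluster-admin":
            reasons.append("binds the built-in cluster-admin ClusterRole")
        # A Role reference resolves in the binding's namespace; a ClusterRole is cluster-wide.
        key = (ref["kind"], scope if ref["kind"] == "Role" else "", ref["name"])
        role = roles.get(key)
        if role is not None and any(rule_is_unbounded(r) for r in role.get("rules", [])):
            reasons.append(f"bound {ref['kind']} {ref['name']} grants '*' verbs on '*' resources")
        if not reasons:
            continue
        for subj in item.get("subjects", []):
            ns = subj.get("namespace")
            subject = f"{subj['kind']}/{ns}/{subj['name']}" if ns else f"{subj['kind']}/{subj['name']}"
            findings.append({
                "binding": f"{item['kind']}/{item['metadata']['name']}",
                "scope": scope,
                "subject": subject,
                # A service account is what a compromised pod inherits, so it matters most.
                "workload_identity": subj["kind"] == "ServiceAccount",
                "reason": "; ".join(reasons),
            })
    return findings


if __name__ == "__main__":
    for f in audit_bindings(SAMPLE_RBAC):
        tag = "WORKLOAD" if f["workload_identity"] else "USER"
        print(f"[{tag}] {f['binding']} ({f['scope']}): {f['subject']} -> {f['reason']}")
```

Run against the constructed sample, the audit reports the cluster-wide cluster-admin binding for `airflow-worker`, the wildcard ClusterRole bound to `airflow-scheduler`, and the namespaced cluster-admin grant to `alice`, and stays silent on the pod-launcher Role; a RoleBinding that references a ClusterRole only grants that role's verbs inside the binding's namespace, which is why the audit records the scope with each finding rather than treating every cluster-admin reference as cluster-wide.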
How cyber attackers gain initial administrative access
The initial exploitation scenario assumes the attacker has gained unauthorized write permissions to a directed acyclic graph (DAG) file used by Apache Airflow. DAG files define the workflow structure as Python code: they specify the sequence in which tasks must be executed, the dependencies between tasks, and scheduling rules.
Attackers have two ways to access and manipulate DAG files. They can obtain write permissions to the storage account containing the DAG files by leveraging an account that already has write permissions, or they can use a Shared Access Signature (SAS) token, which grants temporary, limited access to the DAG file.
In this scenario, once a DAG file is tampered with, it "lies dormant until the DAG files are imported by the victim," the researchers explained.
The second method is to access the Git repository using leaked credentials or a misconfigured repository. Once inside, an attacker can create a malicious DAG file or modify an existing one, and the directory containing the malicious DAG file is automatically imported.
In their attack flow, Unit 42's researchers used the leaked Git repository credentials scenario to access the DAG file. "In this case, once the attacker tampers with the compromised DAG file, Airflow executes it, and the attacker obtains a reverse shell," they explained in the post.
So the basic exploit workflow involves the attacker first crafting a DAG file that opens a reverse shell to a remote server and runs automatically when imported. The malicious DAG file is then uploaded to a private GitHub repository connected to the Airflow cluster.
“Airflow automatically imports and runs a DAG file from the connected Git repository, and opens a reverse shell on the Airflow worker,” the researchers explained. “At this point, we have cluster admin privileges due to the Kubernetes service account being attached to the Airflow agent.”
From there, the attack can escalate to take control of the cluster; use shadow administrator access to create shadow workloads for cryptomining or running other malware; exfiltrate data from the enterprise cloud; and exploit Geneva to reach other endpoints in Azure for further malicious activity, the researchers wrote.
Cloud security should extend beyond the cluster
Attackers often begin cloud-based attacks by pouncing on local misconfigurations. This exploit flow once again highlights how an entire cloud environment is exposed to risk through exploited flaws within a single node or cluster.
The scenario demonstrates the importance of moving beyond simply securing the perimeter of a cloud cluster to a more comprehensive approach to cloud security that takes into account what happens if attackers break those boundaries, according to Unit 42.
This strategy should include “securing permissions and configurations within the environment itself, and using policy and auditing engines to help detect and prevent future incidents within the cluster and in the cloud,” the researchers wrote.
They added that companies must also protect the sensitive data assets that interact with different services in the cloud, and understand what data the data service processes, so that service dependencies are taken into account when securing the cloud.