Nate Warfield, Microsoft Ben Ridgway, Microsoft MongoDB, Redis, Elastic, Hadoop, SMBv1, IIS6.0, Samba. What do they all have in common? Thousands of them were pwned. In Azure. In 2017. Attackers have shifted tactics, leveraged nation-state leaked tools and are leveraging ransomware to monetize their attacks. Cloud networks are prime targets; the DMZ is gone, the firewall doesn't exist and customers may not realize they've exposed insecure services to the internet until it's too late. In this talk we'll discuss hunting, finding and remediating compromised customer systems in Azure - a non-trivial task with 1.59million exposed hosts and counting. Remediating system compromise is only the first stage so we'll also cover how we applied the lessons learned to proactively secure Azure Marketplace.

1. All Your Cloud Are
Belong to Us
Hunting Compromise in Azure
Nate Warfield & Ben Ridgway – Microsoft

2. Who we are: Nate Warfield
▪ Senior Security Program Manger - MSRC
– Windows: Hyper-V, Kernel, Server, Networking,Crypto,WSL
– Azure: Networking, Compute
▪ Background
– 18 years in Network Engineering
– Hacking the planet since ‘94
▪ Hobbies
– Internet of InsecurableThings
– Radio hacking (SDR, BT/BLE, LoRaWAN, RFID/NFC)
– Physical (in)security
– Snowboarding, skydiving, things that go boom

3. Who we are: Ben Ridgway
▪ Senior Security Program Manger – MSRC
– Azure Security Incident Response
– “Putting out fires in the cloud” since before that statement made sense
▪ Background
– Previously traveling SOC builder/pentester for US Gov
– Hired by Microsoft to work on their very first cloud offerings
▪ Hobbies
– Breaking things
– Hitting things
– Riding over the top of things

4. Agenda
▪ Framing the Problem
– It is easier than ever to shoot yourself in the foot
▪ Scratching the Underbelly
– Wanna Petya?
▪ Hunting for Badness
– It takes a thief…..
▪ An Exercise in Self Preservation
– What is a cloud to do?
▪ Questions

5. Framing the Problem
How did we get here?

6. A brief history of Network Security
Technology
• 1988 – DEC Packet Filter Firewall
• 1989 – AT&T Bell Labs Stateful Firewall
• 1991 – DEC SEAL Application Layer Firewall
• 1994 – Check Point Firewall
• Today – Hundreds; software FW included in most Operating Systems
Design
• Network segmentation
• Demilitarized Zone (DMZ)
• Access Control Lists (ACL)

7. Network Security Best Practices
• Limit inbound access from the Internet
• Default deny
• ACLs on all network devices
• Authentication. Everywhere.
• Install security updates
• Isolate public-facing servers in DMZ
• Strict isolation between Corporate, Developer &Test networks
• All changes to Firewall/ACL done by security team
• …and many more

9. How Cloud Changes This Model
• EveryVirtual Machine is exposed to the Internet
• At a minimum, SSH or RDP exposed by default
• Required for administration
• Anyone with subscription access can deploy systems
• Anyone with subscription access can expose BadThings™
• Patch management decentralized
• VM’s deploy with predefined firewall configuration
• One insecureVM image == thousands of insecure deployments
• This is not unique to Azure;AWS & others see similar problems

10. 2017: All Your Cloud Are Belong to Us

11. Scratching the Underbelly
When the past is always with you, it may as well be present; and if it is present, it will be
future as well.
―WilliamGibson, Neuromancer

12. NoSQL - Exposure & Impact
• NoSQL solutions were not designed to be Internet-facing
• “..it is not a good idea to expose the Redis instance directly to the internet”
• “Allow only trusted clients to access the network interfaces and ports on which
MongoDB instances are available.”
• “Elasticsearch installations are not designed to be publicly accessible over the
Internet.”
• Naturally, people exposed them to the Internet
• August 2016 – Redis
• January 2017 - Present: MongoDB, CouchDB, Hadoop, Elastic, etc.
• Databases replaced with ransom note
• Hundreds of thousands of systems compromised globally
• Azure – 2500+VM’s affected

13. Finding NoSQL Compromise in Azure
• Large attack surface – 1.6million IP addresses
• Each NoSQL solution runs on a different port
• Open port != compromise
• Need to see DB names to determine whether compromised
• Fortunately Shodan.io already indexes this data!
• The Google of port scans
• Can search by organization
• DB names are collected & searchable
• Results downloadable in JSON format for post-processing

14. Why Shodan?
• Fast
• Most things we care about are already indexed
• Extremely accurate
• Accurate to within 0.14% of in-house scanning solution
• More than just a port scan
• Full DB details, SMB versions, Authentication, etc.
• Machine readable output
• Data easily parsed by scripts

15. Wanna Petya?
A(nother) wakeup call for the industry

16. The Untold Backstory of MS17-010
▪ January 2017, AWindows engineer discovers a potential RCE in
SMBv1
▪ March 14 2017: MS17-010 released to the public
▪ April 14 2017: Shadowbrokers release of “somebody’s” favorite toys
– Eternal Blue, Double Pulsar
▪ Noon: MSRC andWindows commence reverse engineering
▪ 10PM: conclusion that security updates fix all Microsoft issues
▪ 11PM: Blog released

18. Mission Accomplished? Not Quite
▪ May 10 2017: Azure CSS notes influx of cases sighting random
reboots
▪ May 12 2017: Sensors start detecting new malware outbreak. Media
starts covering WannaCry
▪ 64 days since the release of MS17-010

19. (Most) Enterprise Patch Management
Strategy
▪ “I can’t install the patch because it causes downtime”
▪ “The SOC will detect any attacks and mitigate them before they
become a problem”
▪ “My Cloud Service Provider takes care of it for me”
▪ “I don’t need the patch because my system isn’t exposed”

20. Fallacy: “My Cloud Service Provider
takes care of patching for me”
▪ Requires understanding of
shared responsibility
▪ We will (if you let us)
Requires
– SaaS
– PaaS (if you let us)
▪ IaaS is completely your
responsibility
▪ People don’t patch
because….

21. Fallacy: “I don’t need the patch because
my system isn’t exposed”
▪ Well intentioned, yet doomed attempt to
use threat models to drive patching
▪ Why doomed?
– Threat models change
– Systems are complicated
– ACLs are never implemented right
▪ Discovery:
– Excellent patch hygiene for production
systems
– Terrible hygiene for “science experiments”
▪ Of course nobody ever connects the two…
All it takes is a trail of breadcrumbs

22. Hunting for Badness
TheShadowBrokers has is having little of each as our auction was an apparent failure. Be
considering this our form of protest.
--ShadowBrokers, April 8th 2017

23. Exposure & Impact
• [REDACTED] weaponized an SMBv1 exploit (EternalBlue)
• [REDACTED] added it to their Metasploit clone
• [REDACTED] lost control of this tool
• Dontcha hate it when that happens?
• Microsoft patched in March 2017 (MS17-010)
• But nobody in their right mind would expose SMB to the Internet..
• #holdmybeer
• #yolo
• #facepalm

24. Finding DoublePulsar in Azure
• “Only” 14k hosts exposingTC P/445
• DoublePulsar implant does not visibly alter the system
• It did however allow operators to test for it’s existence
• Send “trans2 SESSION_SETUP” request to target
• All systems will reply with “Not Implemented”
• Infected systems will add Multiplex ID 81 (0x51)
• Manually scanned all IP’s exposingTCP/445
• Shodan added MS17-010 detection in May 2017
• Low rate of infection (<50)

25. WannaCry: Exposure & Impact
• Attack started May 12 2017
• Targeted systems missing MS17-010 patches
• 230k+ systems / 150 countries affected
• Initial infection via Internet-exposed SMB port*
• Lateral movement via EternalBlue
• Kill-switch domain stopped propagation (thanks @MalwareTech!)
• Comparatively low-tech
• Weapons test?
• Profit?
• Both?
*https://nakedsecurity.sophos.com/2017/05/17/wannacry-the-ransomware-worm-that-didnt-arrive-on-a-phishing-hook/

27. NotPetya: Exposure & Impact
• Attack started June 27 2017
• Initial infection via backdoored MEDocs software
• Specifically targeted Ukraine
• Lateral movement via psexec,WMIC, mimikatz and MS17-010
• Infection rate of ~500 systems/minute
• Wiper, not ransomware
• $300M damage to Maersk alone
• Comparatively high-tech
• Blast radius increased due toVPN links to Ukraine
• I’m not saying it was a nation state attack….

28. Add a Slide Title - 3

29. Exposure

30. Network Security Group
• Network Security Group == Default firewall config
• Of 2100+ images in Azure Marketplace, 1151 contained NSG
• 890 (77%) of these opened 2 or more ports by default
• 308 (27%) opened 4 or more ports
• 31 images deploy with 10+ ports open
• Worst offender: 83 ports open by default
• Users can modify prior to deployment (assuming they look)

31. Exposed Services - Azure

32. Default Passwords
• VM Descriptions occasionally contain a default password
• Users are advised to change PW after installation
• At least it’s a strong* PW!: P@sswOrd123
• *actual PW changed to protect the innocent
• Users always follow instructions
• Fortunately “only” for services like MySQL, SQL, etc.
• Unknown how many were left unchanged
• Do databases really need to be Internet facing?

33. Self preservation

34. How do we save people who can’t save
themselves?
▪ ‘MemberWannacry?
– 14,480 Exposed CustomerVMs
– 661 Belonged to me
▪ ‘Member NotPetya?
– 16,750 Exposed CustomerVMs
– 16 Belonged to me
▪ Didn’t they get the memo?

35. What do we do about this?
▪ Customer notifications: Where do you draw the line?
– Any issue Microsoft causes
– Any issue which causes harm to the platform (enables ddos)
– Any issue which is subject to rampant exploitation (MS17-010, Elastic, Mongo….)
– Any real issue which is causing a media firestorm (Heartbleed)
▪ Giving customers tools
– Azure Security Center FREE tier provides security recommendations
– Platform as a Service (PaaS) manages updates for you
– Availability zones prevent downtime
– SSH requires client certificates by default
– Default DenyACLs

36. Attribution
• Quick, point fingers!
• Hackers!
• We did it for the lulzCoin, GTFO
• Customer!
• Our security team is responsible
• Customer’s security team!
• Our cloud provider is responsible
• Cloud Provider!
• Don’t deploy insecure configurations/VM’s
• CloudVM image provider!
• InsecureVM’s don’t compromise systems, evil hackers
compromise systems
• Bad PR == Brand damage == Loss of [trust|customers|revenue]

37. Questions?