Undetectable cryptomining technique found lurking on Microsoft Azure Automation

It was all part of a test in a controlled environment

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Someone found a loophole in Azure that allowed them to create free money and never get busted, but instead of using it - they reported it toMicrosoftand had it fixed.

That someone is a team of researchers from the SafeBreach cybersecurity company, who, as an experiment, set out to see if they could build the perfect crypto miner: one that uses other people’s resources (for examplecloud computingpower, internet, electricity), needs virtually no management, doesn’t cost a dime, and is basically impossible to detect.

They found the way using Azure Automation, Microsoft’s service through which Azure users can automate creating, deploying, monitoring, and maintaining their Azure resources.

Malicious code execution

The researchers found multiple ways to run the miner. The first one required their own environment, and while that should have charged them extra, a bug in the pricing calculator resulted in the miner running for a month for a whopping $0. SafeBreach reported this to Microsoft, who later fixed the problem. No more free money there.

But then the researchers took it a step further, to see if a miner would possibly work in other people’s environments, and how.

They created a test-job for mining and set its status as “failed” (even though it didn’t). As only one test can run at the same time, setting the status as “failed” allowed them to create another test-job, effectively hiding code execution within the Azure environment.

Also, they discovered they could run code by using an Automation feature that allows users to upload custom Python packages. “We could create a malicious package named ‘pip’ and upload it to the Automation Account,” the researchers toldThe Hacker News. “The upload flow would replace the current pip in the Automation account. After our custom pip was saved in the Automation account, the service used it every time a package was uploaded.”

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

As a demonstration of their findings, SafeBreach created a proof-of-concept called CloudMiner, which abuses Azure Automation via the Python upload mechanism to gain free computing power. Microsoft apparently said this was a feature and not a bug, with the researchers adding that customers should “proactively monitor every single resource and every single action being performed within their environment”.

While the test was to discover if a “perfect” crypto miner exists, the researchers seem to be more worried that someone might abuse Azure Automation for more nefarious purposes, the publication hints. After all, this enables code execution on Azure.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

HPE reveals critical security bug affecting networking access points

A critical Palo Alto Networks bug is being hit by cyberattacks, so patch now

Google Gemini is set to finally reach its full potential – and take over from Google Assistant – thanks to a major upgrade