Cybersecurity researchers have developed the first completely undetectable cloud-based cryptocurrency miner, taking advantage of the Microsoft Azure Automation service without accruing any costs.

How the technique for running an anonymous cryptocurrency miner in the cloud works

Cybersecurity firm SafeBreach said it has discovered three different methods to run a cryptocurrency miner in the cloud, including one that can run in a victim’s environment without attracting any attention.

“While this research is significant due to its potential impact on cryptocurrency mining, we also believe it has serious implications for other industries, as the techniques could be used to accomplish any task that requires running code on Azure,” security researcher Ariel Gamrian said in a report.

The study primarily aimed to identify an “ultimate cryptocurrency miner” that offered unlimited access to computing resources, required little or no maintenance, was free and, above all, was not detectable.

This is exactly where Azure Automation comes in. Developed by Microsoft, it is a cloud-based automation service that allows users to automate the creation, deployment, monitoring and maintenance of resources in Azure.

SafeBreach claimed to have discovered a flaw in the Azure pricing calculator that made it possible to run an infinite number of jobs completely free, although this concerns the attacker’s own environment (not the victim’s). Microsoft later released a fix for the problem.

An alternative method involves creating a test-job for cryptocurrency mining, setting its status to “Failed”, and then creating another dummy test-job, taking advantage of the fact that only one test can run at a time.

The end result of this flow is that it completely hides the execution of the code within the Azure environment (in short, almost total anonymity on services that historically have not offered it).

A malicious hacker (cracker) could take advantage of these methods by establishing a reverse shell to an external server and authenticating to the Automation endpoint to achieve their goals.

Furthermore, it was discovered that code execution could be achieved by leveraging the Azure Automation functionality that allows users to upload custom Python packages.

“We could create a malicious package called ‘pip’ and upload it to the automation account,” explained Gamrian. “The load flow would replace the current pip in the automation account. After our custom pip has been saved to the automation account, the service used it every time a package was loaded.”

SafeBreach has also made available a proof of concept called CloudMiner on GitHub, designed to get free computing power within the Azure Automation service by leveraging the Python package upload mechanism.

Microsoft, in response to the disclosures, classified the behavior as “deliberate,” which means that the method can still be exploited at no cost.

While the scope of the research is limited to abusing Azure Automation for mining by turning the service into a cryptocurrency miner, the security firm warned that the same techniques could be reused by other crackers to accomplish any task that requires code execution on Azure.

“As customers of cloud service providers, individual organizations must actively monitor every single resource and every action taken within their environment,” Gamrian said.

“We strongly recommend that organizations inform themselves about the methodologies and flows that various malicious actors could use to create untraceable resources and actively monitor code execution indicative of such behavior.”
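One way to monitor for the custom 'pip' package technique described above is to flag Automation account package uploads whose name shadows the installer itself. This is an added example, not code from SafeBreach or Microsoft. The log records are constructed, and the operation names, record fields and the extra protected names ('setuptools', 'wheel') are assumptions.

```python
import re

# Only 'pip' comes from the article; 'setuptools' and 'wheel' are assumed additions.
PROTECTED = {"pip", "setuptools", "wheel"}

# Assumption: ARM operation names for custom Python 2/3 package uploads.
PKG_WRITE = re.compile(
    r"^Microsoft\.Automation/automationAccounts/python[23]Packages/write$", re.I)
RESOURCE = re.compile(
    r"/automationAccounts/(?P<account>[^/]+)/python[23]Packages/(?P<package>[^/]+)$", re.I)

_RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
_AA = _RG + "/providers/Microsoft.Automation/automationAccounts/aa-demo"

# Constructed sample records, shaped like exported Activity Log entries.
SAMPLE_LOG = [
    {"eventTimestamp": "2023-11-01T09:12:03Z", "caller": "dev@example.com",
     "operationName": "Microsoft.Automation/automationAccounts/python3Packages/write",
     "resourceId": _AA + "/python3Packages/requests"},
    {"eventTimestamp": "2023-11-01T09:40:51Z", "caller": "svc-build@example.com",
     "operationName": "Microsoft.Automation/automationAccounts/python3Packages/write",
     "resourceId": _AA + "/python3Packages/PIP"},
    # A runbook that happens to be named 'pip' is not a package upload.
    {"eventTimestamp": "2023-11-01T10:02:17Z", "caller": "dev@example.com",
     "operationName": "Microsoft.Automation/automationAccounts/runbooks/write",
     "resourceId": _AA + "/runbooks/pip"},
]

def normalize(name):
    """PEP 503 name normalization, so 'PIP' and 'Pip' compare equal to 'pip'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def find_shadowing_uploads(records, protected=PROTECTED):
    """Return package-upload events whose package name shadows a protected tool."""
    findings = []
    for rec in records:
        if not PKG_WRITE.match(rec.get("operationName", "")):
            continue
        m = RESOURCE.search(rec.get("resourceId", ""))
        if m and normalize(m["package"]) in protected:
            findings.append({"account": m["account"], "package": m["package"],
                             "caller": rec.get("caller"),
                             "time": rec.get("eventTimestamp")})
    return findings

if __name__ == "__main__":
    for hit in find_shadowing_uploads(SAMPLE_LOG):
        print("ALERT: {package} uploaded to {account} by {caller} at {time}".format(**hit))
```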