Cloud security company Orca has recently revealed an exploitation path involving Azure shared key authorization that could allow full access to accounts and business data, leading to remote code execution (RCE). This is due to the weak security of Azure shared key authorization compared to Azure Active Directory (Azure AD) credentials. By default, Azure generates two 512-bit storage account access keys for any newly created account, and these keys are virtually a root password.
Orca’s attack scenario revealed that access key authentication can be used to perform more actions than defined by the permissions Azure accounts are given to ensure their access to the data they require. This means that a user with only read access on a Storage account may also have the ability to modify and delete data, as well as move laterally within the environment and execute code remotely.
The main issue here is the potential access an attacker could gain by compromising an Azure Storage account or by obtaining their access keys. Furthermore, an attacker could access data and perform malicious actions without being detected. Although shared key authorization cannot be removed from Azure, organizations can take preventive steps by applying the principle of least-privilege and completely disabling shared key authorization. Microsoft has also published a blog post detailing best practices, as well as the steps that the company is taking to move away from shared key authorization.
In conclusion, Orca’s investigation into Azure shared key authorization exploitation reveals the potential risks associated with this feature. As such, organizations should take preventative steps, such as applying the principle of least-privilege and completely disabling shared key authorization, in order to mitigate these risks.
• Shared key authorization provides inferior security compared to Azure Active Directory (Azure AD) credentials.
• A compromised Storage account can be used to exfiltrate a higher-privileged identity and then abuse it to move laterally and to deploy and execute a reverse shell in virtual machines.
• An attacker could gain full access to storage accounts and potentially critical business assets.
• Organizations should apply the principle of least-privilege and completely disable shared key authorization in order to mitigate the risks associated with this exploitation scenario.