Opening a Network Security Group to the Internet

Platform: Azure
Service: virtual-machines
Data breaches: known
Last updated: (not given)
Exploitability: medium (how easy it is for an attacker to discover and exploit the vulnerability; some might refer to this as likelihood)
Impact: medium (how impactful to your environment and organization a successful exploitation of this vulnerability is expected to be)

About

An attacker can modify Network Security Group rules to allow for new traffic. This typically allows them to maintain access to your infrastructure.

Understanding Impact

Business Impact

Compute resources in Azure are protected by Network Security Groups (NSGs). When an attacker allows traffic on an NSG, it exposes the affected resource publicly and allows the attacker to remain in your environment.

Technical Impact

Network Security Groups are used to control traffic to and from Azure resources. When an attacker modifies an NSG, they can allow traffic to a resource that was previously blocked. This allows them to gain or maintain access to your environment.

Detection

You can identify when a Network Security Group ingress rule is created or modified using the Azure Activity Log event Microsoft.Network/networkSecurityGroups/securityRules/write.

Sample event, shortened for readability:

{
  "id": "/subscriptions/<subscription-id>/resourcegroups/<resource-group>/providers/Microsoft.Network/networkSecurityGroups/<nsg-name>/securityRules/AllowAnySSHInbound/events/<...>",
  "operationName": {
    "value": "Microsoft.Network/networkSecurityGroups/securityRules/write",
    "localizedValue": "Create or Update Security Rule"
  },
  "resourceGroupName": "<resource-group>",
  "resourceProviderName": {
    "value": "Microsoft.Network",
    "localizedValue": "Microsoft.Network"
  },
  "resourceType": {
    "value": "Microsoft.Network/networkSecurityGroups/securityRules",
    "localizedValue": "Microsoft.Network/networkSecurityGroups/securityRules"
  },
  "resourceId": "/subscriptions/<subscription-id>/resourcegroups/<resource-group>/providers/Microsoft.Network/networkSecurityGroups/<nsg-name>/securityRules/AllowAnySSHInbound",
  "properties": {
    "eventCategory": "Administrative",
    "entity": "/subscriptions/<subscription-id>/resourcegroups/<resource-group>/providers/Microsoft.Network/networkSecurityGroups/<nsg-name>/securityRules/AllowAnySSHInbound",
    "message": "Microsoft.Network/networkSecurityGroups/securityRules/write"
  }
}

When the rule is created for the first time, the event does not include the port or source IP range that was opened. When the rule already existed, properties.responseBody contains the JSON of the modified NSG rule:

{
  "name": "AllowAnySSHInbound",
  "id": "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Network/networkSecurityGroups/<nsg-name>/securityRules/AllowAnySSHInbound",
  "type": "Microsoft.Network/networkSecurityGroups/securityRules",
  "properties": {
    "provisioningState": "Updating",
    "protocol": "TCP",
    "sourcePortRange": "1024-54335",
    "destinationPortRange": "22",
    "sourceAddressPrefix": "<source-ip>",
    "destinationAddressPrefix": "*",
    "access": "Allow",
    "priority": 100,
    "direction": "Inbound",
    "sourcePortRanges": [],
    "destinationPortRanges": [],
    "sourceAddressPrefixes": [],
    "destinationAddressPrefixes": []
  }
}
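The following Python triage function is an added example, not code from this article or from Datadog: it applies the two cases described above to Activity Log events, sending first-time rule creations (no responseBody) to manual review and alerting only on updates whose responseBody allows inbound traffic from any source. The sample events, the <...> identifiers and the set of "open to the Internet" source prefixes are constructed assumptions.

```python
import json

WRITE_OP = "Microsoft.Network/networkSecurityGroups/securityRules/write"
# Source prefixes that mean "any address on the Internet" in an NSG rule (assumed set).
OPEN_SOURCES = {"*", "0.0.0.0/0", "::/0", "Internet"}

def rule_allows_internet_inbound(rule):
    """True when the NSG rule allows inbound traffic from an unrestricted source."""
    p = rule.get("properties", {})
    if p.get("direction") != "Inbound" or p.get("access") != "Allow":
        return False
    sources = set(p.get("sourceAddressPrefixes") or [])
    if p.get("sourceAddressPrefix"):
        sources.add(p["sourceAddressPrefix"])
    return bool(sources & OPEN_SOURCES)

def classify_event(event):
    """Return 'ignore', 'review' (new rule, no body in the event) or 'alert' (open rule)."""
    if event.get("operationName", {}).get("value") != WRITE_OP:
        return "ignore"
    body = event.get("properties", {}).get("responseBody")
    if not body:  # first-time creation: no port or source details in the event
        return "review"  # fetch the rule from the NSG and review it out of band
    rule = json.loads(body) if isinstance(body, str) else body
    return "alert" if rule_allows_internet_inbound(rule) else "ignore"

# Constructed sample events; <...> values are placeholders, not real identifiers.
RULE_ID = ("/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/"
           "Microsoft.Network/networkSecurityGroups/<nsg-name>/securityRules/AllowAnySSHInbound")

def _rule(source):
    return {"name": "AllowAnySSHInbound", "id": RULE_ID, "properties": {
        "protocol": "TCP", "destinationPortRange": "22", "sourceAddressPrefix": source,
        "destinationAddressPrefix": "*", "access": "Allow", "priority": 100, "direction": "Inbound"}}

def _event(op=WRITE_OP, rule=None):
    props = {"eventCategory": "Administrative", "message": op}
    if rule is not None:
        props["responseBody"] = json.dumps(rule)  # the Activity Log stores the body as a string
    return {"operationName": {"value": op}, "resourceId": RULE_ID, "properties": props}

SAMPLE_EVENTS = [
    _event(),                          # rule created for the first time: no responseBody
    _event(rule=_rule("*")),           # rule updated to allow SSH from anywhere
    _event(rule=_rule("10.0.0.0/8")),  # rule updated, source still private
    _event(op="Microsoft.Network/networkSecurityGroups/securityRules/delete"),  # not a write
]

def triage(events=SAMPLE_EVENTS):
    return [classify_event(e) for e in events]  # expected: review, alert, ignore, ignore
```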

How Datadog can help

Cloud SIEM

Datadog Cloud SIEM detects this attack using the following out-of-the-box rules:

References

AZT506 - Network Security Group Modification (microsoft.github.io)
Network Security Groups (Azure documentation)
