Azure resources with a public IP address are exposed to several kinds of attacks, port scanning and credential brute forcing among them. Here is a scenario of an attack that targeted some of my Azure Virtual Machines, the mistakes that made it possible, and how Azure Bastion can prevent such an occurrence.
I created two virtual machines as part of my lab study for the AZ-104 exam using some deployment templates given in the lab guide. The first mistake made here was failing to edit the deployment template, leaving me using the same password given in the lab to deploy my resources; secondly, I used public IP addresses for the VMs.
A few hours after setting up the lab environment, I began receiving a series of alerts in my email.

This prompted me to quickly triage the incident using my Sentinel instance as my tenant SIEM, with Microsoft Defender for Endpoint and Microsoft Defender for Cloud as my XDR solutions.



The alerts indicated that a bad actor had gained access to my VMs via RDP, escalated their role and performed brute-force attacks using my resources (which is a gross violation of Microsoft's safety usage policy).

This being a huge violation, the Microsoft Deployment Acceptable Use Policy Violation team reached out within minutes of the incident, demanding that the policy violation be resolved or I would lose my Azure subscription.


I was lucky enough to detect the breach in time with the help of alerts from my configured SIEM and XDR solutions (Microsoft Sentinel, Microsoft Defender for Cloud and Microsoft Defender for Endpoint) and took remediation steps to prevent further damage.
How could this be prevented?
The first mistake I made was to use a weak, common password, which was easily cracked. A password printed in a lab guide is effectively public, so avoid commonly used or shared passwords and set strong, unique passwords to protect your identity, or in this case your resources.
Whether in a test environment or a production environment, when creating your virtual machines it is good practice to connect via Azure Bastion, because virtual machine access through Bastion does not require a public IP address on the VM. With Azure Bastion, the VM is reached through the Azure portal in a browser session, so there is no internet-facing RDP or SSH endpoint for an anonymous attacker to scan or brute force. This provides additional security, since access to the virtual machine through the Azure portal can also be restricted with Just-In-Time access, Conditional Access policies and Multi-Factor Authentication. The figure below shows the architecture for Azure Bastion. Source: Microsoft Learn
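The following Bicep deployment template applies both corrections from this post: the admin password is a secure parameter rather than a literal copied from a lab guide, and the VM gets no public IP because the only internet-facing address belongs to the Bastion host. This is an added example, not the lab's template or Microsoft's reference architecture; the resource names, VM size and address ranges are assumptions.

```bicep
// Added example, not the lab's or Microsoft's template; names and address ranges are assumptions
@secure()
param adminPassword string   // supplied at deploy time, never a literal in the template
param location string = resourceGroup().location
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'lab-vnet'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    // Bastion requires a subnet named exactly AzureBastionSubnet, at least a /26
    subnets: [ { name: 'vm-subnet', properties: { addressPrefix: '10.0.1.0/24' } }, { name: 'AzureBastionSubnet', properties: { addressPrefix: '10.0.255.0/26' } } ]
  }
}

// The only public IP in the deployment belongs to the Bastion host, never to the VM
resource bastionPip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'lab-bastion-pip'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}
resource bastion 'Microsoft.Network/bastionHosts@2023-05-01' = {
  name: 'lab-bastion'
  location: location
  sku: { name: 'Basic' }
  properties: {
    ipConfigurations: [ { name: 'ipcfg', properties: { subnet: { id: vnet.properties.subnets[1].id }, publicIPAddress: { id: bastionPip.id } } } ]
  }
}

// The VM NIC has no publicIPAddress, so RDP (TCP 3389) is never reachable from the internet
resource nic 'Microsoft.Network/networkInterfaces@2023-05-01' = {
  name: 'lab-vm-nic'
  location: location
  properties: {
    ipConfigurations: [ { name: 'ipconfig1', properties: { subnet: { id: vnet.properties.subnets[0].id }, privateIPAllocationMethod: 'Dynamic' } } ]
  }
}
resource vm 'Microsoft.Compute/virtualMachines@2023-09-01' = {
  name: 'lab-vm'
  location: location
  properties: {
    hardwareProfile: { vmSize: 'Standard_B2s' }
    osProfile: { computerName: 'labvm', adminUsername: 'labadmin', adminPassword: adminPassword }
    storageProfile: { imageReference: { publisher: 'MicrosoftWindowsServer', offer: 'WindowsServer', sku: '2022-datacenter-azure-edition', version: 'latest' }, osDisk: { createOption: 'FromImage' } }
    networkProfile: { networkInterfaces: [ { id: nic.id } ] }
  }
}
```

Deploying with `az deployment group create --template-file main.bicep` prompts for `adminPassword`, so the secret never lands in the template or in source control; the VM is then opened from the portal's Bastion connect blade rather than from an RDP client.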

Lastly, the SIEM + XDR combination (Microsoft Sentinel and Microsoft Defender) played a big role in quickly alerting me to the incident, so it is good practice to have a SIEM + XDR solution in place to increase the security of your workloads.

