<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Azure Kubernetes - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/azure-kubernetes/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/azure-kubernetes/feed.xml" rel="self" type="application/rss+xml"/><item><title>Unusual Source IP for Azure Arc Cluster Credential Access</title><link>https://feed.craftedsignal.io/briefs/2024-01-azure-arc-credential-access/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-azure-arc-credential-access/</guid><description>Detects when a service principal or user performs an Azure Arc cluster credential listing operation from a source IP not previously associated with that identity, potentially indicating compromised credentials.</description><content:encoded><![CDATA[<p>This detection identifies anomalous access patterns to Azure Arc-connected Kubernetes clusters. Specifically, it monitors the <code>listClusterUserCredential</code> operation, which provides credentials for the Arc Cluster Connect proxy, enabling <code>kubectl</code> access through the Azure ARM API. An attacker leveraging stolen credentials, such as those belonging to a service principal, may attempt to list cluster credentials from an unfamiliar IP address. The detection leverages a 7-day history to establish baseline IP-to-identity mappings, reducing false positives from legitimate sources like CI/CD pipelines with rotating IPs. This activity is particularly relevant because successful credential access can lead to unauthorized cluster access and potential data exfiltration or resource compromise. The IBM X-Force has identified potential abuse of Azure Arc for hybrid escalation and persistence. The detection logic originates from Elastic's detection rules.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker compromises a service principal or user account with privileges to manage Azure Arc-connected Kubernetes clusters.</li>
<li>Attacker authenticates to Azure using the compromised credentials.</li>
<li>Attacker invokes the <code>MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/LISTCLUSTERUSERCREDENTIAL/ACTION</code> operation via the Azure API from a new or unusual source IP address.</li>
<li>The operation returns credentials for the Arc Cluster Connect proxy.</li>
<li>Attacker uses the retrieved credentials to establish a proxy tunnel via <code>az connectedk8s proxy</code>.</li>
<li>Attacker routes <code>kubectl</code> commands through the Azure ARM API, accessing the Kubernetes cluster without direct network connectivity.</li>
<li>Attacker performs reconnaissance within the Kubernetes cluster, identifying valuable resources like secrets and configmaps.</li>
<li>Attacker exfiltrates sensitive data or compromises the cluster's integrity.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack can lead to unauthorized access to Kubernetes clusters connected to Azure Arc. Compromised credentials can enable attackers to perform arbitrary actions within the cluster, potentially leading to data theft, service disruption, or the deployment of malicious workloads. The severity depends on the privileges associated with the compromised identity and the sensitivity of the data stored within the cluster. Lateral movement from compromised cloud resources to on-premise Kubernetes clusters is possible.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Azure Arc Cluster Credential Access from Unusual Source&quot; to your SIEM and tune the history window for your environment.</li>
<li>Investigate any alerts generated by the Sigma rule by examining the caller identity (<code>azure.activitylogs.identity.claims.appid</code>), source IP (<code>source.ip</code>), and associated Azure Sign-In Logs.</li>
<li>If a compromise is suspected, revoke the service principal credentials and remove Arc RBAC role assignments as detailed in the investigation guide.</li>
<li>Monitor Azure Activity Logs for <code>MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/LISTCLUSTERUSERCREDENTIAL/ACTION</code> events, filtering for unexpected source IPs.</li>
<li>Review Kubernetes audit logs for suspicious activity following the <code>listClusterUserCredential</code> operation.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>azure</category><category>azure-arc</category><category>credential-access</category></item></channel></rss>