The Attack Lifecycle
Reconnaissance I
AzureHound, ROADRecon and custom cloud enumeration tools were used to assess objects, ACLs, and SSO-supporting applications within the environment.
Reconnaissance II
SSO-supporting applications were manually reviewed to discover sensitive data leaks, authentication information, or insecure RBAC configurations.
Exploitation I
Confluence and Jira configurations were discovered to be insecure, and the team was able to leverage authentication information disclosed in setup scripts to obtain live build node configurations with API keys to third-party services.
Exploitation II
Sensitive authentication information was discovered in an accidental leak and used to access Azure CLI on behalf of a monitoring solution, enabling command execution on production servers.
Conclusion
The cloud penetration test helped the client identify and remediate multiple issues with access control and sensitive information protections, harden their cloud and SaaS infrastructure and calculate potential risks.
In addition, the testing process disrupted neither the company’s regular activities nor the normal function of the production environment.