Be aware of Just-In-Time Azure VM

A friend asked me why his virtual machine was still being hit by brute-force attacks even though it had a Network Security Group (NSG) restricting the management ports 22 and 3389 to his own IP address.

In this article, let's see why this can happen even when you have restricted access to your own IP address.

The first time you see an attack like this, you should restrict incoming traffic by checking the NSG and adding a rule that blocks widespread access to your virtual machine. A virtual machine deployed with a public IP address can be scanned, and once it has been seen, bad actors may come back and scan it.

A quick check of the NSG rules showed a rule allowing port 22 only from a whitelisted IP address, so no Any-Any pattern was present. I went to the Azure Activity log to see whether something had changed and found "Initiate JIT Network Access Policy" activities. This is the operation logged when you request access with the Just-In-Time feature. The log below shows that the source IP was set to All (*), which means traffic from every IP address was permitted.

{
    "id": "/subscriptions/123ce409-44dd-22e8-8bf1-4e2c31e27697/resourceGroups/workload-rg/providers/Microsoft.Compute/virtualMachines/wl001-vm",
    "ports": [
        {
            "number": 22,
            "allowedSourceAddressPrefix": "*",
            "endTimeUtc": "2019-12-02T23:01:57.3545473Z"
        }
    ]
}

When JIT access is requested for a virtual machine, Azure creates a new NSG rule with the source IP set to (*), which means every IP range can reach the port. Even if the virtual machine already has an NSG that restricts the management port to whitelisted sources only, the JIT rule is still effective.

There is another JIT feature in Azure Security Center which gives better control, because it lets you specify an IP range or just your own IP. Below is a similar log entry, but from JIT in Azure Security Center.

{
    "id": "/subscriptions/123ce409-44dd-22e8-8bf1-4e2c31e27697/resourceGroups/workload-rg/providers/Microsoft.Compute/virtualMachines/wl001-dev-vm",
    "ports": [
        {
            "number": 3389,
            "allowedSourceAddressPrefix": "79.97.99.97",
            "endTimeUtc": "2019-12-05T07:32:42.426408Z"
        }
    ]
}
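As an added example (not code from the original post), here is a small Python checker that reads JIT request bodies of the shape shown in both logs above and flags management ports that were opened to an over-broad source, so the "*" case stands out from the whitelisted-IP case. The sample requests, the zeroed subscription id and the "wider than a /24" threshold are constructed assumptions.

```python
import ipaddress
from datetime import datetime, timezone

MANAGEMENT_PORTS = {22, 3389}
MAX_SOURCE_HOSTS = 256   # assumption: anything wider than a /24 is too broad for JIT

# Constructed sample in the shape of the "Initiate JIT Network Access Policy"
# request body seen in the Activity log (subscription id and VM names are made up).
SAMPLE_REQUESTS = [
    {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
           "workload-rg/providers/Microsoft.Compute/virtualMachines/wl001-vm",
     "ports": [{"number": 22, "allowedSourceAddressPrefix": "*",
                "endTimeUtc": "2019-12-02T23:01:57.3545473Z"}]},
    {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
           "workload-rg/providers/Microsoft.Compute/virtualMachines/wl001-dev-vm",
     "ports": [{"number": 3389, "allowedSourceAddressPrefix": "79.97.99.97",
                "endTimeUtc": "2019-12-05T07:32:42.426408Z"}]},
]

def is_too_broad(prefix):
    """True when a JIT source prefix effectively admits the whole Internet."""
    if prefix.strip() in ("*", "Any", "Internet"):
        return True
    try:
        network = ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return True          # unknown token: flag it so a human reviews it
    return network.num_addresses > MAX_SOURCE_HOSTS

def parse_end_time(stamp):
    """Parse Azure's UTC stamp; strptime takes 6 fractional digits, Azure emits 7."""
    base, _, frac = stamp.rstrip("Z").partition(".")
    micro = int((frac + "000000")[:6]) if frac else 0
    parsed = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return parsed.replace(microsecond=micro, tzinfo=timezone.utc)

def find_exposed_jit_requests(requests, now=None):
    """One finding per management port opened to a broad source; 'active' = still open at 'now'."""
    findings = []
    for request in requests:
        vm_name = request["id"].rsplit("/", 1)[-1]
        for port in request.get("ports", []):
            prefix = port.get("allowedSourceAddressPrefix", "*")
            if port["number"] in MANAGEMENT_PORTS and is_too_broad(prefix):
                end = parse_end_time(port["endTimeUtc"])
                findings.append({"vm": vm_name, "port": port["number"],
                                 "prefix": prefix, "end": end,
                                 "active": now is not None and now < end})
    return findings
```

Feed it the JSON bodies exported from the Activity log and pass the current UTC time as `now` to see which over-broad JIT windows are still open.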

For details on the Just-In-Time feature in Azure, this is a must-read article: https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time

This entry was posted in Security Automation.
