Suspicious group creation on Microsoft Azure by Terraform application

Damini Mistry 0 Reputation points
2023-01-20T19:56:13.5466667+00:00

Hi,

I was using an Azure free subscription for a POC of Terraform deployments on the Azure portal. I was inactive for 1 day and hadn't added any resources using the portal or Terraform.

I can see more than 30 suspicious resource groups created on my portal, which ended up spending all my free credit limit.

I haven't enabled Log Analytics for any of my services and made sure to delete all the resources after the POC. In the Activity log I can see "Event initiated by Terraform", which is the application I registered.

I am unable to understand how this happened.

Please help me understand this issue. Looking forward to your response. Thank you in advance.

Regards,

Damini Mistry


1 answer

  1. Santhi Swaroop Naik Bukke 595 Reputation points
    2023-01-20T19:58:01.9233333+00:00

    It sounds like your Azure account may have been compromised. It's important to take immediate action to secure your account and prevent further unauthorized resource creation.

    First, you should change your Azure account password as soon as possible. This will prevent the attacker from continuing to access your account.

    Next, you should review the suspicious resource groups and determine if they are legitimate or not. If they are not legitimate, you should delete them immediately to prevent further charges.

    You should also enable Azure's Multi-Factor Authentication (MFA) for your account, which provides an additional layer of security by requiring a second form of authentication (such as a phone call, text message, or mobile app notification) when signing in to your account.

    It's also recommended to use Azure Policy to enforce rules on resources that can be created within your subscription; this will help you prevent similar issues.

    Finally, you should also monitor your Azure account for any unusual activity in the future, and take action immediately if you notice any suspicious behavior.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

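An added example, not part of the question or the answer above: one way to carry out the review and monitoring steps is to triage an Activity Log export for resource-group creations made by the registered Terraform application, grouped by source IP. It assumes an export in the JSON shape produced by `az monitor activity-log list`; the application ID, IP addresses and records below are constructed.

```python
from collections import defaultdict

RG_WRITE = "Microsoft.Resources/subscriptions/resourceGroups/write"
APP_ID = "00000000-0000-0000-0000-000000000001"  # constructed placeholder app (client) ID


def _ev(op, status, appid, ip, rg, ts):
    """Build one constructed record with only the Activity Log fields used below."""
    return {"operationName": {"value": op}, "status": {"value": status},
            "claims": {"appid": appid}, "httpRequest": {"clientIpAddress": ip},
            "resourceGroupName": rg, "eventTimestamp": ts}


# Constructed sample data (documentation IP ranges), not taken from the page.
SAMPLE_EVENTS = [
    _ev(RG_WRITE, "Succeeded", APP_ID, "198.51.100.7", "poc-rg", "2023-01-18T10:00:00Z"),
    _ev(RG_WRITE, "Succeeded", APP_ID, "203.0.113.50", "rg-a", "2023-01-19T03:12:00Z"),
    _ev(RG_WRITE, "Succeeded", APP_ID, "203.0.113.50", "rg-b", "2023-01-19T03:13:00Z"),
    _ev(RG_WRITE, "Failed", APP_ID, "203.0.113.50", "rg-c", "2023-01-19T03:14:00Z"),
    _ev("Microsoft.Resources/subscriptions/resourceGroups/delete", "Succeeded",
        APP_ID, "198.51.100.7", "poc-rg", "2023-01-18T12:00:00Z"),
    _ev(RG_WRITE, "Succeeded", "00000000-0000-0000-0000-000000000002",
        "198.51.100.7", "other-rg", "2023-01-18T11:00:00Z"),
]


def summarize_rg_creations(events, app_id, known_ips=()):
    """Group successful resource-group writes by one app registration per source IP."""
    by_ip = defaultdict(list)
    for ev in events:
        op = (ev.get("operationName") or {}).get("value", "")
        if op.lower() != RG_WRITE.lower():
            continue  # not a resource-group create/update
        if (ev.get("status") or {}).get("value") != "Succeeded":
            continue  # skip Started/Failed duplicates of the same operation
        if (ev.get("claims") or {}).get("appid") != app_id:
            continue  # initiated by some other identity
        ip = (ev.get("httpRequest") or {}).get("clientIpAddress") or "unknown"
        by_ip[ip].append(ev)
    report = []
    for ip, evs in by_ip.items():
        stamps = sorted(e["eventTimestamp"] for e in evs)  # same-format UTC strings sort by time
        report.append({"ip": ip, "expected_source": ip in known_ips,
                       "resource_groups": sorted({e["resourceGroupName"] for e in evs}),
                       "first_seen": stamps[0], "last_seen": stamps[-1]})
    # Unexpected sources first, then oldest activity first.
    return sorted(report, key=lambda r: (r["expected_source"], r["first_seen"]))


if __name__ == "__main__":
    for row in summarize_rg_creations(SAMPLE_EVENTS, APP_ID, known_ips={"198.51.100.7"}):
        print(row)
```

Rows with `expected_source` set to `False` are resource groups the application created from an address you did not deploy from, which is the set to review before deleting anything.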
