Internet exposed Azure VM with high severity vulnerabilities allows lateral movement to Critical Azure storage account with sensitive data

Question

Internet exposed Azure VM with high severity vulnerabilities allows lateral movement to Critical Azure storage account with sensitive data

Bimala Shrestha 135

Internet exposed Azure VM with high severity vulnerabilities allows lateral movement to Critical Azure storage account with sensitive data.

How to resolve the issue

Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator

2025-04-07T15:22:03.9233333+00:00

Hello Bimala Shrestha,

As per the description, we understand that your Azure VM infected with severe vulnerabilities has also infected Azure Storage Account.

Also please confirm the specific details of the vulnerability which was infected and also let us know if it was remediated or not?

Let us know if you see the alert even after remediation.
Bimala Shrestha 135 Reputation points

2025-04-08T04:48:42.2466667+00:00

@Venkata Jagadeep Yes, it is affected by storage. So how can we resolve it in high priority?
Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator

2025-04-08T09:35:50.1233333+00:00

Hello Bimala Shrestha,

Please let us know if you see any recommendations actionable or just showing status that is showing in the portal to help us to diagnose the issue.

Accepted answer

1 additional answer

Your answer

Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator

2025-04-07T15:22:03.9233333+00:00

Hello Bimala Shrestha,

As per the description, we understand that your Azure VM infected with severe vulnerabilities has also infected Azure Storage Account.

Also please confirm the specific details of the vulnerability which was infected and also let us know if it was remediated or not?

Let us know if you see the alert even after remediation.
Bimala Shrestha 135 Reputation points

2025-04-08T04:48:42.2466667+00:00

@Venkata Jagadeep Yes, it is affected by storage. So how can we resolve it in high priority?
Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator

2025-04-08T09:35:50.1233333+00:00

Hello Bimala Shrestha,

Please let us know if you see any recommendations actionable or just showing status that is showing in the portal to help us to diagnose the issue.

Answer 1

Hi Bimala Shrestha,

Below is a list of steps

Isolate the VM - https://learn.microsoft.com/en-us/defender-endpoint/respond-machine-alerts

If you are using MDE consider Immediately isolating the compromised VM from the network to prevent further lateral movement.

Patch Vulnerabilities

Ensure that all high severity vulnerabilities on the VM are patched. This can be done by:

Enable Network Security Groups (NSGs) - https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

Configure NSGs to restrict inbound and outbound traffic to the VM. Only allow necessary traffic and block all other traffic.

Implement Just-In-Time (JIT) VM Access - https://learn.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks

Use Azure Security Center to enable JIT VM access, which reduces exposure to attacks by allowing you to control the time window during which the VM can be accessed.

Use Azure Defender

Enable Azure Defender for your VMs and storage accounts to provide advanced threat protection and security alerts.

Review and Harden Storage Account Access

Ensure that the storage account is not publicly accessible.
Use Azure RBAC to grant the least privilege necessary.
Enable Azure Storage firewalls and virtual networks to restrict access to the storage account.

Monitor and Audit

Use Azure Monitor and Azure Sentinel to continuously monitor for suspicious activities.
Regularly review audit logs to detect any unauthorized access attempts.

Implement Multi-Factor Authentication (MFA)

Ensure that MFA is enabled for all accounts that have access to the Azure environment.

Answer 2

@Bimala Shrestha Connected offline and discussed the above mentioned isuse.

Alert showing up in Defender for Cloud - Internet exposed Azure VM with high severity vulnerabilities allows lateral movement to Critical Azure storage account with sensitive data.

We reviewed the alert and found few recommendations, need to verify whether this alert is false positive or true positive alert.

On examining this alert, we found few recommendations as mentioned in the portal, As most of the remediations are related to networking, engaged networking engineer on the call to review these remediation tasks, on further analysis we found these alerts could be coming from Azure policy, while reviewing the policy setting you confirmed there are few azure policies created recently, for now you decided to disable the policy setting.

Also, networking engineer suggested to review - https://learn.microsoft.com/en-gb/azure/defender-for-cloud/just-in-time-access-overview?wt.mc_id=defenderforcloud_inproduct_portal_recoremediation&tabs=defender-for-container-arch-aks

Reviewed the NSG settings and suggested to NSGs to restrict inbound and outbound traffic to the VM. Only allow necessary traffic and block all other traffic.

Also, recommended to review this article - Reference table for all networking security recommendations - Microsoft Defender for Cloud | Microsoft Learn for recommendations.

Let me know if you have any further questions, feel free to post back.

Share via

Internet exposed Azure VM with high severity vulnerabilities allows lateral movement to Critical Azure storage account with sensitive data

1 additional answer

Your answer