Bio


Nitesh Surana is a Senior Threat Researcher with Trend Micro, where he specializes in cloud vulnerability & security research. He was among the top 100 MSRC Most Valuable Security Researchers in 2023 for his submissions to Microsoft via the Zero Day Initiative. He has presented at conferences such as Black Hat USA, HackInTheBox, HackInParis, Nullcon, c0c0n, Security BSides, NDC Oslo and OWASP/Null Bangalore meetups. Apart from playing with packets and syscalls, Nitesh is found attending concerts and writing/playing music.

Socials: Trend Micro, LinkedIn, Twitter, Mastodon, YouTube

Upcoming Talks

Black Hat Asia (18th-19th April, 2024, Singapore) - Breaking Managed Identity Barriers In Azure Services

Identity management and authentication mechanisms, together with authorization policies, play a crucial role in systems security, especially when it comes to complex interdependent systems such as cloud services. One such service in Azure is Managed Identities. Managed Identities provide a universal interface that helps users avoid storing credentials in code. Additionally, Managed Identities are used with various other Azure services. Hence, such services require special attention when it comes to service hardening while maintaining the same level of security. This also creates a need for stronger identity management to ensure secure access.

In this session, we present our findings from two Azure services, highlighting how we successfully bypassed the security mechanisms of Managed Identities. Attendees will gain insights into two novel approaches for maintaining persistence in Azure Functions and Azure Machine Learning service. Our investigation uncovered security gaps and design oversights within these services. These flaws allow attackers to impersonate assigned managed identities and allow for stealthy persistence in scenarios following a compromise. We managed to extract the Managed Identity Entra ID token from the Azure resources to which these identities were allocated, undermining the fundamental principle of managed identities. Furthermore, the generated logs couldn't be used to differentiate between malicious and legitimate requests, rendering the stealthy persistence in Azure Machine Learning service undetectable.

Portfolio

Vulnerability Research

  • ZDI-24-208 (9.8) Microsoft Azure MCR VSTS CLI vstscli Uncontrolled Search Path Element Remote Code Execution Vulnerability
  • ZDI-23-1588 (8.8) Microsoft Azure US Accelerators Synapse SAS Token Incorrect Permission Assignment Authentication Bypass Vulnerability
  • ZDI-23-1528 (10.0) Microsoft PC Manager SAS Token Incorrect Permission Assignment Authentication Bypass Vulnerability
  • ZDI-23-1527 (10.0) Microsoft PC Manager SAS Token Incorrect Permission Assignment Authentication Bypass Vulnerability
  • ZDI-23-1056 (4.4) (0Day) Microsoft Azure Machine Learning Compute Instance certificate Exposure of Resource to Wrong Sphere Information Disclosure Vulnerability
  • ZDI-23-1044 (9.9) (0Day) Microsoft GitHub Dev-Containers Improper Privilege Management Privilege Escalation Vulnerability
  • ZDI-23-880 (5.5) Microsoft Azure Machine Learning Service DSIMountAgent Missing Authentication Information Disclosure Vulnerability
  • ZDI-23-380 (6.5) Microsoft Azure Machine Learning Service DSIMountAgent Missing Authentication Information Disclosure Vulnerability
  • ZDI-23-161 (6.5) Microsoft Azure Machine Learning Service Cleartext Storage of Credentials Information Disclosure Vulnerability
  • ZDI-23-097 (6.8) Microsoft Azure Machine Learning Service JWT Cleartext Storage of Credentials Information Disclosure Vulnerability
  • ZDI-23-096 (6.5) Microsoft Azure Machine Learning Service Cleartext Storage of Credentials Information Disclosure Vulnerability
  • ZDI-23-095 (6.5) Microsoft Azure Machine Learning Service Cleartext Storage of Credentials Information Disclosure Vulnerability

Blogs on Attack Simulation, Honeypots, Threat Hunting

Other Mentions

Talks

Misc


This page is heavily inspired by James Kettle