Of course not, you don’t have any rules on your Azure NSG’s which allow access to your services or data without control. Or do you?

There has been so much in the news around TravelEx of late, its hard to avoid it. Even thought the details are still not known, speculation surrounds the exploitation method. The most common so far are

1. Vulnerability in the VPN Gateway
2. RDP Service left fully open to the Internet
3. Phishing campaign which initiated the compromise

Sticking with RDP being open to the Internet, its pretty easy in Azure to secure services – NSG’s or WAF’s or even an ASG and you are sorted.

These rules are now spanning over many different resources, possibly in separate resource groups, locations or subscriptions. How are these tracked and audited? Who is making sure a mistake has not taken place and an unexpected hole has been left.

Perhaps the follow code may help.

$azSubs = Get-AzSubcription

foreach ( $azSub in $azSubs ) {
  Set-AzContext -subscription $azSub
  $azNSGs = Get-AzNetworkSecurityGroup

  foreach ( $azNSG in $azNSGs ) {
    Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $azNSG | Select-Object @{N="Subscription";E={$azSub.Name}}, @{N="Resource Group";E={$azNSG.ResourceGroupName}}, @{N="NSG Name";E={$azNSG.Name}}, @{N="Rule Name";E={$_.Name}}, @{N="Source Port";E={$_.SourcePortRange -join ';'}}, @{N="Destination Port";E={$_.DestinationPortRange -join ';'}}, Access, Priority, Protocol, Direction, @{N="Source Address";E={$_.SourceAddressPrefix -join ';'}}, @{N="Destination Address";E={$_.DestinationAddressPrefix -join ';'}} | Export-CSV -append -notypeinformation -path "c:\temp\nsg-rules.csv"
  }
}

Make sure that the file “c:\temp\nsg-rules.csv” does not exist before running this. Connect to your Azure Subscription using “Connect-AzConnect” and clearly have the new AZ Powershell module installed, and this should list every single NSG rule that exists in all subscriptions you have access to.

Happy hunting.

---

• https://www.telegraph.co.uk/technology/2020/01/03/banks-knocked-travelex-software-virus-online-currency-services/
• https://www.infosecurity-magazine.com/news/travelex-site-down-new-years-eve/
• https://news.sky.com/story/police-investigating-ransomware-attack-on-currency-exchange-travelex-11903064
• https://www.wsj.com/articles/travelex-ransomware-outage-hits-foreign-currency-transactions-at-retail-banks-11578593249
• https://www.bbc.com/news/business-51097470
• https://www.techradar.com/uk/news/travelex-services-are-still-down-after-cyberattack
• https://www.cyberscoop.com/travelex-restoring-some-online-services/