Hello, @IT Support!
What should I do if my VM security has been compromised or hacked?
There are many ways to safeguard your Azure account as well as your VMs and other Azure resources however if a VM has been compromised, you'll need to review both your Azure account and your VM security.
Most of this boils down to making it harder for bad actors to access privileged accounts (2FA, Azure authentication, strong usernames and passwords) and limiting the number of options to access accounts and resources (remove public access, add conditional access checks, limit time/window of availability). In addition, you'll need to go through logs to understand what has been done by the attacker.
This is a good time to review security service offerings like Microsoft Defender for Cloud to help improve your security.
Azure account security
First, you'll need to review your Azure account security and ensure that it has not been compromised:
- Enable MFA if it is not already enabled. This is the single most effective step in preventing compromised accounts.
- Review all users/service principals in your subscription. Remove as many unnecessary users/service principals as possible and update the credentials for those that remain using strong passwords and multi-factor authentication. Depending on the attack, you may need to reset your password. Reviewing sign-in logs may help identify suspicious activity and you should also check Risky users in the portal. Read Recovering from systemic identity compromise for complete instructions.
- Confirm all of your contact information is still correct and up to date. This will be critical not only for alerts but also for account recovery if needed.
- Completely disable and delete compromised resources if possible (if not, skip this step). If malware was left on your resources that you use credentials on such as a VM, you may be setting yourself up for compromising your accounts again. Reviewing activity logs and billing activity may help in identifying suspicious resources.
- Conditional access policies are evaluated and enforced every time an attacker attempts to sign in. Organizations can protect themselves from attacks that leverage stolen credentials by enabling policies such as compliant devices or trusted IP address requirements. In some cases, the attacker's sign-ins were assessed as high risk. Conditional access can be used to block or require MFA for sign-ins that Azure AD Identity Protection detects are risky in real time.
- If your Microsoft account was compromised, here are instructions for recovering a hacked or compromised Microsoft account, dealing with locked accounts, and resetting your account password. If you still need help, you can complete the Microsoft account recovery form, which will get a response within 24 hours. If all else fails, you can try reaching out over phone support or creating a ticket through a different account.
- Creating an emergency access account is important to prevent you from being accidentally locked out.
- Continuous access evaluation (CAE) revokes access in real time when changes in user conditions trigger risks, such as when a user is terminated or moves to an untrusted location.
Virtual machine security
After you've confirmed that your Azure account is secure, you'll need to review your virtual machine security:
- Control access to the VM: A best practice is to ensure that your VM is not publicly accessible and enable access to management ports only when needed.
- Use Azure Bastion: Bastion provides secure RDP and SSH connectivity to all of the VMs in the virtual network for which it's provisioned. Using Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the outside world, while still providing secure access using RDP/SSH.
- Use Azure Entra ID to sign into your VM: Organizations can improve the security of Windows virtual machines (VMs) in Azure by integrating with Microsoft Entra authentication. You can now use Microsoft Entra ID as a core authentication platform to Remote Desktop Protocol (RDP) into Windows Server 2019 Datacenter edition and later, or Windows 10 1809 and later.
- Protect against malware: Microsoft Antimalware for Azure is a free real-time protection that helps identify and remove viruses, spyware, and other malicious software. It generates alerts when known malicious or unwanted software tries to install itself or run on your Azure systems.
- Keep your VM updated: Vulnerabilities of the operating system are particularly worrisome when they are also combined with a port and service that is more likely to be published.
- Utilize the Azure Security Center: Use Azure Security Center Standard tier to ensure you are actively monitoring for threats. Security Center uses machine learning to analyze signals across Microsoft systems and services to alert you to threats to your environment. One such example is remote desktop protocol (RDP) brute-force attacks.
Additional account security resources:
- Microsoft Azure account hacked
- I cannot remove a subscription from my own account that was recently hacked
- Account is hacked and permission to subscription has been blocked
- Recovering from systemic identity compromise
- Essential steps to confirm, contain, and secure a compromise
- Get help with your Microsoft account
- Hunt for compromised Azure subscriptions using Microsoft Defender for Cloud Apps
- How it works: Microsoft Entra multifactor authentication
Additional VM security resources:
- Best practices for defending Azure Virtual Machines
- Secure score in Defender for Cloud
- Azure Virtual Machine Security
- Azure Virtual Machines security overview
- Azure security baseline for Virtual Machines - Windows Virtual Machines
- Security best practices for IaaS workloads in Azure
I hope this has been helpful! Your feedback is important so please take a moment to accept answers.
If you still have questions, please let us know what is needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!
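The answer above says to make sure the VM is not publicly accessible and to open management ports only when needed. A quick way to check that after a compromise is to export the VM's network security group rules and audit them for inbound Allow rules that expose a management port to any public source, honouring rule priority so that a higher-priority Deny is not reported as exposure. The script below is an added example, not code from the original answer or from Microsoft; it assumes rules in the JSON shape that `az network nsg rule list -o json` emits (camelCase field names such as `sourceAddressPrefix` and `destinationPortRanges`), the sample rules are constructed, and the inclusion of the WinRM ports 5985/5986 alongside RDP and SSH is this example's own assumption about what counts as a management port.

```python
"""Audit exported NSG rules for management ports reachable from the Internet.

Added example (not the answer's or Microsoft's code). Reads rules in the shape
`az network nsg rule list -o json` returns; only the fields used are required.
"""
import json

# Management ports treated as sensitive. RDP and SSH come from the answer above;
# WinRM (5985/5986) is an assumption added by this example.
MGMT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM-HTTP", 5986: "WinRM-HTTPS"}

# Source prefixes that mean "anyone on the Internet" for an inbound NSG rule.
PUBLIC_SOURCES = {"*", "internet", "0.0.0.0/0", "any"}

# Constructed sample (not real data). Note the Deny at priority 4096 does not
# protect anything because the Allow rules have lower (stronger) priorities.
SAMPLE_RULES = json.dumps([
    {"name": "AllowRDPFromAnywhere", "direction": "Inbound", "access": "Allow",
     "priority": 100, "protocol": "Tcp", "sourceAddressPrefix": "*",
     "destinationPortRange": "3389"},
    {"name": "AllowMgmtRange", "direction": "Inbound", "access": "Allow",
     "priority": 110, "protocol": "*", "sourceAddressPrefix": "Internet",
     "destinationPortRanges": ["22-25", "5985-5986"]},
    {"name": "AllowSSHFromOffice", "direction": "Inbound", "access": "Allow",
     "priority": 120, "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24",
     "destinationPortRange": "22"},
    {"name": "DenyAllInbound", "direction": "Inbound", "access": "Deny",
     "priority": 4096, "protocol": "*", "sourceAddressPrefix": "*",
     "destinationPortRange": "*"},
])


def port_ranges(rule):
    """Yield (low, high) tuples for every destination port range in a rule."""
    ranges = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        ranges.append(rule["destinationPortRange"])
    for r in ranges:
        if r == "*":
            yield 0, 65535
        elif "-" in r:
            lo, hi = r.split("-", 1)
            yield int(lo), int(hi)
        else:
            yield int(r), int(r)


def is_public_source(rule):
    """True if any source prefix on the rule matches traffic from anywhere."""
    prefixes = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        prefixes.append(rule["sourceAddressPrefix"])
    return any(p.strip().lower() in PUBLIC_SOURCES for p in prefixes)


def exposed_mgmt_ports(rules_json):
    """Return sorted [(rule name, port, service)] for management ports that an
    inbound Allow rule opens to a public source.

    Rules are walked in priority order (lower number wins, as Azure evaluates
    them), so a public-source Deny that precedes an Allow suppresses the finding.
    Protocol is ignored on purpose: a UDP-only rule on 3389 is still reported,
    which errs on the side of noise rather than silence during an incident.
    """
    findings = []
    denied = set()  # management ports already denied to public sources
    for rule in sorted(json.loads(rules_json), key=lambda r: r["priority"]):
        if rule.get("direction") != "Inbound" or not is_public_source(rule):
            continue
        hit = {p for lo, hi in port_ranges(rule) for p in MGMT_PORTS if lo <= p <= hi}
        if rule.get("access") == "Deny":
            denied |= hit
        elif rule.get("access") == "Allow":
            findings += [(rule["name"], p, MGMT_PORTS[p]) for p in hit - denied]
    return sorted(findings)


if __name__ == "__main__":
    # Stand-alone run on the constructed sample; in practice feed the output of
    # `az network nsg rule list -g <rg> --nsg-name <nsg> -o json` instead.
    for name, port, svc in exposed_mgmt_ports(SAMPLE_RULES):
        print(f"EXPOSED  {svc:<12} port {port:<5} via rule '{name}'")
```

The audit reports the two Allow rules that reach management ports from `*` or `Internet` and ignores the office-only SSH rule; it does not know about the NSG's built-in default rules or about a second NSG on the subnet, so run it against every NSG that applies to the VM's NIC and subnet.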