Introduction A huge thanks to the Invictus-IR team for proofreading this blog post 🙏 Recently, I posted a tweet regarding an unpatched TeamCity server that an attacker exploited to deploy a CoinMiner. In response to my tweet, the X (former Twitter) user, the cybersecurity doge, shared another story they investigated: An attacker obtained access to an administrator Azure environment user. Once logged on the tenant he created a resource group, and built 3 different batch accounts insides.
