Azure network security group modified to allow public access

ID: azure_nsg_public
Data type: Azure Activity
Severity: Medium
MITRE ATT&CK: TA0005:T1562

Description

AlphaSOC detected a modification to an Azure Network Security Group (NSG) security rule that allows inbound traffic from public sources. This is identified through the Microsoft.Network/networkSecurityGroups/securityRules/write action where the rule permits inbound access from public address ranges including * (any source), Internet (Azure service tag), 0.0.0.0/0 (all IPv4 addresses), or ::/0 (all IPv6 addresses). NSG security rules serve as virtual firewalls that control network traffic to and from Azure resources based on source and destination IP addresses, ports, and protocols. Organizations use these rules to enforce network segmentation and restrict access to only authorized networks or IP ranges.

However, threat actors who have gained initial access to an Azure environment may modify NSG rules to allow inbound traffic from the public Internet, enabling them to establish remote access channels, exfiltrate data, or allow external command-and-control communications. By opening security rules to public sources, attackers effectively bypass network perimeter controls and create pathways for unauthorized access to internal resources.
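As an added example (not AlphaSOC's own detection code), the following Python applies the matching logic described above to constructed Azure Activity log records. It assumes a simplified record layout in which the ARM request body is a JSON string under properties.requestbody, and it checks both the single sourceAddressPrefix field and the sourceAddressPrefixes list, so that a rule mixing private ranges with one public prefix is still flagged.

```python
import json

# Source prefixes the rule treats as "anywhere on the Internet"
PUBLIC_SOURCES = {"*", "Internet", "0.0.0.0/0", "::/0"}
NSG_RULE_WRITE = "Microsoft.Network/networkSecurityGroups/securityRules/write"

def rule_allows_public_inbound(props: dict) -> bool:
    """True if a securityRule 'properties' object allows inbound traffic from a public source."""
    if props.get("access", "").lower() != "allow" or props.get("direction", "").lower() != "inbound":
        return False
    # A rule carries either a single sourceAddressPrefix or a sourceAddressPrefixes list
    sources = set(props.get("sourceAddressPrefixes") or [])
    if props.get("sourceAddressPrefix"):
        sources.add(props["sourceAddressPrefix"])
    return bool(sources & PUBLIC_SOURCES)

def find_public_nsg_writes(records: list) -> list:
    """Return (caller, resourceId, destinationPortRange) for each NSG rule write that opens public inbound access."""
    hits = []
    for rec in records:
        if rec.get("operationName") != NSG_RULE_WRITE:
            continue
        # Assumed layout: the ARM request body is a JSON string under properties.requestbody
        body = rec.get("properties", {}).get("requestbody")
        try:
            rule_props = json.loads(body).get("properties", {}) if body else {}
        except (json.JSONDecodeError, AttributeError):
            continue
        if rule_allows_public_inbound(rule_props):
            hits.append((rec.get("caller"), rec.get("resourceId"), rule_props.get("destinationPortRange")))
    return hits

def _record(caller, rule_name, **rule_props):
    """Build a constructed Activity log record for an NSG rule write (sample data, not real logs)."""
    rid = ("/subscriptions/<SUBSCRIPTION-ID>/resourceGroups/rg-demo/providers/"
           "Microsoft.Network/networkSecurityGroups/nsg-demo/securityRules/" + rule_name)
    return {"operationName": NSG_RULE_WRITE, "caller": caller, "resourceId": rid,
            "properties": {"requestbody": json.dumps({"properties": rule_props})}}

SAMPLE_RECORDS = [  # constructed sample events: two should alert, two should not
    _record("ops@example.com", "allow-rdp", access="Allow", direction="Inbound",
            sourceAddressPrefix="*", destinationPortRange="3389"),
    _record("ops@example.com", "allow-corp", access="Allow", direction="Inbound",
            sourceAddressPrefix="10.0.0.0/8", destinationPortRange="22"),
    _record("ci@example.com", "allow-mixed", access="Allow", direction="Inbound",
            sourceAddressPrefixes=["192.168.0.0/16", "::/0"], destinationPortRange="443"),
    _record("ops@example.com", "egress-any", access="Allow", direction="Outbound",
            sourceAddressPrefix="0.0.0.0/0", destinationPortRange="*"),
]
```

Running find_public_nsg_writes(SAMPLE_RECORDS) returns the allow-rdp and allow-mixed writes only; the private-source rule and the outbound rule are ignored.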

Impact

Allowing public inbound access through NSG rules exposes Azure resources to unauthorized connections from any IP address on the Internet. Attackers can leverage these open rules to establish remote access to virtual machines, databases, or other Azure services that should be protected behind network controls. This exposure enables threat actors to bypass authentication mechanisms on poorly secured services, exploit unpatched vulnerabilities, establish persistence through reverse shells or remote desktop connections, and exfiltrate sensitive data to external systems. The weakened network perimeter also facilitates lateral movement within the Azure environment, as attackers can more easily access resources that were previously isolated by network segmentation. Organizations face increased risk of data breaches, unauthorized resource manipulation, and potential compliance violations when critical resources become accessible from the public Internet.

Severity

Severity   Condition
Medium     Azure network security group modified to allow public access

Investigation and Remediation

Review Azure Activity logs to identify the Microsoft.Network/networkSecurityGroups/securityRules/write event and examine the request body to determine the specific security rule configuration that was modified. Identify which NSG was affected and what Azure resources (virtual machines, subnets, network interfaces) are protected by this security group. Verify the principal (user, service principal, or managed identity) that performed the modification and check the source IP address and user agent to confirm whether the activity originated from authorized infrastructure or personnel. Examine the security rule properties to identify which ports, protocols, and destination resources are now exposed to public traffic.

If the modification was unauthorized, immediately revert the NSG rule to deny public access or restrict the source address prefixes to only authorized IP ranges or virtual networks. Review the time period when the rule allowed public access to identify any connection attempts from external IP addresses by examining NSG flow logs, Azure Monitor logs, and resource-specific access logs. Assess whether any successful connections were established and investigate those sessions for signs of unauthorized access or data exfiltration. Disable or rotate credentials for the compromised principal and review Azure RBAC assignments to remove excessive permissions on network resources. Implement Azure Policy to prevent NSG rules from allowing public inbound access to critical resources, and configure alerts for future modifications to NSG security rules.

Known False Positives

  • Authorized administrators configuring legitimate public-facing services such as web servers, load balancers, or API gateways
  • DevOps teams deploying applications that require Internet-accessible endpoints for customer access
  • Infrastructure as Code deployments that include NSG rules for public-facing resources

Further Reading