Help needed - Microsoft Azure Ubuntu VMs have changed ECDSA keys ... Man-in-middle attack or what?

Here's what I get when I try to SSH into either of my two Azure Ubuntu VMs:

kuo@cinderella:~$ ssh isaackuo.cloudapp.net
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:aHrdY1FpW+TlPLIoiDWBzfw9uPm6+p3ci4roNA1EO8A.
Please contact your system administrator.
Add correct host key in /home/kuo/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/kuo/.ssh/known_hosts:85
remove with:
ssh-keygen -f "/home/kuo/.ssh/known_hosts" -R "isaackuo.cloudapp.net"
ECDSA host key for isaackuo.cloudapp.net has changed and you have requested strict checking.
Host key verification failed.

This started happening a few days ago, on both of my Ubuntu VMs (I don't have any other VMs, Ubuntu or otherwise).

Obviously, I'm concerned about a possible man-in-the-middle attack, but I don't know how to assess this possibility or what to do about it.

I am familiar with how to remove entries from known_hosts with ssh-keygen -f, and I have occasionally done so when I have retired and reused a local hostname in my LAN. But this has only been in the very controlled environment of my LAN where I know precisely why the SSH server's key has changed.

In this case, I have taken no actions which would explicitly change the ECDSA host key. Only regular apt-get update+dist-upgrade. Looking it up, I see some people have experienced unexpected change of host key due to a Microsoft Azure update, but I have no idea how to figure out if this has occurred in my case. Whatever happened, it happened to both of my Microsoft Azure Ubuntu VMs at roughly the same time. (I do execute apt-get update+dist-upgrade on both at roughly the same time.)

The functionality of my static web sites on both of them appears unchanged, but I would expect that from a man-in-the-middle attack. However, this does rule out the possibility of some DNS and/or IP address assignment issue simply pointing my domain names to different machines out there.

Any ideas?

Thanks!

#MicrosoftAzure #Azure #Ubuntu #Linux #ssh #security

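One way to assess the warning above, as an added example that is not part of the original post: compute the OpenSSH SHA256 fingerprint of the server's public host key and compare it with the fingerprint the ssh client printed. It assumes the key line was read from `/etc/ssh/ssh_host_ecdsa_key.pub` on the VM over a channel that does not rely on this SSH connection (for example the provider's console); the key line used here is constructed placeholder data and the function names are hypothetical.

```python
import base64
import hashlib
import re
import struct

# Fingerprint lines exactly as printed in the warning quoted in the post.
WARNING_TEXT = """The fingerprint for the ECDSA key sent by the remote host is
SHA256:aHrdY1FpW+TlPLIoiDWBzfw9uPm6+p3ci4roNA1EO8A.
"""

def fingerprint_from_warning(text):
    """Extract the SHA256 fingerprint that the ssh client printed."""
    m = re.search(r"SHA256:[A-Za-z0-9+/]{43}", text)
    if m is None:
        raise ValueError("no SHA256 fingerprint found in warning text")
    return m.group(0)

def fingerprint_from_pubkey(line):
    """Compute the OpenSSH SHA256 fingerprint of one public key line."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    # The key blob begins with a length-prefixed copy of the key type.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("declared key type does not match key blob")
    # Fingerprint = unpadded base64 of SHA-256 over the raw key blob.
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_key_matches(warning_text, trusted_pubkey_line):
    """True only if the key seen on the wire is the key the server really holds."""
    return (fingerprint_from_warning(warning_text)
            == fingerprint_from_pubkey(trusted_pubkey_line))

def constructed_pubkey_line():
    """Constructed sample key line (placeholder bytes, not a real host key)."""
    def ssh_string(b):
        return struct.pack(">I", len(b)) + b
    blob = (ssh_string(b"ecdsa-sha2-nistp256") + ssh_string(b"nistp256")
            + ssh_string(b"\x04" + bytes(range(64))))
    return "ecdsa-sha2-nistp256 " + base64.b64encode(blob).decode() + " root@example"

if __name__ == "__main__":
    line = constructed_pubkey_line()
    print("from warning:", fingerprint_from_warning(WARNING_TEXT))
    print("from server :", fingerprint_from_pubkey(line))
    ok = host_key_matches(WARNING_TEXT, line)
    print("match" if ok else "MISMATCH: do not accept the new key")
```

A match means the key changed on the server itself, so the stale known_hosts entry can be replaced; a mismatch means the key presented on the network path is not the server's key.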