How safe is your sensitive business data on Microsoft Azure?

I was talking recently with Zur Ulianitsky, head of security research at XM Cyber about a recent blog post I had read where Microsoft revealed that more than 140 resellers and technology service providers have been targeted by the Russian nation-state actor Nobelium through the Azure cloud service. This is the same hacking group that masterminded the attacks against SolarWinds customers last year; they are now using those techniques to attack enterprises on the public cloud. Zur confided in me that XM Cyber Research had uncovered multiple additional techniques that attackers could use to access sensitive data on Microsoft Azure. I asked him if he could share some examples with our TechGenix readers. He provided me with information about three kinds of attacks that we’re sharing here for the benefit of our readers who use or plan to utilize Microsoft Azure as their public cloud provider. Staying on top of the latest developments in cybersecurity is important for IT professionals, and Zur’s descriptions of these attacks and his mitigation recommendations can help organizations keep their assets safe and secure in Microsoft Azure.


Targeting your Azure AD tenancy

The first kind of attack Zur described is the kind aimed at gaining total control of an organization’s Azure Active Directory tenancy. “Usually, groups are created to simplify the work process,” Zur says. “For example, when an organization receives a new employee, the organization will add the employee to the relevant department group. This will automatically set some metadata about the employee and assign relevant permissions according to his department.” An attacker with any of the following permissions can change a group’s owners or add group members:

  • Directory.ReadWrite.All
  • Group.ReadWrite.All
  • GroupMember.ReadWrite.All

“An attacker that was able to compromise a group’s permissions might exploit this feature for escalation techniques that could lead to full tenant compromise or even on-premises domain compromise,” Zur says.

Zur says that to avoid this hacker opportunity, “companies can employ privileged identity management. This enforces a limit on privileged roles and enables you to see who has access at all times to provide just-in-time access to the environment.”

Targeting your Office 365 services

The next type of attack on your Azure data that Zur talked about is aimed at gaining access to an organization’s Microsoft Office 365 services. “Almost every company has this problem of getting lost in a sea of multiple versions of documents,” Zur says. “It’s difficult to manage and a compliance nightmare. As Microsoft’s OneDrive cloud features advance, many companies are moving almost entirely to the OneDrive cloud.” While this provides incredible convenience and user access, an attacker with any of the following permissions can read and download your OneDrive files in the tenant:

  • Sites.Read.All
  • Sites.ReadWrite.All
  • Files.ReadWrite.All
  • Sites.Manage.All
  • Sites.FullControl.All

“The impact of a successful attack is huge,” he continues. “An attacker can gain access to all the OneDrives related to the attacked tenant. This might expose very sensitive information or lead to further exploitation.”

A simple solution? “Use conditional access policies,” Zur says. “For example, enforce multifactor authentication for any user. This means everyone has to verify access to OneDrive through a code sent by email or mobile device. This may feel like a burden to employees. However, it’s the best thing they can do for the security of their critical assets and for the enterprise.”

Targeting your Azure virtual machines and databases

The third Azure attack vector that Zur explained to me consists of attacks aimed at gaining control of various sorts of Azure IaaS services, such as Azure virtual machines and databases. An attacker with the following permissions will be able to execute commands on on-premises devices managed by the Intune MDM solution:

  • DeviceManagementConfiguration.ReadWrite.All
  • DeviceManagementManagedDevices.ReadWrite.All

“The impact of abusing this technique is catastrophic,” Zur says. “It means that the attacker is able to pivot from the cloud back to the on-premises environment with NT\Authority SYSTEM permissions. Once the attacker has gained access to the on-premises environment, they will be able to move laterally for further exploitation. Mitigating this strategy can be achieved by continuously monitoring and auditing your resource manager (which manages all the infrastructure provided by Microsoft) and Azure Active Directory (which manages your identities).”
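The permission names in the three lists above are application permissions on the Microsoft Graph API, and Zur’s closing advice is to keep auditing Azure Active Directory. As an added example (not code from the article or from XM Cyber), the Python below takes the Graph service principal and a tenant’s appRoleAssignments, flags every service principal holding one of the listed permissions, and names the attack class from the article that the grant enables. The tenant data is constructed and the role ids are placeholders; in a real run both come from the Graph calls named in the docstring.

```python
from collections import defaultdict

# Microsoft Graph's well-known application (client) ID; the resourceId on an
# appRoleAssignment points at this app's service principal in your tenant.
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Application permissions named in the article, grouped by the attack class each enables.
RISKY_APP_ROLES = {
    "group takeover": {"Directory.ReadWrite.All", "Group.ReadWrite.All", "GroupMember.ReadWrite.All"},
    "OneDrive data access": {"Sites.Read.All", "Sites.ReadWrite.All", "Files.ReadWrite.All",
                             "Sites.Manage.All", "Sites.FullControl.All"},
    "Intune device command execution": {"DeviceManagementConfiguration.ReadWrite.All",
                                        "DeviceManagementManagedDevices.ReadWrite.All"},
}

def audit_app_role_assignments(graph_sp, assignments):
    """Return {principal: {attack_class: [permission, ...]}} for every service
    principal that holds a risky Graph application permission.

    graph_sp: Microsoft Graph service principal (id, appId, appRoles) from
        GET /servicePrincipals?$filter=appId eq '<MS_GRAPH_APP_ID>'.
    assignments: appRoleAssignment objects from GET /servicePrincipals/{id}/appRoleAssignments.
    Delegated grants (oauth2PermissionGrants) are a separate object and are not covered.
    """
    if graph_sp["appId"] != MS_GRAPH_APP_ID:
        raise ValueError("expected the Microsoft Graph service principal")
    role_value = {r["id"]: r["value"] for r in graph_sp["appRoles"]}   # appRoleId -> scope name
    risk_class = {v: c for c, vals in RISKY_APP_ROLES.items() for v in vals}
    findings = defaultdict(lambda: defaultdict(list))
    for a in assignments:
        if a["resourceId"] != graph_sp["id"]:      # role granted on some other API: out of scope
            continue
        value = role_value.get(a["appRoleId"])     # unknown id: skip rather than crash
        if value in risk_class:
            findings[a["principalDisplayName"]][risk_class[value]].append(value)
    return {p: {c: sorted(v) for c, v in cls.items()} for p, cls in findings.items()}

# Constructed sample tenant data; "r-00x" ids are placeholders, not real Graph role ids.
SAMPLE_GRAPH_SP = {
    "id": "aaaaaaaa-0000-0000-0000-000000000001", "appId": MS_GRAPH_APP_ID,
    "appRoles": [{"id": "r-001", "value": "Directory.ReadWrite.All"},
                 {"id": "r-002", "value": "Files.ReadWrite.All"},
                 {"id": "r-003", "value": "DeviceManagementManagedDevices.ReadWrite.All"},
                 {"id": "r-004", "value": "User.Read.All"}],
}
SAMPLE_ASSIGNMENTS = [
    {"principalDisplayName": "hr-sync-app", "resourceId": SAMPLE_GRAPH_SP["id"], "appRoleId": "r-001"},
    {"principalDisplayName": "hr-sync-app", "resourceId": SAMPLE_GRAPH_SP["id"], "appRoleId": "r-004"},
    {"principalDisplayName": "backup-app", "resourceId": SAMPLE_GRAPH_SP["id"], "appRoleId": "r-002"},
    {"principalDisplayName": "backup-app", "resourceId": SAMPLE_GRAPH_SP["id"], "appRoleId": "r-003"},
    {"principalDisplayName": "other-api-client", "resourceId": "bbbbbbbb-0000-0000-0000-000000000002",
     "appRoleId": "r-001"},
]

if __name__ == "__main__":
    for principal, classes in audit_app_role_assignments(SAMPLE_GRAPH_SP, SAMPLE_ASSIGNMENTS).items():
        for cls, perms in classes.items():
            print(f"{principal}: {cls} via {', '.join(perms)}")
```

Running the same function over a live export is a cheap recurring check to pair with the PIM and conditional access controls Zur recommends, since a newly consented app with one of these grants shows up as a new finding.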

Final thoughts on keeping your Azure data safe

Zur summarizes by saying that the techniques XM Cyber Research discovered should not be considered vulnerabilities, because vulnerabilities are errors. “The techniques I’ve described involved Microsoft’s design features, which are very beneficial to customers. Nonetheless, if abused by an attacker, they can lead to catastrophic damage. Microsoft is continuously developing features to help organizations better manage their Azure environment. However, as hackers become more clever, attack path management will remain necessary. The nature of these techniques resides in the misconfiguration category. It’s not that Azure is filled with flaws. It’s just that hackers know where to go and, unfortunately, you don’t — yet.”

He finishes by saying that “At XM Cyber, we are continuously looking for new attack vectors within cloud or on-premises environments. Upon learning of this attack, we ran some simulations using our technology and uncovered that there remain multiple additional techniques attackers could use to access sensitive data on Microsoft Azure.” Let’s hope they can continue this good work they’re doing at XM Cyber so our business assets stored in Microsoft Azure can remain safe and secure.

Mitch Tulloch

Mitch Tulloch is Senior Editor of both WServerNews and FitITproNews and is a widely recognized expert on Windows Server and cloud technologies. He has written more than a thousand articles and has authored or been series editor for over 50 books for Microsoft Press and other publishers. Mitch has also been a twelve-time recipient of the Microsoft Most Valuable Professional (MVP) award in the technical category of Cloud and Datacenter Management. He currently runs an IT content development business in Winnipeg, Canada.
