I was talking recently with Zur Ulianitsky, head of security research at XM Cyber about a recent blog post I had read where Microsoft revealed that more than 140 resellers and technology service providers have been targeted by the Russian nation-state actor Nobelium through the Azure cloud service. This is the same hacking group that masterminded the attacks against SolarWinds customers last year; they are now using those techniques to attack enterprises on the public cloud. Zur confided in me that XM Cyber Research had uncovered multiple additional techniques that attackers could use to access sensitive data on Microsoft Azure. I asked him if he could share some examples with our TechGenix readers. He provided me with information about three kinds of attacks that we’re sharing here for the benefit of our readers who use or plan to utilize Microsoft Azure as their public cloud provider. Staying on top of the latest developments in cybersecurity is important for IT professionals, and Zur’s descriptions of these attacks and his mitigation recommendations can help organizations keep their assets safe and secure in Microsoft Azure.
Targeting your Azure AD tenancy
The first kind of attacks Zur described are those aimed at gaining total control of an organization’s Azure Active Directory tenancy. “Usually, groups are created to simplify the work process,” Zur says. “For example, when an organization receives a new employee, the organization will add the employee to the relevant department group. This will automatically set some metadata about the employee and assign relevant permissions according to his department.” An attacker with any of the following permissions can change a group’s owners or add group members:
- Directory.ReadWrite.All
- Group.ReadWrite.All
- GroupMember.ReadWrite.All
“An attacker that was able to compromise a group’s permissions might exploit this feature for escalation techniques that could lead to full tenant compromise or even on-premises domain compromise,” Zur says.
Zur says that to avoid this hacker opportunity, “companies can employ privileged identity management. This enforces a limit on privileged roles and enables you to see who has access at all times to provide just-in-time access to the environment.”
Targeting your Office 365 services
The next type of attack on your Azure data that Zur talked about are aimed at gaining access to an organization’s Microsoft Office 365 services. “Almost every company has this problem of getting lost in a sea of multiple versions of documents,” Zur says. “It’s difficult to manage and a compliance nightmare. As Microsoft’s OneDrive cloud features advance, many companies are moving almost entirely to the OneDrive cloud.” While this provides incredible convenience and user access, an attacker with any of the following permissions can read and download your OneDrive files in the tenant:
- Sites.Read.All
- Sites.ReadWrite.All
- Files.ReadWrite.All
- Sites.Manage.All
- Sites.FullControl.All
“The impact of a successful attack is huge,” he continues. “An attacker can gain access to all the OneDrives related to the attacked tenant. This might expose very sensitive information or lead to further exploitation.
A simple solution? “Use conditional access policies,” Zur says. “For example, enforce multifactor authentication for any user. This means everyone has to verify access to OneDrive through a code sent by email or mobile device. This may feel like a burden to employees. However, it’s the best thing they can do for the security of their critical assets and for the enterprise.”
Targeting your Azure virtual machines and databases
The third Azure attack vector that Zur explained to me is attacks aimed at gaining control of various sorts of Azure IaaS services, such as Azure virtual machines and databases. An attacker with the following permissions will be able to execute commands on on-premises devices managed by Intune MDM solution:
- DeviceManagementConfiguration.ReadWrite.All
- DeviceManagementManagedDevices.ReadWrite.All
“The impact of abusing this technique is catastrophic,” Zur says. “It means that the attacker is able to pivot from the cloud back to the on-premises environment with NT\Authority SYSTEM permissions. Once the attacker has gained access to the on-premises environment, they will be able to move laterally for further exploitation. Mitigating this strategy can be achieved by continuously monitoring and auditing your resource manager (which manages all the infrastructure provided by Microsoft) and Azure Active Directory (which manages your identities).”
Final thoughts on keeping your Azure data safe
Zur summarizes by saying that the techniques XM Cyber Research discovered should not be considered vulnerabilities, because vulnerabilities are errors. “The techniques I’ve described involved Microsoft’s design features, which are very beneficial to customers. Nonetheless, if abused by an attacker, they can lead to catastrophic damage. Microsoft is continuously developing features to help organizations better manage their Azure environment. However, as hackers become more clever, attack path management will remain necessary. The nature of these techniques resides in the misconfiguration category. It’s not that Azure is filled with flaws. It’s just that hackers know where to go and, unfortunately, you don’t — yet.
He finishes by saying that “At XM Cyber, we are continuously looking for new attack vectors within cloud or on-premises environments. Upon learning of this attack, we ran some simulations using our technology and uncovered that there remain multiple additional techniques attackers could use to access sensitive data on Microsoft Azure.” Let’s hope they can continue this good work they’re doing at XM Cyber so our business assets stored in Microsoft Azure can remain safe and secure.
Featured image: Shutterstock
