Microsoft Details Attack Methods Using Azure AD Connect

Microsoft explained last week how purported nation-state attackers were able to "manipulate the Azure Active Directory (Azure AD) Connect agent," and then destroy a victim's Azure environment.

The unknown attackers used tools similar to those associated with Iran-affiliated attackers, whom Microsoft tracks as "Mercury." This group gained the initial network access, apparently via Log4j vulnerabilities, and then handed operations off to a "DarkBit" persona, labeled "DEV-1084," which the Microsoft team viewed as an obfuscation attempt. The attackers' aim was to delete data or cause denial of service, with the attack masquerading as ransomware.

The attackers had access to two highly privileged accounts, including an Azure AD Connector account, and they accomplished their destructive goals by exploiting how that account had been set up: it had been configured for the older DirSync technology, which required Global Administrator privileges. They also used the Remote Desktop Protocol (RDP) to bypass multifactor authentication (MFA) protections on the second account.

Here's how Microsoft characterized the attack scenario:

On the day of the ransomware attack, the threat actors executed multiple actions in the cloud using two privileged accounts. The first account was the compromised Azure AD Connector account, which had Global Administrator permissions as it was set up for an old solution (DirSync). For the second account, which also had Global Administrator permissions, the threat actors leveraged RDP for access into the account. Even though this account had MFA in place, the threat actors accessed it through RDP, which is an open session that evades MFA blocking their activities.

The attackers used an account with Global Administrator privileges, obtained via Azure Privileged Identity Management, to target the victim's Azure subscriptions, "deleting within a few hours server farms, virtual machines, storage accounts, and virtual networks," Microsoft explained. They also used "an existing legitimate OAuth application" to gain full access to Exchange Web Services mailboxes, which enabled e-mail impersonation.

Microsoft's Advice
Microsoft offered organizations some suggestions on how to avoid such attacks.

To protect on-premises infrastructure, organizations should use Microsoft Defender for Endpoint's tamper protection capability to block "antivirus tampering and misconfiguration by malicious apps and actors." They can also enable a Group Policy Object or Microsoft Intune setting, "DisableLocalAdminMerge," that blocks the "modification of antivirus exclusions."

To protect Azure AD resources, Microsoft recommended enabling Conditional Access policies and continuous access evaluation. IT pros should search audit logs for the "SendAs operation," which can reveal whether attackers are using a compromised mailbox to send e-mail. Microsoft also recommended following its "Azure Identity Management and access control security best practices."
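An added example of the SendAs audit search Microsoft recommends, not code from Microsoft or from the article: it walks exported mailbox-audit records (constructed here; the field names follow the Exchange mailbox audit schema as exported from the unified audit log) and flags SendAs events performed by an identity other than the mailbox owner, then counts how many mailboxes each actor sent as.

```python
import json

# Constructed sample records, shaped like Exchange mailbox-audit entries
# from the unified audit log (the AuditData JSON). They are not real data.
SAMPLE_AUDIT_JSON = json.dumps([
    {"CreationTime": "2023-03-06T08:02:11", "Operation": "SendAs",
     "UserId": "alice@contoso.example", "MailboxOwnerUPN": "alice@contoso.example",
     "LogonType": 0, "ClientInfoString": "Client=OWA;Action=ViaProxy"},
    {"CreationTime": "2023-03-06T08:05:40", "Operation": "MailItemsAccessed",
     "UserId": "bob@contoso.example", "MailboxOwnerUPN": "bob@contoso.example",
     "LogonType": 0, "ClientInfoString": "Client=Outlook"},
    {"CreationTime": "2023-03-06T08:09:03", "Operation": "SendAs",
     "UserId": "helpdesk@contoso.example", "MailboxOwnerUPN": "ceo@contoso.example",
     "LogonType": 2, "ClientInfoString": "Client=WebServices;ExchangeWebServices"},
    {"CreationTime": "2023-03-06T08:11:27", "Operation": "SendAs",
     "UserId": "helpdesk@contoso.example", "MailboxOwnerUPN": "cfo@contoso.example",
     "LogonType": 2, "ClientInfoString": "Client=WebServices;ExchangeWebServices"},
])

def is_impersonated_send(rec):
    """True when a SendAs was performed by an identity other than the mailbox owner."""
    if rec.get("Operation") != "SendAs":
        return False
    actor = rec.get("UserId", "").lower()
    owner = rec.get("MailboxOwnerUPN", "").lower()
    return bool(actor) and actor != owner

def find_sendas_impersonation(audit_json):
    """Return one finding per non-owner SendAs, oldest first."""
    records = json.loads(audit_json)
    hits = [r for r in records if is_impersonated_send(r)]
    hits.sort(key=lambda r: r["CreationTime"])
    return [{"time": r["CreationTime"], "actor": r["UserId"],
             "mailbox": r["MailboxOwnerUPN"], "client": r.get("ClientInfoString", "")}
            for r in hits]

def actors_by_mailbox_count(findings):
    """Count distinct mailboxes each actor sent as; one actor across many
    mailboxes is the pattern worth escalating."""
    seen = {}
    for f in findings:
        seen.setdefault(f["actor"], set()).add(f["mailbox"])
    return {actor: len(boxes) for actor, boxes in seen.items()}

if __name__ == "__main__":
    found = find_sendas_impersonation(SAMPLE_AUDIT_JSON)
    for f in found:
        print(f"{f['time']} {f['actor']} sent as {f['mailbox']} via {f['client']}")
    print(actors_by_mailbox_count(found))
```

Delegates with legitimate Send As rights will also appear, so compare the actors against the mailbox's permission list before escalating.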

The DirSync Security Problem
As noted by Microsoft Most Valuable Professional Paul Robichaux, Azure AD Connect "creates two privileged accounts," one for the customer's on-premises Active Directory Domain Services and the other for Azure services. The problem, though, really resides in DirSync, the "predecessor of Azure AD Connect."

DirSync requires Global Admin rights. IT pros who upgraded from DirSync to Azure AD Connect may have inadvertently created a security hole.

"If you installed DirSync and then updated to Azure AD Connect, that service account will still have the same rights," Robichaux wrote in his article.

Robichaux echoed Microsoft's advice but also offered the practical tip of auditing accounts with Global Administrator (GA) rights.

"Removing GA rights from the Azure AD connector account wouldn't have stopped this attack because the attacker also compromised a separate privileged account, but it would have made things more difficult," he noted.

MFA should be applied to all privileged accounts. IT pros should monitor "Azure AD connector and AD DS connector accounts" for unusual activities as well, Robichaux added.

Microsoft had plans to deprecate DirSync on April 13, 2017, but it's not clear exactly when it fell out of support. Why DirSync's Global Administrator permissions were still present after upgrading to Azure Active Directory Connect wasn't explained.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
