Attacks through the cloud, and how to prevent them

In a recent blog post, Microsoft revealed that more than 140 resellers and technology service providers have been targeted by the Russian nation-state actor Nobelium through the Azure cloud service.

The news "knocked the cyber world off its feet,” according to Zur Ulianitsky, head of security research at XM Cyber. “After they [Nobelium] successfully executed the infamous SolarWinds attack of 2020, it would appear they have moved on to attack enterprises on the public cloud.”

He says this led XM Cyber to question how else Nobelium and other bad actors could carry out attacks through the cloud.

“With our advanced attack simulation tool, we uncovered many more routes hackers can use to access critical data on Microsoft Azure. Our data revealed that these entry points are not the fault of poor design, but rather that these hackers are exploiting friendly and intuitive user design,” Ulianitsky explains.

There are several ways hackers can put data at risk, and also ways to stop them. Attackers could, for example, gain total control of an organisation’s Azure active directory tenancy,  he says. 

“When an employee joins a new company, they are typically added to one or several group permissions, depending on their role within the organisation. This metadata attached to the employee’s log-in information will assign relevant permissions according to their department it’s standardised and convenient.”

However, Ulianitsky says it poses a problem, because a bad actor with either Directory.ReadWrite.All, Group.ReadWrite.All or GroupMember.ReadWrite.All permissions, can change a group’s owners or add group members.

Enterprises shouldn’t have to sacrifice intuitive convenient design because of hackers.

Zur Ulianitsky, XM Cyber.

And if an attacker is able to compromise a group’s permissions, they can exploit this feature to trigger other actions that could lead to full compromise or even on-premise domain compromise.

Ulianitsky say privileged identity management (PIM) can help enterprises avoid this hacker opportunity. PIM adds an additional layer of protection by enforcing a limit on permissions while enabling users to see who has access at all times, providing just-in-time access to the environment.

Attackers could also gain access to an organisation’s Office365 services.

“With more collaboration occurring than ever before, the cloud has become a life saver for busy professionals needing to transition between multiple devices or share information across departments,” Ulianitsky says.

While OneDrive is a welcome Microsoft feature, any document can be seen and stolen if an attacker has one or more of the following permissions: Sites.Read.All, Sites.ReadWrite.All, Files.ReadWrite.All, Sites.Manage.All, and Sites.FullControl.All.

This type of breach, says Ulianitsky, can be devastating. These days, access to an entire OneDrive file could mean exposing very sensitive information that can be escalated to further exploitation.

“That’s why conditional access policies are the ideal solution. Multi-factor authentication should be enforced for any user. All users should need to verify OneDrive access through a unique code sent to their mobile device or email address. It’s an extra step, but ultimately it may be the most important step for every tenant.”

With our phones being essential to our business and personal lives, protecting mobile devices is just as important as securing any other work device, he adds.

“Yet, an additional device means an additional opportunity to hack. An attacker with DeviceManagementConfiguration.ReadWrite.All or DeviceManagementManagedDevices.ReadWrite.All permission, will be able to execute commands for on-premise devices managed by Intune MDM solution.”

The consequences of abusing this strategy can be catastrophic, says Ulianitsky. “It means the attacker would be able to comfortably oscillate between the cloud and the on-premise environment with NT\Authority SYSTEM permissions. Once the attacker is in the on-premise environment, they will only have to move laterally for further exploitation.”

Monitoring and auditing is the easy solution, he explains. “Your resource manager manages all the infrastructure provided by Microsoft and Azure Active Directory which manages your identities. By keeping eyes on these two regularly, you can identify and seize upon any disruptions.”

He says it is worth noting that the techniques XM Cyber Research discovered are not vulnerabilities, or errors caused by poor security hygiene.

“Microsoft has a smart, user-friendly product that businesses can’t get enough of. The hacking techniques we discovered are just clever loopholes that can lead to crises if an attacker catches on.”

But enterprises shouldn’t have to sacrifice intuitive convenient design because of hackers, he adds.

“Microsoft improves their product regularly to help companies better manage their security. However, hackers are always a few steps ahead, so attack path management is the only way to keep them behind. This means identifying every possible way that an attacker could pivot through the network to reach the company’s critical assets. Only by viewing the network through the eyes of the attacker can a business successfully defend against their attacks,” Ulianitsky concludes.