Are you letting attackers log in to your cloud?

Eric Woodruff at Semperis explains how attackers can access Entra ID environments via Active Directory

 

The rise of hybrid architectures, with on-premises and cloud combining to create a single IT infrastructure, may have brought many operational benefits, but it has also considerably opened up the attack surface.

 

Few organisations realise their cloud data can potentially be compromised if cybercriminals gain access to their on-premises identity systems, for instance.

 

In hybrid infrastructures, Microsoft Active Directory (AD), the identity system used by over 90% of Fortune 1000 businesses, is typically synchronised with its cloud-based counterpart, Entra ID. If this setup is not correctly configured, attackers could jump straight from a compromised on-premises system into the cloud environment.

 

To a certain extent, this is made possible because the out-of-the-box configuration of Entra ID leans towards usability. Pairing AD with Entra ID using Microsoft Entra Connect allows user accounts, groups and passwords to be synchronised between the two identity platforms so that users can access applications housed in the cloud or on legacy systems from any location and over any device.

 

This connection creates a seamless experience for users. However, the synchronisation also means that if further controls aren’t enacted, an attacker who has successfully taken over an account in AD can use that connection to Entra ID to compromise the victim’s cloud environment.

 

Identity inertia

Such attacks are often made possible through misconfiguration of the two identity systems – a common problem because many organisations assume that Entra ID is secure by default. In fact, the default password policy in Entra ID is what many would consider weak, with a minimum length of 8 characters and 3 out of 4 character types required.

 

And while Entra ID does boast some strong security features, such as multi-factor authentication (MFA), passwordless and phishing-resistant authentication and conditional access policies, these must be set up correctly to be effective.  

 

The problem is that organisations with relatively weak password policies for AD also tend to set up weak conditional access policies that do not require MFA from hybrid-joined or compliant devices or from the corporate network. A single password then becomes the only security barrier, enabling threat actors to move with ease from AD into Entra ID.

 

Issues can also occur where the same access privileges are used to access both systems. Microsoft offers nearly 100 roles in Entra ID, but as the use cases and abilities are not always clearly defined, there’s a tendency to assign the Global Administrator, the most powerful and privileged role in Entra ID, and equivalent to Domain Administrator in AD, far too liberally. Therefore, it’s vital that organisations implement proper privilege management.

 

Similarly, a lack of understanding over how the Microsoft shared responsibility model works can see businesses fail to implement their own security measures. Since Entra ID is a SaaS platform, Microsoft and the customer share the responsibility for maintaining the identity and directory infrastructure.

 

While Microsoft manages the underlying infrastructure, customers are responsible for the management and security of the identities themselves as well as the customer-facing part of the platform, with things like conditional access that are ultimately used to secure access to data, again the customer’s responsibility.

 

Attacks against Entra ID

By failing to adequately secure both their AD and Entra ID, organisations inadvertently create attack paths that can allow attackers to bypass controls, establish persistent access or remotely log in to cloud systems.

 

Entra ID users who were also privileged users in AD were identified as one of the most common vulnerabilities in Semperis’ latest Purple Knight Report, which explores the issues frequently discovered in identity architectures. Among the most prevalent Entra ID vulnerabilities were inactive guest accounts, leaving an open gate to the Entra ID tenant, and users who were eligible for privileged roles.

 

Microsoft itself has confirmed there were 25.6bn brute-force authentication attacks against Entra ID in 2021 and there are numerous documented cases of the system being compromised via AD. One notable example is Storm-0501, which Microsoft reported on back in September. In one reported instance, the threat actor was able to use credentials from Active Directory to gain access to the Entra Connect server.

 

Having gained access to the server, the threat actor was able to exfiltrate the Entra ID Directory synchronisation account from the Entra Connect server, providing the threat actor with highly privileged credentials in Entra ID.

 

Likewise, Microsoft observed that a highly privileged user in Active Directory – a Domain Administrator – was synchronised to Entra ID, where the user was also highly privileged with Global Administrator rights. As the organisation had MFA disabled on this account, this created an extremely short and highly privileged path directly from AD to Entra ID. With privileges in the cloud, the threat actor established persistence with a backdoor. Once sufficient control had been established and sensitive files extracted, the attacker went on to deploy ransomware across the entire network.

 

Hardening hybrid identities

Such attacks illustrate the importance of restricting privileged access to reduce the identity systems’ attack surface. Highly privileged users in Entra ID should be cloud-native and not synchronised from Active Directory.

 

Likewise, highly privileged users in Active Directory, such as Domain Administrators, should be excluded from synchronisation. In the Storm-0501 scenarios, combining these two bad practices greatly shortens the path to compromise of both AD and Entra ID.
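The two recommendations above (cloud-native Entra ID admins, Domain Admins excluded from sync) can be checked mechanically. The following is an added example, not code from the article or from Semperis: it audits constructed records whose field names follow the Microsoft Graph user resource (`onPremisesSyncEnabled`, `onPremisesSecurityIdentifier`) together with an assumed list of Domain Admins SIDs, and flags the Storm-0501 pattern of one synced account that is privileged on both sides. The set of roles treated as highly privileged is an assumption.

```python
"""Audit constructed hybrid-identity data for synced privileged accounts.

Record shapes mirror Microsoft Graph user fields (onPremisesSyncEnabled,
onPremisesSecurityIdentifier) and directory role membership; all values
are constructed for this example, not taken from a real tenant.
"""

# Entra ID roles treated as highly privileged for this check (an assumption;
# extend the set to match your own tiering model).
PRIVILEGED_ENTRA_ROLES = {"Global Administrator", "Privileged Role Administrator",
                          "Hybrid Identity Administrator"}

# Constructed sample tenant: one cloud-native admin, one synced admin, one synced helpdesk user.
ENTRA_USERS = [
    {"userPrincipalName": "ga-cloud@example.com", "onPremisesSyncEnabled": None,
     "onPremisesSecurityIdentifier": None},
    {"userPrincipalName": "jsmith@example.com", "onPremisesSyncEnabled": True,
     "onPremisesSecurityIdentifier": "S-1-5-21-1-2-3-1105"},
    {"userPrincipalName": "helpdesk@example.com", "onPremisesSyncEnabled": True,
     "onPremisesSecurityIdentifier": "S-1-5-21-1-2-3-1201"},
]
ENTRA_ROLE_MEMBERS = {  # role displayName -> member UPNs (constructed)
    "Global Administrator": ["ga-cloud@example.com", "jsmith@example.com"],
    "Helpdesk Administrator": ["helpdesk@example.com"],
}
# Constructed SIDs of the on-premises Domain Admins group members.
AD_DOMAIN_ADMIN_SIDS = {"S-1-5-21-1-2-3-1105", "S-1-5-21-1-2-3-500"}


def audit_hybrid_privilege(users, role_members, domain_admin_sids,
                           privileged_roles=PRIVILEGED_ENTRA_ROLES):
    """Return (finding, upn, detail) tuples for the three bad patterns in the article."""
    by_upn = {u["userPrincipalName"]: u for u in users}
    synced_privileged, synced_domain_admins = set(), set()
    findings = []
    for role, upns in role_members.items():
        if role not in privileged_roles:
            continue  # only highly privileged roles must be cloud-native
        for upn in upns:
            if by_upn.get(upn, {}).get("onPremisesSyncEnabled"):
                findings.append(("synced-privileged-entra", upn, role))
                synced_privileged.add(upn)
    for u in users:
        sid = u.get("onPremisesSecurityIdentifier")
        if sid in domain_admin_sids:  # Domain Admins should be excluded from sync
            findings.append(("domain-admin-synced", u["userPrincipalName"], sid))
            synced_domain_admins.add(u["userPrincipalName"])
    # The Storm-0501 pattern: one synced account privileged on both sides.
    for upn in sorted(synced_privileged & synced_domain_admins):
        findings.append(("direct-ad-to-cloud-path", upn, "privileged in AD and Entra ID"))
    return findings
```

In a real tenant the user and role-member records would come from the Graph `/users` and `/directoryRoles` endpoints and the SIDs from the Domain Admins group; the check itself is unchanged.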

 

Organisations should also ensure that privilege separation exists between the user account for daily activities, such as checking emails and browsing the web, and the privileged user account.

 

Lastly, it’s important that organisations restrict highly privileged access to a privileged access workstation (PAW).

 

Lax conditional access policies must also be addressed. Organisations should have a baseline MFA policy in place, but as threat actors continue to evolve and traditional MFA methods are now phished with commodity tools, it’s necessary to move towards phishing-resistant authentication with Windows Hello for Business and passkeys.
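As an added illustration (not from the article), the gaps described earlier can be expressed as a lint over Conditional Access policy objects: a policy left in report-only mode, trusted locations exempted, a device control that can satisfy the grant instead of MFA, and no phishing-resistant authentication strength. The two sample policies are constructed; their field names follow the Microsoft Graph `conditionalAccessPolicy` resource, and the break-glass exclusion is a placeholder.

```python
"""Lint Conditional Access policies for the weaknesses the article describes.

Both policies below are constructed samples in the shape of the Graph
conditionalAccessPolicy resource; they are not taken from any real tenant.
"""

WEAK_POLICY = {
    "displayName": "Require MFA (legacy)",
    "state": "enabledForReportingButNotEnforced",  # report-only: never enforced
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": []},
        "applications": {"includeApplications": ["All"]},
        # "AllTrusted" exempts every trusted named location from the policy
        "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
    },
    # OR means a compliant or hybrid-joined device satisfies the grant without MFA
    "grantControls": {"operator": "OR",
                      "builtInControls": ["mfa", "compliantDevice", "domainJoinedDevice"]},
}

STRONG_POLICY = {
    "displayName": "Require phishing-resistant MFA",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"],
                  "excludeUsers": ["<break-glass-account-object-id>"]},  # placeholder
        "applications": {"includeApplications": ["All"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": []},
    },
    "grantControls": {"operator": "AND", "builtInControls": [],
                      # built-in strength covering FIDO2/passkeys, Windows Hello for Business
                      "authenticationStrength": {"displayName": "Phishing-resistant MFA"}},
}


def lint_policy(policy):
    """Return a list of human-readable issues; an empty list means no gap found."""
    issues = []
    if policy.get("state") != "enabled":
        issues.append("policy is not enforced")
    locations = policy.get("conditions", {}).get("locations", {})
    if "AllTrusted" in locations.get("excludeLocations", []):
        issues.append("trusted locations are exempt (corporate network bypasses MFA)")
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))
    if grant.get("operator") == "OR" and "mfa" in controls and \
            controls & {"compliantDevice", "domainJoinedDevice"}:
        issues.append("compliant/hybrid device satisfies the grant instead of MFA")
    strength = (grant.get("authenticationStrength") or {}).get("displayName", "")
    if "phishing-resistant" not in strength.lower():
        issues.append("no phishing-resistant authentication strength required")
    return issues
```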

 

In any system, misconfigurations can accumulate over time. For this reason, it’s advisable to carry out regular vulnerability assessments of the directory services. A vulnerability scan should look for potential weaknesses across both the enterprise estate, covering configuration for all users, as well as weaknesses that are specific to privileged users. Run regularly, these assessments can enable organisations to both improve their cyber hygiene and stay ahead of emerging threats.

 

There are a number of tools available to assess the health of AD and Entra ID. Microsoft offers Identity Secure Score and Microsoft Secure Score within Entra ID and Microsoft 365 which define key security settings and provide a general sense of how secure the environment is. Administrators can dig deeper to understand the context of the risk and determine if the security setting is something they can remediate on their own or if they need to bring in a third party.

 

Remediating issues

Going beyond Secure Score, there are free tools such as Purple Knight, which is recognised by the Five Eyes Alliance (comprised of law enforcement and security agencies from the United Kingdom, the United States of America, Canada, Australia and New Zealand) as a means to assess AD/Entra ID.

 

A security assessment tool built and managed by Microsoft identity experts, Purple Knight goes into greater depth and can be used to highlight and provide remediation advice on specific weak points. For instance, rather than just looking at whether the hybrid architecture is built as designed, it will determine if security can be strengthened by adjusting or configuring it in a certain way.

 

Finally, organisations should continually monitor their hybrid identity architecture for threats. Purpose-built identity threat detection and response (ITDR) platforms can capture changes to role assignments, group memberships or user attributes that are typically missed by agent-based or log-based detection. Being able to quickly spot, evaluate and automatically roll back these changes can stop an attack in its tracks.

 

There’s no doubt that securing both legacy and modern identity management systems presents real challenges, but businesses must address these to stop AD from being used to compromise the cloud. The hybrid identity model is expected to remain dominant, with Gartner stating that only 3% of organisations will have migrated away from AD to a cloud-based identity provider by year end, and attackers are all too aware of this fact.

 

By ensuring identity systems are correctly configured and monitored, businesses can greatly reduce the potential for attack.

 


 

Eric Woodruff is Chief Identity Architect at Semperis

 

Main image courtesy of iStockPhoto.com and Tero Vesalainen

