UPDATED Cyber-attacker tradecraft has long relied on using compromised access to a PC on a targeted network as a stepping-stone to hack into juicier targets such as domain controllers.
Security researchers at cybersecurity technology vendor Varonis have shown that if an on-premises IT environment is compromised, then an attacker can similarly use this access to pivot and attack an organization’s Azure environment.
Varonis researcher Eric Saraga found that it was possible to manipulate an on-premises server called an Azure agent, so that an attacker can establish a backdoor and gather user credentials from the cloud.
Skeleton key attack
The Azure agent server synchronizes Azure Active Directory (AD) with an organization’s on-premises Active Directory installation.
The attack developed by Saraga exploits ‘pass-through authentication’, a method that installs an Azure agent on-premises that authenticates synced users from the cloud. This is one of several authentication methods supported by the technology.
The researcher created a proof-of-concept that manipulates the Azure authentication function so that it’s possible to create a form of ‘skeleton key’ password on an Azure agent.
The skeleton key allows an attacker to escalate privileges to global admin and gain access to an organization’s on-premises environment.
The hack, if carried out successfully, would allow an attacker to extract usernames and passwords related to a particular corporate entity.
Potential assaults can be blocked by securing accounts using multi-factor authentication technology. Other defenses would include active monitoring of Azure agent servers.
Pre-pwned servers
In response to questions from The Daily Swig, Saraga acknowledged the exploit he demonstrated against a specific Azure environment is only possible after hacking into a corporate system through some other mechanism.
“To compromise the agent, an attacker has to have control over the agent server, which are typically installed in an on-prem environment,” Saraga explained.
“Though these servers shouldn’t be directly accessible via the internet, it’s possible that an attacker could reach them by compromising another internal host or remote entry point.
“Once the agent is compromised and the attacker installs the skeleton key, the attacker can connect to the Azure environment as any synchronized user from anywhere,” he added.
Out of scope
Microsoft has downplayed the impact of the potential security threat discussed by Varonis.
The company told Varonis that, after reviewing the issue, it had decided there was no need for remediation work on its technologies.
“This report does not appear to identify a weakness in a Microsoft product or service that would enable an attacker to compromise the integrity, availability, or confidentiality of a Microsoft offering,” Microsoft Security Response Center told Varonis.
“For this issue, the attacker needs to compromise the machine first before they can take over the service.”
A Microsoft spokesperson told The Daily Swig: “The technique described does not pose a serious security risk as it requires an attacker to compromise a secure machine and obtain administrative privileges. We do not plan to address it with a security update.”
Saraga urged organizations to lock down their Azure environments in order to defend against possible attacks.
“As this technique becomes common knowledge, there’s no reason to expect it wouldn’t be as likely to occur as other attacks against critical servers, [such as] a DCShadow attack against a domain controller,” Saraga told The Daily Swig.
“In terms of impact, this attack is considerable, as it allows the attacker to collect cleartext passwords quickly, and without MFA, allows easy remote logins as any user, including a global administrator that allows complete control over the organization’s Azure cloud.”
Varonis isn’t the first security researcher to uncover this particular issue on Microsoft Azure. Last year, Adam Chester discovered a way to exploit pass-through authentication in an Azure environment. Varonis has updated its blog post to acknowledge this prior work.
