By Russell Smith and Azure Security News
The SolarWinds hack at the end of 2020 highlighted ways in which hackers can use compromised applications and forged security assertion markup language (SAML) tokens to move into cloud environments from on-premises systems, including Microsoft environments. The Cybersecurity and Infrastructure Security Agency (CISA) and US-CERT recently issued an alert warning about the malicious activity and providing information on how IT can secure on-premises and cloud systems to detect and prevent the threats.
The issues discovered with SAML tokens are not unique to Microsoft’s systems. SAML is an open standard that’s used to facilitate user logons to federated systems. Hackers were able to forge SAML tokens and impersonate users, including those with privileged access. Once hackers obtain privileged access to the Microsoft cloud, they can establish entry that is persistent and difficult to detect.
The built-in security and monitoring features in Azure Active Directory (AD), the identity management solution used to authenticate users in Microsoft 365, should be able detect anomalies in SAML authentication. Nevertheless, healthcare organizations are advised to follow Microsoft’s best-practice advice, as well as the mitigations published by CISA and US-CERT, to make sure their cloud tenants are properly secured.
Protect Microsoft 365 Hybrid Environments
Connecting Microsoft 365 to on-premises systems can allow hackers to move laterally to the cloud if IT doesn’t follow some simple best practices. Hospitals and other healthcare providers should use Azure AD Connect to synchronize accounts and password hashes to the cloud or use pass-through authentication. Active Directory Federation Services provides few advantages for connecting Windows Server Active Directory to Azure AD, and it introduces risks that can make Azure AD vulnerable.
Objects synchronized to Azure AD should never hold cloud privileges beyond “standard user.” This ensures that compromised on-premises accounts can’t be used for malicious purposes in Microsoft 365. Hospitals should check that objects synchronized from on-premises AD don’t inherit elevated cloud privileges from Azure AD roles or groups.
Azure AD administrator accounts should always be created in the cloud and protected using multifactor authentication. Azure AD Conditional Access policy can be used to further secure privileged cloud accounts, which should only be accessed from Azure managed workstations.
Detect Compromised Microsoft 365 Accounts With Open-Source Tools
CISA recently released a PowerShell-based tool to help detect compromised Microsoft Azure accounts and applications by highlighting activity that might be considered unusual and potentially malicious. The tool, called Sparrow, is for incident responders and is specifically designed to detect threats like the recent authentication-based attacks highlighted during the SolarWinds hack.
Sparrow is available for free on GitHub, and it helps IT teams narrow down user and application activity that could suggest authentication-based attacks. Sparrow checks Azure’s unified audit log for signs of compromise, lists Azure AD domains, and checks service principals and Microsoft Graph application programming interface permissions.
CrowdStrike also has a PowerShell reporting tool for Azure AD that can detail permissions and configuration settings that are hard to see using Azure tools. The CrowdStrike tool shows mail forwarding rules for remote domains, Exchange Online PowerShell–enabled users, and service principal objects with keyCredentials. Like Sparrow, the CrowdStrike Reporting Tool for Azure (CRT) is free to use and is available on GitHub.
Hawk is another free PowerShell tool that can be used to collect data from Azure and Microsoft 365. It provides incident responders with information on specific user principals or entire Microsoft 365 tenants, including IP addresses and sign-in data. Hawk also lets organizations track IP use for concurrent logins.
Audit, Collect and Store Microsoft 365 Log Data for Threat Hunting
Regardless of the tools they use, healthcare organizations should monitor the creation and use of service principal credentials, trust relationships added to Azure AD and assignment of credentials to applications that allow noninteractive sign-in. Interactive sign-in data should be collected from Azure and analyzed using security information and event management solutions such as Splunk or Microsoft Sentinel. SIEM also helps organizations retain log data for historical analysis.
Enforce Strong Authentication for All Users
The preliminary focus of recent attacks was on initial access via compromised code in SolarWinds Orion. But CISA says it has observed cases where hackers have gained initial access using simple password-based attacks, such as password guessing and password spraying. There have also been cases of initial access using poorly secured admin or service credentials. Once initial access is gained, hackers are able to use other techniques to elevate privileges, and bypass identity controls and multifactor authentication.
Healthcare providers should make sure that protections are in place for securing cloud and on-premises accounts. Multifactor authentication, security keys, Azure Conditional Access and Azure Identity Protection can all be used to reduce the risk of account compromise. And managing users’ devices with mobile device management tools improves security by reducing dependency on Windows Server AD.
Many of the advanced security and logging features in Microsoft 365 require an Azure AD Premium P1 or P2 license. Microsoft 365 G3 and E3 licenses provide only 90 days of auditing, but the advanced auditing license included in the G5 and E5 plans retains information in Azure for one year. SIEM tools let organizations store log data for much longer.
Azure Global Administrator rights are required to collect all the information needed to detect authentication-based attacks. Because of the privileges required, access to detection tools such as Sparrow — and the devices they run on — should be carefully monitored to ensure they can’t be used to compromise Microsoft 365.