Mantén tu Directorio Activo de Azure Protegido

Keep your Azure Active Directory Protected

May 20, 2024 Celia Catalán

Whenever we talk about cybersecurity we think about the servers that we have hosted in our company and we worry about their exposure to the outside world and the impact that the compromise of any resource on our network could have. However, there are already many companies that use cloud services or hybrid systems to deploy their infrastructure.

Today we are going to talk about Azure, and what are some of the entry points that some attackers exploit to compromise an organization and we will also give some basic security recommendations.

Entry Vectors to Azure AD

Vulnerable Applications + Managed Identities:

Azure is often used to expose old applications and add a layer of security, however, an application with vulnerabilities still has them just because it is uploaded to the cloud. In this case, when an application is deployed in Azure, a Managed Identity is associated with it, that is, an Azure account that will be used by the application and to which the necessary permissions will be assigned to access different resources such as databases or Key Vaults within the organization.

In the event that an attacker manages to exploit an RCE or SSRF type vulnerability in the application, they could be able to obtain the Access token of the Managed Identity, thus being able to impersonate this account and use it to access the organization and its resources, and since these types of accounts are not intended to be used by a person, they do not have MFA.

To try to reduce the chances of this input vector being used, the following is recommended:

Analyze and mitigate vulnerabilities in exposed applications.

Limit Managed Identities permissions as much as possible.

Monitor the actions of Managed Identities to detect any action that differs from their expected use.

Azure Blobs Exposed:

Azure blobs are an object storage service for the Azure platform. It is common for users not to properly restrict the permissions of the blobs they create, so they can be enumerated using tools like MicroBurst. On the other hand, it is also possible to share access to these blobs through links. When sharing resources with links, it can be done using Share Keys or Shared Access Signature, both options can allow the duration of the link to be very long or even never expire, thus giving access to any attacker who obtains the generated link.

Here are some recommendations for protecting your organization's blobs:

Educate employees so that they do not store sensitive information in these resources and that they correctly manage permissions.

Frequently review public blobs to ensure none are public.

Limit duration of links to blobs.

Absence of MFA + Leaks:

When we talk about on-premise active directory, there is usually a layer of security before being able to access the organization, whether it is physical access to the network or through VPN. This is why, even if credential leaks occur, attackers must also gain access to the organization. However, Azure services are exposed on the internet, so if an attacker manages to compromise an Active Directory account, they could be able to access the Azure domain and enumerate it completely despite not having access to the internal network.

To reduce the chances of being attacked using this vector, it is recommended:

Continuously investigate exposed information from the organization in order to detect compromised credentials so they can be changed.

Set mandatory MFA for all accounts.

Implement controls in the Conditional Access Policy to restrict access to the Azure domain only from permitted locations.

Phishing:

Phishing attacks are a common tactic used by attackers to trick users into obtaining their credentials. Additionally, techniques such as Ilicit Consent Grant Attack can be used, so that instead of obtaining the victim's credentials, the attacker tries to obtain an Access Token from the user, which could be used to access domain resources. Phishing attacks that use these types of techniques are extremely dangerous, since legitimate Microsoft systems are used for the victim to delegate their permissions to an application controlled by the attacker and thus obtain the aforementioned Access Token.

To reduce the impact it is recommended:

Raise awareness among employees about these and other phishing techniques so that they learn to recognize and avoid them.

Limit user permissions in the Azure domain as much as possible.

Persistence through user invitation:

When an attacker gains access to an asset, they always try to gain persistence on the target, this way they can continue listing after the initial compromise. There are several techniques to establish persistence, but the simplest is to use Azure's invite users feature, since by default an Azure account can invite external users. These users will not have elevated permissions, but could list domain information.

As a mitigation, it is recommended to disable this feature so that users cannot give guest access to the tenant.