How Hybrid Cyberthreats are Exploiting Digital Identities

Jul 24, 2023
Author:
James Maude Headshot 2024
James Maude
Field Chief Technology Officer

What are hybrid threats?


In the cybersecurity world, hybrid threats leverage the vulnerabilities and security gaps present in hybrid environments—those that combine on-premise and cloud. Threat actors use various techniques to move seamlessly between on-premise systems and cloud infrastructure to exploit digital identities. These gaps in protection are often caused by security models and controls that have yet to adequately account for new cloud technologies, as well as the exponential growth of accounts and identities that has bloated the attack surface.

McKinsey suggests that there is $1 trillion of potential business value at stake for North American Fortune 500 companies adopting the cloud. While the cloud does indeed offer a lot of value, it is not without risk. Leaders and technologists must quickly learn new technologies and rethink security models and controls—often on the fly. This is leaving many with the sinking feeling that they are running with scissors.

In the worst cases, the speed, scalability, and global availability of cloud computing that made it so attractive to the organization are directly leveraged and abused by threat actors. No longer do they have to breach the network, capture credentials, exploit endpoints, and move laterally, all while remaining undetected. With cloud, they can simply enter some compromised credentials or present a hijacked access token, and the cloud environment and all its secrets are laid bare in front of them without their ever setting foot inside the corporate network.

In this and subsequent blog posts, we are going to look at examples of these risks and detail some of the techniques used by threat actors to exploit identities, privileges, and hidden attack paths. Let’s start with the wonderfully named Mango Sandstorm. We’ll take a look at their exploitation of hybrid environments and the techniques and accounts they use to move seamlessly between on premise systems and cloud infrastructure.

Who are Mango Sandstorm?


Mango Sandstorm, also tracked as DEV-1084, Mercury, or MuddyWater, is an Iranian threat actor group allegedly linked to Iran's Ministry of Intelligence and Security (MOIS). In the past the group has targeted Middle Eastern nations, but it has been expanding into Europe and North America, primarily targeting the telecommunications, oil, and government sectors.

Mango Sandstorm mainly focuses on intelligence gathering and has been observed using a wide variety of techniques to maintain access to victim networks, including making use of a number of open-source and off-the-shelf tools.

One of the more notable techniques they use is deploying ransomware to cover their tracks at the end of an operation. This ransomware smokescreen not only distracts security teams from their activity, but allows the attackers to destroy evidence of their activities along the way and potentially frame other threat actors for the breach.

Another notable technique Mango Sandstorm uses is the hybrid attack chain.

What is the hybrid attack chain?


The hybrid attack chain represents a series of steps a threat actor or threat group will take to gain access to and then move laterally through a network. The Mango Sandstorm group will use a variety of tactics to gain initial access to a network. These tactics can include spear phishing and exploiting vulnerabilities on internet-exposed servers, notably making extensive use of Log4j exploits. Once they have gained an initial foothold, their first order of business is to gain local administrative rights and use tools such as Mimikatz to dump credentials that they will then use to move laterally within the network.

So far, we are describing a fairly classic attack chain; however, in a recent attack, the threat actors used on-premise privileged account credentials they had captured to move laterally onto a system used to run Azure AD Connect. Azure AD Connect is an on-premise application that helps organizations manage hybrid identities by synchronizing on-premise Active Directory (AD) with Azure AD.

How did threat actors activate the hybrid attack chain using Azure AD Connect?


During the setup of the Azure AD Connect tool, multiple accounts are created in both the on-premise AD and cloud Azure AD environments. The permissions given to these accounts vary depending on the features used, but generally they will be able to replicate directory changes as well as modify passwords and groups. In the case of this breach, the permissions had been set by DirSync (an old solution), which, by default, granted Global Administrator permissions, making the accounts a very attractive target.

Having gained access to the on-premise system, the threat actors were able to launch the AADInternals tool and use the Get-AADIntSyncCredentials function. This allows a local administrator to extract plaintext credentials for both the highly privileged Azure AD connector account and the AD DS Connector account. As the privileged cloud account was only used by a machine identity, it did not have any multi-factor authentication (MFA) enabled. This meant that it was trivial for the threat actors to access cloud resources within Azure using the stolen Azure AD connector credentials.

Once in Azure, the threat actors leveraged their permissions to gain access to management groups and Azure subscriptions. They were able to grant full_access_as_app and administrator consent permissions to an existing Exchange OAuth application and add certificates, which can be used as credentials for authentication and issuing access tokens. This provided full access to the organisation’s mailboxes via Exchange Web Services under the cover of a legitimate enterprise application.
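From a defender's side, the pivot just described leaves a trail in the Azure AD directory audit log: a sync account, which should only ever synchronise directory objects, initiating application credential or consent changes. The following triage script is an added example (not code from the original post or from BeyondTrust's products); the records follow the Microsoft Graph directoryAudit shape and the activity names are Azure AD's, but the records themselves are constructed, and the `Sync_` prefix check assumes the tenant kept Azure AD Connect's default connector account naming.

```python
"""Triage Azure AD directory audit records for the hybrid pivot described in the post.
Added example, not code from the original post or BeyondTrust's products. Records follow
the Microsoft Graph directoryAudit shape (activityDisplayName, initiatedBy, targetResources);
the activity names are Azure AD's, the records themselves are CONSTRUCTED."""

# Activities that change who can authenticate as, or what is granted to, an application.
WATCHED_ACTIVITIES = {
    "Update application – Certificates and secrets management": "medium",
    "Add service principal credentials": "medium",
    "Consent to application": "medium",
    "Add app role assignment to service principal": "medium",
}

def is_sync_account(upn):
    """Azure AD Connect's cloud connector account defaults to a Sync_<server>_<id> name.
    Assumption: the tenant kept that default; adjust if yours renamed it."""
    return upn.lower().startswith("sync_")

def triage(records):
    """Return watched events, sorted with high severity first, then by time."""
    findings = []
    for r in records:
        sev = WATCHED_ACTIVITIES.get(r["activityDisplayName"])
        if sev is None:
            continue
        actor = r.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "<app>")
        # The connector account only ever needs to synchronise directory objects; it
        # touching application credentials or consent is the pivot the post describes.
        if is_sync_account(actor):
            sev = "high"
        findings.append({
            "time": r["activityDateTime"], "severity": sev, "activity": r["activityDisplayName"],
            "actor": actor, "targets": [t.get("displayName", "?") for t in r.get("targetResources", [])],
        })
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["time"]))

SAMPLE_AUDIT = [  # constructed sample records, not real tenant data
    {"activityDateTime": "2023-03-01T10:02:11Z", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
     "targetResources": [{"displayName": "j.doe"}]},
    {"activityDateTime": "2023-03-01T10:05:40Z",
     "activityDisplayName": "Update application – Certificates and secrets management",
     "initiatedBy": {"user": {"userPrincipalName": "Sync_ADCONNECT01_f00dcafe@contoso.example"}},
     "targetResources": [{"displayName": "Exchange Mail Migration"}]},
    {"activityDateTime": "2023-03-01T10:06:02Z", "activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"userPrincipalName": "Sync_ADCONNECT01_f00dcafe@contoso.example"}},
     "targetResources": [{"displayName": "Exchange Mail Migration"}]},
    {"activityDateTime": "2023-03-02T08:00:00Z",
     "activityDisplayName": "Update application – Certificates and secrets management",
     "initiatedBy": {"user": {"userPrincipalName": "devops@contoso.example"}},
     "targetResources": [{"displayName": "CI Pipeline"}]},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT):
        print(f["severity"].upper(), f["time"], f["actor"], f["activity"], f["targets"])
```

In a real tenant the records would come from the `auditLogs/directoryAudits` Graph endpoint or a SIEM export; the medium-severity credential change by `devops@contoso.example` is the kind of event you still want to review against change records.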

Why are Azure applications a popular access point for threat actors?


Using Certificate Based Authentication and abusing Azure applications is popular with threat actors because it provides an attractive way to maintain passwordless persistence and access privilege within Azure. These were the same type of tactics used in the SolarWinds supply chain compromise. Threat actors will leverage an account with permissions to assign credentials to an Enterprise Application in Azure. They can then use the application credentials to interact with Azure services and access data.

Commonly attackers will:

  1. Find an existing legitimate Azure application with the permissions they need; if none is available, they add the required permissions to an existing application.
  2. Use a privileged account to add a new credential to the Azure application. Note: An Azure application can have multiple valid credentials, so this does not affect the existing credentials.
  3. Pass the client ID and tenant ID with the client secret to the client credential grant flow to obtain an access token, which is then used to access the data accessible to the application.
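Because step 2 leaves the legitimate credential untouched, the defensive counterpart to this procedure (and to the forgotten, over-privileged migration apps discussed below) is a periodic audit of every app registration's credential set. The following checker is an added example, not code from the original post or from BeyondTrust's products: the `passwordCredentials` and `keyCredentials` fields follow the Microsoft Graph application object, while `granted_roles` (permission names already resolved from the service principal's app role assignments) and `last_sign_in` are assumed fields pre-joined from other exports, and the sample apps are constructed.

```python
"""Audit Azure AD app registrations for the credential-abuse pattern in the post.
Added example, not code from the original post or BeyondTrust's products. The
passwordCredentials/keyCredentials fields follow the Microsoft Graph application object;
granted_roles (resolved permission names) and last_sign_in are ASSUMED pre-joined
fields; all sample apps are CONSTRUCTED."""
from datetime import datetime, timedelta, timezone

HIGH_PRIVILEGE_ROLES = {"full_access_as_app", "Directory.ReadWrite.All"}  # strictest hygiene

def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def audit_app(app, now, recent_days=7, stale_days=90):
    """Return (severity, reason) findings for one application registration."""
    findings = []
    creds = [(c, "secret") for c in app.get("passwordCredentials", [])]
    creds += [(c, "certificate") for c in app.get("keyCredentials", [])]
    active = [(c, k) for c, k in creds if _parse(c["endDateTime"]) > now]
    privileged = HIGH_PRIVILEGE_ROLES & set(app.get("granted_roles", []))
    # Attackers add a credential beside the legitimate one, so the app keeps working.
    if len(active) > 1:
        findings.append(("medium", f"{len(active)} concurrently valid credentials"))
    for c, kind in active:
        if now - _parse(c["startDateTime"]) <= timedelta(days=recent_days):
            sev = "high" if privileged else "medium"
            findings.append((sev, f"{kind} '{c['displayName']}' added {c['startDateTime']}"))
    # Certificate plus a mailbox-wide role is the passwordless persistence the post describes.
    if privileged and any(k == "certificate" for _, k in active):
        findings.append(("high", f"certificate credential on app holding {sorted(privileged)}"))
    # Forgotten migration apps: privileged but not signing in.
    last = app.get("last_sign_in")
    if privileged and (last is None or now - _parse(last) > timedelta(days=stale_days)):
        findings.append(("high", f"privileged app unused for {stale_days}+ days; review for removal"))
    return findings

def audit_tenant(apps, now):
    """Map app display name -> findings, omitting clean apps."""
    return {a["displayName"]: f for a in apps if (f := audit_app(a, now))}

NOW = datetime(2023, 3, 3, tzinfo=timezone.utc)
SAMPLE_APPS = [  # constructed sample registrations
    {"displayName": "Exchange Mail Migration", "granted_roles": ["full_access_as_app"],
     "passwordCredentials": [{"keyId": "k1", "displayName": "migration-2021",
                              "startDateTime": "2021-06-01T00:00:00Z", "endDateTime": "2024-06-01T00:00:00Z"}],
     "keyCredentials": [{"keyId": "k2", "displayName": "CN=backup",
                         "startDateTime": "2023-03-01T10:05:40Z", "endDateTime": "2025-03-01T00:00:00Z"}],
     "last_sign_in": None},  # no sign-in records in the window (assumed join)
    {"displayName": "CI Pipeline", "granted_roles": ["User.Read"], "last_sign_in": "2023-03-02T00:00:00Z",
     "passwordCredentials": [{"keyId": "k3", "displayName": "ci",
                              "startDateTime": "2023-01-10T00:00:00Z", "endDateTime": "2023-07-10T00:00:00Z"}]},
]

if __name__ == "__main__":
    for name, findings in audit_tenant(SAMPLE_APPS, NOW).items():
        print(name, findings)
```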

How are hybrid threats impacting enterprises?


In the rush to the cloud, many organisations have ended up with multiple enterprise applications that either were used for a one-time cloud data migration task and are now unused, or were misconfigured and have a high level of access. If these are compromised, then the threat actor can operate under the cover of a legitimate application and its service principals, in much the same way that service accounts in an on-premise AD environment can be misused.

In the case of Mango Sandstorm, these privileged Azure accounts were used to inflict widespread damage and then cover the group’s tracks. The group caused cloud disruption by using their access and privileges to delete servers, virtual machines (VMs), data stores, and services in Microsoft Azure.

Using the privileges they had been able to gain in the on-premise environment, Mango Sandstorm deployed malicious Group Policy to tamper with security controls the organization had in place. They then again used Group Policy to register a scheduled task that launched a ransomware payload, which encrypted files and changed the file extensions to “.DARKBIT”.

Following the mass destruction of data both on-premise and in the cloud, the threat actor group used an Exchange application's credentials to grant ‘Send on behalf’ permissions against high-value mailboxes using a PowerShell cmdlet. This allowed the attackers to send information-gathering emails to internal and external email addresses as if they were a senior leader at the organisation.

The end result is a devastating attack that impacts almost every aspect of an organisation, leaving data destroyed, systems unavailable, and reputational damage from compromised mailboxes being used to contact suppliers and third parties. From this example, it is clear that these hybrid-type attacks can quickly turn all the benefits sought by moving to the cloud into a painful lesson.

What best practices can we apply to defend against a hybrid attack?


1. Know your identities, accounts, and privileges - As the saying goes “attackers think in graphs, defenders think in lists.”

It is more important than ever to understand where identities, accounts, and privileges exist across your organisation. Threat actors will pivot through your on-premise and cloud infrastructure any way they can. Over-privileged, under-protected accounts offer them an easy path.

Identity is the new perimeter for cyberattacks. By compromising an identity, attackers can gain access to a range of accounts, systems, and applications, both on-premise and in the cloud. This is why the discipline of identity threat detection and response (ITDR) has emerged. ITDR solutions combine the worlds of Identity Access Management (IAM) and identity security to prevent and mitigate identity-based attacks. The more visibility and understanding you have of the accounts, privileges, and access associated with an identity across on-premise and cloud systems, the better positioned you are to proactively protect it. BeyondTrust Identity Security Insights® was developed to provide centralized visibility of identities, accounts, and privileged access across the entire IT estate, along with intelligent recommendations that help proactively reduce risk. With such visibility and insights, you are better poised to understand the blast radius of an attack or breach and respond swiftly and effectively.

2. Provide a strong least privilege foundation - In Mango Sandstorm, the threat actors were able to access a number of privileged accounts on-premise that allowed them to move laterally from their initial access. Tools, such as Mimikatz, rely on having access to local administrator privileges in order to dump credentials. Using Endpoint Privilege Management tools, such as BeyondTrust’s Privilege Management for Windows & Mac and Privilege Management for Unix & Linux, can remove the need for users to be logging in with local administrative privileges that could be misused by an attacker to dump credentials and disable endpoint security.

In addition, privileged password management tools like BeyondTrust Password Safe can be used to discover, manage, and protect privileged accounts. BeyondTrust’s solution provides just-in-time access with a high level of control and auditing to prevent attackers from gaining access to these accounts.

On the cloud side, we also saw that excessive privilege and a lack of conditional access policies allowed the attacker to use a local privileged account to pivot into a cloud privileged account, which they could then use without any real restriction. Bringing privileged accounts under management, taking a least privilege approach, and removing privileges where possible mitigates many common attack techniques and greatly reduces your attack surface.

3. Control execution – In many recent attacks, threat actors were able to deploy off-the-shelf remote access tools and make use of PowerShell and tools like AADInternals. As these off-the-shelf and native tools are not in themselves malicious, they are less likely to be detected by AV or EDR solutions. Combining application control with privilege management (often accomplished via enterprise endpoint privilege management solutions, such as BeyondTrust’s) provides a powerful defense that reduces an attacker's ability to deploy tools and access privileges. This limits the ease with which they can execute, persist, and move laterally.

When it comes to nation-state threat actors, it can feel like a daunting task defending yourself, but by having visibility into the identities, accounts, and privileges in your network; controlling privileges using the Principle of Least Privilege and just-in-time access; and by controlling execution, you make it significantly harder for them. Threat actors like Mango Sandstorm will often rely on over-privileged user accounts, gaps in visibility between systems and the ability to freely execute tools to cause damage, so the more this can be controlled, the more the threat is mitigated.

How do I get better control of my Identity Security challenges?


Identity Security Insights from BeyondTrust helps organizations gain a centralized view of identities, accounts, and privileged access across their IT estate and leverage threat intelligence alongside recommendations to improve their identity security posture.

Identity Security Insights is able to provide visibility of privileged accounts on-premise and in the cloud. Benefit from recommendations that help you proactively reduce risk, and detections that provide visibility into potential active misuse.

In the example of the over-privileged Azure AD Connector account shown above, Identity Security Insights can not only discover the account and its level of privilege, but also zero in on how it is potentially over-privileged and not following security best practices, for instance by not being protected by a conditional access policy.

Identity Security Insights provides game-changing visibility to help organizations understand, monitor, and harden their identity security posture in the face of hybrid threats.

Identity Security Insights will be released for general availability for US customers on August 2nd. If you want to learn more about Identity Security Insights and how BeyondTrust is bringing active threat detection to Privileged Access Management (PAM), visit our website—or contact us to get set up with our free trial.
