Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

7/22/2019
06:00 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

How Cybercriminals Break into the Microsoft Cloud

Microsoft and Trimarc researchers explore the most common attacks against the cloud and effective defenses and mitigation.

Even companies that previously said "no" to cloud are migrating their services and resources to cloud-based infrastructure. As they do, many are concerned about maintaining the cloud's rapid update pace and how the new paradigm exposes them to new types of security threats.

Moving to the cloud is one challenge. Knowing how to secure it afterward is another.

"One of the things I recognize, and certainly see for myself, is keeping up with changes at cloud scale is challenging, to say the least," says Mark Morowczynski, principal program manager at Microsoft. "Organizations go from 'never cloud,' to 'maybe cloud,' to 'cloud is an important business component,' and many are trying to figure out how to determine that risk."

It's a challenge from an administrative and operations perspective, he continues, adding that "ultimately the cloud is a huge paradigm shift for people." From Amazon Web Services to Office 365, there are countless applications that reside in the cloud. Identity protection, security settings, and vendor management are all different to track, and all affect organizational risk.

"We found that many organizations are struggling with what to do once they're in the cloud, and how to secure their cloud tenant," says Trimarc CTO Sean Metcalf. We're seeing a lot of customers are moving to a work-from-anywhere model, and one of the things with that is there's lots of good fundamentals and best practices we want people to be doing correctly."

A common concern among businesses is "I don't know what I don't know," he continues. Many organizations simply don't understand the risks, and they're moving into the cloud unsure of what they're doing. The challenge is compounded for those using Microsoft, Google, and Amazon cloud services, he adds, as security controls are often in different cloud environments.

At this year's Black Hat USA, Morowczynski and Metcalf will discuss threats specific to Microsoft cloud services in their talk, "Attacking and Defending the Microsoft Cloud (Office 365 & Azure AD)." The goal, Metcalf says, is to help people understand how to secure Microsoft cloud environments, common mistakes made, and which configurations could make them vulnerable.

"Our approach is very much focused on mitigating real world attacks," Metcalf adds.

One of the threats the duo plan to discuss is password spraying, which Morowczynski says is one of the most common attacks leveraged against Microsoft users. Historically, people have a "predictable pattern" in password reset policies: they change every 30 days and often switch their password to whatever month it is; for example, "July2019!"

Attackers recognize this behavior, he continues, so they keep a list of usernames and test the password against each one. If the system uses a legacy protocol that can't support MFA, the attacker will likely succeed. "Good fundamentals really go a long way in protecting against attacks," he notes, recommending companies abandon legacy authentication in favor of MFA.

Of course, "this isn't a new issue," Metcalf points out. "The on-prem environment password spray is something that's been pretty prevalent. It's just the fact that where the data is, what attackers want to get to, is located in the cloud."

As attackers pivot to the cloud, it's easier for them because the default configuration leaves these services available to the Internet at large, he explains. Organizations want their users to be productive from anywhere; with that access, an intruder could bounce around from a few different IP addresses to attempt to break into an account.

Metcalf describes a customer who had no MFA configured on any accounts, enabling an attacker to password-spray any environment. Because cloud and on-premise systems had the same passwords, they could break into one account, connect to a VPN, and gain access to a corporate environment. "That's an extension of how bad an attack like that can be," he says.

The two hope attendees take away a better understanding of security risks inherent to cloud services, how attackers exploit misconfigurations, and where they might be vulnerable. While their content is focused on Microsoft, some attack and defense topics apply to other providers.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

 

 

 

 

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
tdsan
100%
0%
tdsan,
User Rank: Ninja
7/22/2019 | 10:08:32 PM
What happened to MS Azure Security Recommendations

"Metcalf describes a customer who had no MFA configured on any accounts, enabling an attacker to password-spray any environment. Because cloud and on-premise systems had the same passwords, they could break into one account, connect to a VPN, and gain access to a corporate environment. "That's an extension of how bad an attack like that can be," he says."

Microsoft has a security page that makes recommendations on how to secure the environment in a similar way to AWS. In Azure, they have a "Security Center" section that goes over the things a person needs to secure their environment and it provides guidance on how to enable the compliance aspects related to the site.


Azure Security Center

It seems the biggest problems come from three areas:

  • Having properly trained staff
  • Identify misconfiguration issues found on the "Security Center" page
  • Ensure the compliance aspects are followed per its recommendations

I am curious, there should be a group or a person within the organization to go over the cybersecurity management sections and then perform some Q/A in order to ensure the systems are compliant, if users run Pentesting tools (onsite and/or in the cloud), these tools will tell the user of visible vulnerabilities and provide recommendations.


Just a thought.


Todd
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9079
PUBLISHED: 2020-08-11
FusionSphere OpenStack 8.0.0 have a protection mechanism failure vulnerability. The product incorrectly uses a protection mechanism. An attacker has to find a way to exploit the vulnerability to conduct directed attacks against the affected product.
CVE-2020-16275
PUBLISHED: 2020-08-10
A cross-site scripting (XSS) vulnerability in the Credential Manager component in SAINT Security Suite 8.0 through 9.8.20 could allow arbitrary script to run in the context of a logged-in user when the user clicks on a specially crafted link.
CVE-2020-16276
PUBLISHED: 2020-08-10
An SQL injection vulnerability in the Assets component of SAINT Security Suite 8.0 through 9.8.20 allows a remote, authenticated attacker to gain unauthorized access to the database.
CVE-2020-16277
PUBLISHED: 2020-08-10
An SQL injection vulnerability in the Analytics component of SAINT Security Suite 8.0 through 9.8.20 allows a remote, authenticated attacker to gain unauthorized access to the database.
CVE-2020-16278
PUBLISHED: 2020-08-10
A cross-site scripting (XSS) vulnerability in the Permissions component in SAINT Security Suite 8.0 through 9.8.20 could allow arbitrary script to run in the context of a logged-in user when the user clicks on a specially crafted link.