Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

7/22/2019
06:00 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

How Cybercriminals Break into the Microsoft Cloud

Microsoft and Trimarc researchers explore the most common attacks against the cloud and effective defenses and mitigation.

Even companies that previously said "no" to cloud are migrating their services and resources to cloud-based infrastructure. As they do, many are concerned about maintaining the cloud's rapid update pace and how the new paradigm exposes them to new types of security threats.

Moving to the cloud is one challenge. Knowing how to secure it afterward is another.

"One of the things I recognize, and certainly see for myself, is keeping up with changes at cloud scale is challenging, to say the least," says Mark Morowczynski, principal program manager at Microsoft. "Organizations go from 'never cloud,' to 'maybe cloud,' to 'cloud is an important business component,' and many are trying to figure out how to determine that risk."

It's a challenge from an administrative and operations perspective, he continues, adding that "ultimately the cloud is a huge paradigm shift for people." From Amazon Web Services to Office 365, there are countless applications that reside in the cloud. Identity protection, security settings, and vendor management are all different to track, and all affect organizational risk.

"We found that many organizations are struggling with what to do once they're in the cloud, and how to secure their cloud tenant," says Trimarc CTO Sean Metcalf. We're seeing a lot of customers are moving to a work-from-anywhere model, and one of the things with that is there's lots of good fundamentals and best practices we want people to be doing correctly."

A common concern among businesses is "I don't know what I don't know," he continues. Many organizations simply don't understand the risks, and they're moving into the cloud unsure of what they're doing. The challenge is compounded for those using Microsoft, Google, and Amazon cloud services, he adds, as security controls are often in different cloud environments.

At this year's Black Hat USA, Morowczynski and Metcalf will discuss threats specific to Microsoft cloud services in their talk, "Attacking and Defending the Microsoft Cloud (Office 365 & Azure AD)." The goal, Metcalf says, is to help people understand how to secure Microsoft cloud environments, common mistakes made, and which configurations could make them vulnerable.

"Our approach is very much focused on mitigating real world attacks," Metcalf adds.

One of the threats the duo plan to discuss is password spraying, which Morowczynski says is one of the most common attacks leveraged against Microsoft users. Historically, people have a "predictable pattern" in password reset policies: they change every 30 days and often switch their password to whatever month it is; for example, "July2019!"

Attackers recognize this behavior, he continues, so they keep a list of usernames and test the password against each one. If the system uses a legacy protocol that can't support MFA, the attacker will likely succeed. "Good fundamentals really go a long way in protecting against attacks," he notes, recommending companies abandon legacy authentication in favor of MFA.

Of course, "this isn't a new issue," Metcalf points out. "The on-prem environment password spray is something that's been pretty prevalent. It's just the fact that where the data is, what attackers want to get to, is located in the cloud."

As attackers pivot to the cloud, it's easier for them because the default configuration leaves these services available to the Internet at large, he explains. Organizations want their users to be productive from anywhere; with that access, an intruder could bounce around from a few different IP addresses to attempt to break into an account.

Metcalf describes a customer who had no MFA configured on any accounts, enabling an attacker to password-spray any environment. Because cloud and on-premise systems had the same passwords, they could break into one account, connect to a VPN, and gain access to a corporate environment. "That's an extension of how bad an attack like that can be," he says.

The two hope attendees take away a better understanding of security risks inherent to cloud services, how attackers exploit misconfigurations, and where they might be vulnerable. While their content is focused on Microsoft, some attack and defense topics apply to other providers.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

 

 

 

 

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
100%
0%
tdsan,
User Rank: Ninja
7/22/2019 | 10:08:32 PM
What happened to MS Azure Security Recommendations

"Metcalf describes a customer who had no MFA configured on any accounts, enabling an attacker to password-spray any environment. Because cloud and on-premise systems had the same passwords, they could break into one account, connect to a VPN, and gain access to a corporate environment. "That's an extension of how bad an attack like that can be," he says."

Microsoft has a security page that makes recommendations on how to secure the environment in a similar way to AWS. In Azure, they have a "Security Center" section that goes over the things a person needs to secure their environment and it provides guidance on how to enable the compliance aspects related to the site.


Azure Security Center

It seems the biggest problems come from three areas:

  • Having properly trained staff
  • Identify misconfiguration issues found on the "Security Center" page
  • Ensure the compliance aspects are followed per its recommendations

I am curious, there should be a group or a person within the organization to go over the cybersecurity management sections and then perform some Q/A in order to ensure the systems are compliant, if users run Pentesting tools (onsite and/or in the cloud), these tools will tell the user of visible vulnerabilities and provide recommendations.


Just a thought.


Todd
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
The Flaw in Vulnerability Management: It's Time to Get Real
Jim Souders, Chief Executive Officer at Adaptiva,  8/15/2019
Tough Love: Debunking Myths about DevOps & Security
Jeff Williams, CTO, Contrast Security,  8/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5638
PUBLISHED: 2019-08-21
Rapid7 Nexpose versions 6.5.50 and prior suffer from insufficient session expiration when an administrator performs a security relevant edit on an existing, logged on user. For example, if a user's password is changed by an administrator due to an otherwise unrelated credential leak, that user accou...
CVE-2019-6177
PUBLISHED: 2019-08-21
A vulnerability reported in Lenovo Solution Center version 03.12.003, which is no longer supported, could allow log files to be written to non-standard locations, potentially leading to privilege escalation. Lenovo ended support for Lenovo Solution Center and recommended that customers migrate to Le...
CVE-2019-10687
PUBLISHED: 2019-08-21
KBPublisher 6.0.2.1 has SQL Injection via the admin/index.php?module=report entry_id[0] parameter, the admin/index.php?module=log id parameter, or an index.php?View=print&id[]= request.
CVE-2019-11601
PUBLISHED: 2019-08-21
A directory traversal vulnerability in remote access to backup & restore in earlier versions than ProSyst mBS SDK 8.2.6 and Bosch IoT Gateway Software 9.2.0 allows remote attackers to write or delete files at any location.
CVE-2019-11602
PUBLISHED: 2019-08-21
Leakage of stack traces in remote access to backup & restore in earlier versions than ProSyst mBS SDK 8.2.6 and Bosch IoT Gateway Software 9.2.0 allows remote attackers to gather information about the file system structure.