Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

7/22/2019
06:00 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

How Cybercriminals Break into the Microsoft Cloud

Microsoft and Trimarc researchers explore the most common attacks against the cloud and effective defenses and mitigation.

Even companies that previously said "no" to cloud are migrating their services and resources to cloud-based infrastructure. As they do, many are concerned about maintaining the cloud's rapid update pace and how the new paradigm exposes them to new types of security threats.

Moving to the cloud is one challenge. Knowing how to secure it afterward is another.

"One of the things I recognize, and certainly see for myself, is keeping up with changes at cloud scale is challenging, to say the least," says Mark Morowczynski, principal program manager at Microsoft. "Organizations go from 'never cloud,' to 'maybe cloud,' to 'cloud is an important business component,' and many are trying to figure out how to determine that risk."

It's a challenge from an administrative and operations perspective, he continues, adding that "ultimately the cloud is a huge paradigm shift for people." From Amazon Web Services to Office 365, there are countless applications that reside in the cloud. Identity protection, security settings, and vendor management are all different to track, and all affect organizational risk.

"We found that many organizations are struggling with what to do once they're in the cloud, and how to secure their cloud tenant," says Trimarc CTO Sean Metcalf. We're seeing a lot of customers are moving to a work-from-anywhere model, and one of the things with that is there's lots of good fundamentals and best practices we want people to be doing correctly."

A common concern among businesses is "I don't know what I don't know," he continues. Many organizations simply don't understand the risks, and they're moving into the cloud unsure of what they're doing. The challenge is compounded for those using Microsoft, Google, and Amazon cloud services, he adds, as security controls are often in different cloud environments.

At this year's Black Hat USA, Morowczynski and Metcalf will discuss threats specific to Microsoft cloud services in their talk, "Attacking and Defending the Microsoft Cloud (Office 365 & Azure AD)." The goal, Metcalf says, is to help people understand how to secure Microsoft cloud environments, common mistakes made, and which configurations could make them vulnerable.

"Our approach is very much focused on mitigating real world attacks," Metcalf adds.

One of the threats the duo plan to discuss is password spraying, which Morowczynski says is one of the most common attacks leveraged against Microsoft users. Historically, people have a "predictable pattern" in password reset policies: they change every 30 days and often switch their password to whatever month it is; for example, "July2019!"

Attackers recognize this behavior, he continues, so they keep a list of usernames and test the password against each one. If the system uses a legacy protocol that can't support MFA, the attacker will likely succeed. "Good fundamentals really go a long way in protecting against attacks," he notes, recommending companies abandon legacy authentication in favor of MFA.

Of course, "this isn't a new issue," Metcalf points out. "The on-prem environment password spray is something that's been pretty prevalent. It's just the fact that where the data is, what attackers want to get to, is located in the cloud."

As attackers pivot to the cloud, it's easier for them because the default configuration leaves these services available to the Internet at large, he explains. Organizations want their users to be productive from anywhere; with that access, an intruder could bounce around from a few different IP addresses to attempt to break into an account.

Metcalf describes a customer who had no MFA configured on any accounts, enabling an attacker to password-spray any environment. Because cloud and on-premise systems had the same passwords, they could break into one account, connect to a VPN, and gain access to a corporate environment. "That's an extension of how bad an attack like that can be," he says.

The two hope attendees take away a better understanding of security risks inherent to cloud services, how attackers exploit misconfigurations, and where they might be vulnerable. While their content is focused on Microsoft, some attack and defense topics apply to other providers.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

 

 

 

 

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
100%
0%
tdsan,
User Rank: Ninja
7/22/2019 | 10:08:32 PM
What happened to MS Azure Security Recommendations

"Metcalf describes a customer who had no MFA configured on any accounts, enabling an attacker to password-spray any environment. Because cloud and on-premise systems had the same passwords, they could break into one account, connect to a VPN, and gain access to a corporate environment. "That's an extension of how bad an attack like that can be," he says."

Microsoft has a security page that makes recommendations on how to secure the environment in a similar way to AWS. In Azure, they have a "Security Center" section that goes over the things a person needs to secure their environment and it provides guidance on how to enable the compliance aspects related to the site.


Azure Security Center

It seems the biggest problems come from three areas:

  • Having properly trained staff
  • Identify misconfiguration issues found on the "Security Center" page
  • Ensure the compliance aspects are followed per its recommendations

I am curious, there should be a group or a person within the organization to go over the cybersecurity management sections and then perform some Q/A in order to ensure the systems are compliant, if users run Pentesting tools (onsite and/or in the cloud), these tools will tell the user of visible vulnerabilities and provide recommendations.


Just a thought.


Todd
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
4 Security Tips as the July 15 Tax-Day Extension Draws Near
Shane Buckley, President & Chief Operating Officer, Gigamon,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...