Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

7/22/2019
06:00 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

How Cybercriminals Break into the Microsoft Cloud

Microsoft and Trimarc researchers explore the most common attacks against the cloud and effective defenses and mitigation.

Even companies that previously said "no" to cloud are migrating their services and resources to cloud-based infrastructure. As they do, many are concerned about maintaining the cloud's rapid update pace and how the new paradigm exposes them to new types of security threats.

Moving to the cloud is one challenge. Knowing how to secure it afterward is another.

"One of the things I recognize, and certainly see for myself, is keeping up with changes at cloud scale is challenging, to say the least," says Mark Morowczynski, principal program manager at Microsoft. "Organizations go from 'never cloud,' to 'maybe cloud,' to 'cloud is an important business component,' and many are trying to figure out how to determine that risk."

It's a challenge from an administrative and operations perspective, he continues, adding that "ultimately the cloud is a huge paradigm shift for people." From Amazon Web Services to Office 365, there are countless applications that reside in the cloud. Identity protection, security settings, and vendor management are all different to track, and all affect organizational risk.

"We found that many organizations are struggling with what to do once they're in the cloud, and how to secure their cloud tenant," says Trimarc CTO Sean Metcalf. We're seeing a lot of customers are moving to a work-from-anywhere model, and one of the things with that is there's lots of good fundamentals and best practices we want people to be doing correctly."

A common concern among businesses is "I don't know what I don't know," he continues. Many organizations simply don't understand the risks, and they're moving into the cloud unsure of what they're doing. The challenge is compounded for those using Microsoft, Google, and Amazon cloud services, he adds, as security controls are often in different cloud environments.

At this year's Black Hat USA, Morowczynski and Metcalf will discuss threats specific to Microsoft cloud services in their talk, "Attacking and Defending the Microsoft Cloud (Office 365 & Azure AD)." The goal, Metcalf says, is to help people understand how to secure Microsoft cloud environments, common mistakes made, and which configurations could make them vulnerable.

"Our approach is very much focused on mitigating real world attacks," Metcalf adds.

One of the threats the duo plan to discuss is password spraying, which Morowczynski says is one of the most common attacks leveraged against Microsoft users. Historically, people have a "predictable pattern" in password reset policies: they change every 30 days and often switch their password to whatever month it is; for example, "July2019!"

Attackers recognize this behavior, he continues, so they keep a list of usernames and test the password against each one. If the system uses a legacy protocol that can't support MFA, the attacker will likely succeed. "Good fundamentals really go a long way in protecting against attacks," he notes, recommending companies abandon legacy authentication in favor of MFA.

Of course, "this isn't a new issue," Metcalf points out. "The on-prem environment password spray is something that's been pretty prevalent. It's just the fact that where the data is, what attackers want to get to, is located in the cloud."

As attackers pivot to the cloud, it's easier for them because the default configuration leaves these services available to the Internet at large, he explains. Organizations want their users to be productive from anywhere; with that access, an intruder could bounce around from a few different IP addresses to attempt to break into an account.

Metcalf describes a customer who had no MFA configured on any accounts, enabling an attacker to password-spray any environment. Because cloud and on-premise systems had the same passwords, they could break into one account, connect to a VPN, and gain access to a corporate environment. "That's an extension of how bad an attack like that can be," he says.

The two hope attendees take away a better understanding of security risks inherent to cloud services, how attackers exploit misconfigurations, and where they might be vulnerable. While their content is focused on Microsoft, some attack and defense topics apply to other providers.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

 

 

 

 

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
100%
0%
tdsan,
User Rank: Ninja
7/22/2019 | 10:08:32 PM
What happened to MS Azure Security Recommendations

"Metcalf describes a customer who had no MFA configured on any accounts, enabling an attacker to password-spray any environment. Because cloud and on-premise systems had the same passwords, they could break into one account, connect to a VPN, and gain access to a corporate environment. "That's an extension of how bad an attack like that can be," he says."

Microsoft has a security page that makes recommendations on how to secure the environment in a similar way to AWS. In Azure, they have a "Security Center" section that goes over the things a person needs to secure their environment and it provides guidance on how to enable the compliance aspects related to the site.


Azure Security Center

It seems the biggest problems come from three areas:

  • Having properly trained staff
  • Identify misconfiguration issues found on the "Security Center" page
  • Ensure the compliance aspects are followed per its recommendations

I am curious, there should be a group or a person within the organization to go over the cybersecurity management sections and then perform some Q/A in order to ensure the systems are compliant, if users run Pentesting tools (onsite and/or in the cloud), these tools will tell the user of visible vulnerabilities and provide recommendations.


Just a thought.


Todd
Microsoft Patches Wormable RCE Vulns in Remote Desktop Services
Kelly Sheridan, Staff Editor, Dark Reading,  8/13/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15129
PUBLISHED: 2019-08-18
The Recruitment module in Humanica Humatrix 7 1.0.0.203 and 1.0.0.681 allows an unauthenticated attacker to access all candidates' files in the photo folder on the website by specifying a "user id" parameter and file name, such as in a recruitment_online/upload/user/[user_id]/photo/[file_n...
CVE-2019-15130
PUBLISHED: 2019-08-18
The Recruitment module in Humanica Humatrix 7 1.0.0.203 and 1.0.0.681 allows an unauthenticated attacker to upload any file type to a candidate's profile picture folder via a crafted recruitment_online/personalData/act_personaltab.cfm multiple-part POST request with a predictable WRC01_USERID parame...
CVE-2019-15135
PUBLISHED: 2019-08-18
The handshake protocol in Object Management Group (OMG) DDS Security 1.1 sends cleartext information about all of the capabilities of a participant (including capabilities inapplicable to the current session), which makes it easier for attackers to discover potentially sensitive reachability informa...
CVE-2019-15136
PUBLISHED: 2019-08-18
The Access Control plugin in eProsima Fast RTPS through 1.9.0 does not check partition permissions from remote participant connections, which can lead to policy bypass for a secure Data Distribution Service (DDS) partition.
CVE-2019-15137
PUBLISHED: 2019-08-18
The Access Control plugin in eProsima Fast RTPS through 1.9.0 allows fnmatch pattern matches with topic name strings (instead of the permission expressions themselves), which can lead to unintended connections between participants in a Data Distribution Service (DDS) network.