Hybrid IT opens new avenues for cybercriminals

Hybrid computing environments, created by blending on-premise and cloud-based systems, have become standard fare within many organisations. They offer key benefits such as scalability, flexibility and cost containment.

Unfortunately, with the race to the cloud they are also proving something of a boon for cybercriminals. Hybrid infrastructures can offer a wider attack surface providing more potential points of entry through which attackers can gain access to applications and data.

At the heart of these attacks against hybrid environments are compromised identities. They may have been obtained via a phishing campaign, online credential breach or simply because default or commonly known credentials were available.

Often these credentials can allow a cybercriminal to log directly into a cloud account or service bypassing the need to compromise an endpoint or gain access to your corporate network. From there, an attacker will look for ways to access data and pivot into other systems. All the business advantages of the cloud such as speed, scale and global availability suddenly become a major risk if an identity is compromised. The more privileges and entitlements that identity has on the cloud systems the greater the risk to the organisation.

Not everything starts with the cloud — in other instances cybercriminals have started on-prem and then been able to pivot into the cloud. This type of attack is particularly devastating because all an organisation’s infrastructure, on-prem and cloud, can be taken out in one fell swoop.

The example of Mango Sandstorm

The security challenge posed by hybrid IT was highlighted recently by the Nation State Threat Actors known to the security community as Mercury or Mango Sandstorm. The group is allegedly linked to Iran’s Ministry of Intelligence and Security (MOIS) commonly targeting organisations located in or doing business with Middle Eastern countries.

Mango Sandstorm use a variety of tactics to gain initial access to targeted infrastructures. These include targeted spear-phishing campaigns and exploiting vulnerabilities on internet-exposed servers. Once they have gained an initial foothold, the attackers’ first order of business is to secure local administrative rights on the endpoint so they can use tools such as Mimikatz to dump credentials that can then be used to move laterally within the network.

In a recent attack, the Mango Sandstorm cybercriminals used privileged account credentials to move laterally on-prem and target a system hosting the Azure AD Connect agent. Azure AD Connect is a common tool that helps organisations manage hybrid identities by synchronising on-premise Active Directory (AD) with Azure AD. Because of this function it requires accounts and credentials to access both on-prem Active Directory and Azure Active Directory.

Unfortunately, in many case the accounts used are significantly over-privileged due to older versions of the software requiring the highly privileged “Global Administrator” role in Azure. With access to local administrator privileges the attackers could use AADInternals, an off-the-shelf tool, to capture the plain text credentials of highly privileged cloud accounts, allowing them to pivot from on-prem to the cloud.

Once in Azure they will target existing legitimate O-Auth applications by adding their own credentials that then allow them to issue access tokens and authenticate on behalf of the legitimate application, allowing them to call APIs and access cloud resources from a highly privileged account.

Abusing Azure applications is popular with cybercriminals because it provides an attractive way to maintain password-less persistence and access privilege within Azure. These were the same types of tactics used in the SolarWinds supply chain attack.

At this point the attackers have gained widespread privilege and access to all the on-prem and cloud infrastructure and were able to compromise mailboxes, destroy cloud infrastructure and finally deploy a ransomware payload on-prem. This widespread destruction is very difficult to recover from and could all be traced back to a common vulnerability in a public-facing server and over-privileged accounts.

Defending against hybrid attacks

Thankfully, there are some best-practice steps that organisations can take to increase their ability to ward off hybrid IT attacks. They include:

Monitor and protect identities and privileges

With the number of hybrid attacks on the rise, it is more important than ever for security teams to understand where identities, accounts and privileges exist across their organisation. Threat actors think in graphs and will pivot through on-prem and cloud infrastructures any way they can. Over-privileged and under-protected accounts offer them an easy path.

Identity is effectively the new perimeter for cyber attacks. By compromising an identity, attackers can gain access to a range of accounts, systems and applications. This is why the discipline of identity threat detection and response (ITDR) has emerged.

ITDR combines the worlds of identity access management (IAM) and security to better prevent and mitigate identity-based attacks. The more visibility and understanding a security team has of the accounts, privileges and access associated with identities across on-prem and cloud systems, the better positioned they will be to proactively protect them.

Create a strong least privilege foundation

In the case of Mango Sandstorm, the cybercriminals were able to access several privileged accounts on-prem that allowed them to then move laterally. By using endpoint privilege management tools, a security team can remove the need for users to be logging in with local administrative privileges that could be misused by an attacker to dump credentials and disable endpoint security.

Privileged password management tools can be used to discover, manage and protect privileged accounts. These can provide just-in-time access with a high level of control and auditing to prevent attackers from easily gaining access to accounts.

In general bringing privileged accounts under management, taking a least privilege approach and patching are among the most robust defences — mitigating many common attack techniques and greatly reducing an organisation’s attack surface.

Control execution

In a number of recent attacks, cybercriminals were found to deploy off-the-shelf remote access tools. As these tools are not in themselves malicious, they are less likely to be detected by AV or EDR solutions. Combining application control with privilege management provides a powerful way to reduce an attacker’s ability to deploy tools and access privileges. This limits the ease with which they can execute, persist and move laterally.

Defending against sophisticated nation state threat actors such as Mango Sandstorm can feel like a daunting task. This is particularly the case when the infrastructure comprises a hybrid mix of on-prem and cloud resources which may span multiple teams in your organisation.

Fortunately, there are lessons from the past we can draw on — the principle of least privilege is just as relevant now in modern hybrid environments as it was when the Department of Defence wrote about it in the 1980s.

Discovering, managing and reducing privileged accounts and access is vital. With many different accounts and systems forming hybrid IT having tools that provide visibility into all the identities, accounts and privileges within the infrastructure makes securing them easier. In short, you need to get a hold of your identity security and understand your risks before a threat actor does.

Image credit: iStock.com/HYWARDS