The US Cybersecurity and Infrastructure Security Agency (CISA) pushed out a free toolkit on Christmas Day designed to boost Azure security, or identify “unusual and potentially malicious activity that threatens users and applications in an Azure/Microsoft O365 environment.”
CISA said: “The tool is intended for use by incident responders and is narrowly focused on activity that is endemic to the recent identity- and authentication-based attacks seen in multiple sectors”.
(Azure has been abused by the sophisticated state-sponsored hackers behind the recent cyber-espionage campaign against federal government organisations and other targets, the NSA has warned).
Dubbed Sparrow.ps1, its GitHub repo shows it “checks and installs the required PowerShell modules on the analysis machine, check the unified audit log in Azure/M365 for certain indicators of compromise (IoC’s), list Azure AD domains, and check Azure service principals and their Microsoft Graph API permissions to identify potential malicious activity. The tool then outputs the data into multiple CSV files in a default directory”.
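The service-principal review described above, as an added example that is not CISA’s Sparrow.ps1 or CrowdStrike’s CRT: it lists every app-only Microsoft Graph permission granted to a service principal in the tenant and writes the result to CSV, with a constructed watch list of permissions a responder would want justified first. It assumes the AzureAD PowerShell module and an account that can read the directory.

```powershell
# Added example (not the CISA or CrowdStrike tool). Assumes the AzureAD module
# is installed and Connect-AzureAD succeeds with a directory reader account.
Connect-AzureAD | Out-Null

# The Microsoft Graph resource service principal (well-known appId) carries the
# catalogue of app roles, i.e. the application permissions other SPs can hold.
$graphSp = Get-AzureADServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleNames = @{}
foreach ($role in $graphSp.AppRoles) { $roleNames[$role.Id] = $role.Value }

# Constructed watch list: permissions that give tenant-wide mail or directory access.
$highRisk = @('Mail.Read', 'Mail.ReadWrite', 'Directory.ReadWrite.All',
              'RoleManagement.ReadWrite.Directory', 'Application.ReadWrite.All')

# Each app-role assignment where Graph is the resource is one app-only permission
# granted to some service principal; resolve the role id to its readable name.
$rows = Get-AzureADServiceAppRoleAssignedTo -ObjectId $graphSp.ObjectId -All $true |
    ForEach-Object {
        $perm = $roleNames[$_.Id]
        [pscustomobject]@{
            ServicePrincipal = $_.PrincipalDisplayName
            PrincipalId      = $_.PrincipalId
            Permission       = $perm
            HighRisk         = ($highRisk -contains $perm)
            Granted          = $_.CreationTimestamp
        }
    }

# CSV on disk for the case file, high-risk grants sorted to the top; also echo
# the high-risk rows so the responder sees them without opening the file.
$rows | Sort-Object -Property @{Expression = 'HighRisk'; Descending = $true}, Permission |
    Export-Csv -Path .\graph_app_permissions.csv -NoTypeInformation
$rows | Where-Object HighRisk | Format-Table ServicePrincipal, Permission, Granted -AutoSize
```

A recently created grant of a watch-listed permission to an unfamiliar service principal is the kind of entry worth correlating against the unified audit log before accepting it as legitimate.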
The release comes two days after security firm CrowdStrike warned that Microsoft Azure’s own administrative tools are inadequate for those wanting to review permissions across Active Directory environments.
The endpoint protection specialist hit out at a lack of clear documentation and an inability to audit via API, and warned that “auditing Azure AD permissions… is a time-consuming and complex process” as it pushed out a free community tool intended to help review permissions.
Microsoft caught up in reaction to SUNBURST campaign
Microsoft has found itself deeply embroiled in the recent sweeping SolarWinds/SUNBURST attacks on federal government agencies and other targets, after the apparently state-sponsored group behind the campaign used a range of techniques to abuse Azure — including via exfiltrated SAML token signing certificates that allow them to forge tokens and access any resources trusted by those certificates, with Microsoft saying that it has seen these forged tokens used to access Azure.
(As everyone from Microsoft to the NSA has been keen to emphasise, this implies the attackers had already gained the highest level of privileges inside the network and used them to establish long-term access to the target network. The attackers are believed to have used a wide range of tools and vulnerability exploits in the attacks, including CVE-2020-4006, a command injection vulnerability in five VMware products, which has been used to deploy a webshell on target systems.)
CrowdStrike: Yeah but Azure security audits are a headache
CrowdStrike hit out at Azure AD admin controls after being notified by Microsoft that hackers tried and failed to hack CrowdStrike through a Microsoft reseller’s Azure account: “Specifically, they identified a reseller’s Microsoft Azure account used for managing CrowdStrike’s Microsoft Office licenses was observed making abnormal calls to Microsoft cloud APIs during a 17-hour period” some months ago.
CrowdStrike’s notice comes as the fallout from arguably the largest, most far-reaching cyber-espionage effort caught to date continues. “CrowdStrike does not have any attribution and does not know of any connection to SUNBURST”, it emphasised of the attempt, adding tartly that the attackers had tried to read email, but “as part of our secure IT architecture, CrowdStrike does not use Office 365 email.”
Azure AD permissions: “Try this…”
CrowdStrike has now released a new “CrowdStrike Reporting Tool for Azure” (CRT), a free community tool to help organisations “quickly and easily review excessive permissions in their Azure AD environments, help determine configuration weaknesses, and… mitigate risk.”
CrowdStrike said: “We experienced first hand the difficulties customers face in managing Azure’s administrative tools to know what relationships and permissions exist within Azure tenants, particularly with third-party partner/resellers, and how to quickly enumerate them. We found it particularly challenging that many of the steps required to investigate are not documented, there was an inability to audit via API, and there is the requirement for global admin rights to view important information which we found to be excessive. Key information should be easily accessible.”
The Stack has contacted Microsoft for comment.
CrowdStrike recommends reviewing tenant configurations and applying a sweeping range of hardening measures to Azure, including through aggressive review of “trust relationships” with partners.
It also recommends that users:
Store SAML token signing certificate key material in a Hardware Security Module (HSM) so that the signing key cannot be stolen. Alternatively, rotate SAML signing certificates periodically.
Ensure only required on-premises AD Organizational Units (OUs) and objects are being synced to the cloud. Use extreme caution when establishing bi-directional trust and syncing privileged identities, service accounts, or OUs between on-premise and cloud.
Review access controls to the Azure administrator portal, using least privilege access principles and review the environment for overly privileged service accounts that may have access to on-prem environments as well as Azure and reduce privileges and access if possible… Ensure that only dedicated cloud-only administrator accounts are used for cloud administration; and enforce multi-factor authentication for all users, with MFA access policy set to “Do not allow users to create app passwords to sign in to non-browser apps” to prevent bypassing MFA.
On-premise systems should also be hardened: “Privileged users, roles and organizational units should be synced between cloud and on-premises or self-managed directories with extreme caution”, CrowdStrike warns. “Cloud admin roles must rely on cloud-only authentication and not authenticate with SAML SSO, just as admin roles for on-premises / self managed must not be authenticated through cloud services.”