Responding to Microsoft 365 Attacks

Responding to the December 2020 Solarwinds Supply Chain Attack (“Solarigate”) solidified one of the most pressing security gaps of this new decade: visibility and defense against cloud application attacks. In Solarigate, attackers used the tainted Solarwinds software as an entry vector into servers and pivoted into wider network take-over, but this network take-over was not the goal. The end goal was access to communications and the informational crown jewels of the target. For most organizations today, that isn’t on our on-prem networks anymore; it’s in third party cloud platforms.

When the Solarwinds attackers compromised a network, one of their main goals was to gain access to Microsoft / Office 365, by far the most popular cloud application. A recent report from the WSJ noted that the attackers had access to Solarwind’s Office 365 accounts as early as 9 months prior to discovering the attack and other reports indicated this was a common tactic. With this access they were able to read emails, reset passwords to other services (email password recovery), and monitor whether they had been caught yet. It’s not just email either. A service like Microsoft 365 can now be the holder of all that an organization values (and once put in their on-prem networks): data (OneDrive), Servers (Azure), IT Management (AzureAD), Email (Exchange/Outlook 365) and Endpoint management (intune) can all live in Microsoft’s cloud platform.

How to Attack Office 365

Recent attacks against a cloud service like Office 365 have utilized a number of tactics, most relying on poor security configurations.

1. Inadequete Security Configurations
   • Inadequete security configurations make it much easier to attack the cloud app directly using leaked username/password combos.
   • Examples of common misconfigurations:
     • Not enforcing two-factor authentication
     • Too many administrators
     • Password sync (same passwords used on-prem as on the cloud side)
     • No auditing enabled
   • The Cybersecurity Infrastructure & Security Agency (CISA) reported on several of these here: https://us-cert.cisa.gov/ncas/analysis-reports/AR19-133A
2. Active Directory Federation Services (ADFS)
   • On-prem networks can authorize users access to cloud applications using their on-prem Active Directory service. It does this by issuing SAML tokens to grant single sign-on access.
   • The method used during the Solarigate incident was to compromise the on-prem domain controller and steal the “Golden” SAML token used to grant users access to their cloud apps.
     • Note: The use of this stolen SAML token would trip no alarms on your on-prem network
   • Most important part of this vector is that it starts with an on-prem compromise of a workstation or datacenter server.
3. User Device Compromise
   • A tried a true vector for cloud compromise is to hijack a user device (like their laptop). With this access they can then install keyloggers to steal username/password combos or perform session hijacking attacks while they are logging into their cloud service.
   • Attacks like keylogging can be mitigated with out-of-band two-factor authentication. Reporting these failures can queue defenders to such an attack on a user device.

Infocyte’s Approach to Securing Office 365

Due to demand from our partner, incident responders and security managers, Infocyte recently launched phase 1 of our answer to these attacks. Our Office 365 connector makes it extremely easy to assess, monitor, and mitigate the most pressing Office 365 security misconfigurations.

With the vast number of new security features and APIs available in Microsoft cloud services, it’s become difficult for a typical administrator to handle or prioritize. Infocyte’s role is to leverage these new security APIs to simplify the experiance and make complex Microsoft security capabilities accessible for a broader user base.

Also remember that two of the vectors noted above result from endpoint compromise. Our platform has historically been endpoint focused so we’re able to detect and respond to even the most advanced on-prem compromises whether it’s a server (e.g. a Solarwinds server) or a keyloggers on a user device.

If you’re interested in learning more about Infocyte’s approach to Microsoft 365 security or performing a threat assessment, contact us here.

The post Responding to Microsoft 365 Attacks appeared first on Infocyte.

*** This is a Security Bloggers Network syndicated blog from Blog – Infocyte authored by Chris Gerritz. Read the original post at: https://www.infocyte.com/blog/2021/02/03/responding-to-microsoft-365-attacks/