Cybercriminals are increasingly focusing their efforts on exploiting Microsoft identities to infiltrate not only Microsoft applications but also associated SaaS platforms. Their modus operandi doesn’t necessarily involve leveraging vulnerabilities; instead, they manipulate intrinsic Microsoft features to reach their objectives. A case in point is Nobelium, the group associated with the infamous SolarWinds breaches, which has used native capabilities such as establishing Federated Trusts [1] to ensure uninterrupted access to a Microsoft tenant.
This piece sheds light on another such intrinsic function which, if manipulated by cybercriminals, could allow sustained access to a Microsoft cloud tenant and also the ability to move laterally to a different tenant. By exploiting flawed Cross-Tenant Synchronization (CTS) configurations, attackers can access multiple connected tenants or create a rogue CTS configuration to ensure ongoing presence within a tenant. Vectra AI reports that this particular technique hasn’t been seen in active use, but given the history of exploitation of similar features, the firm wishes to educate defenders on potential indicators of such an attack and how to preemptively monitor its execution. Additionally, this article outlines how Vectra AI users are already shielded against this through their AI-powered alerts and Vectra’s Attack Signal Intelligence™.
Understanding Cross-Tenant Synchronization (CTS)
Microsoft’s CTS is a recent addition that allows organizations to synchronize users and groups from other (source) tenants and then grant them access to resources in the destination tenant. While beneficial for large corporations with various tenants across affiliated firms, it also lays the groundwork for potential exploitation if not correctly configured. Here’s how malicious actors could misuse CTS:
- Lateral Movement: Within a compromised setting, attackers can leverage existing CTS configurations to shift laterally from one tenant to another.
- Backdoor Access: Cybercriminals within a compromised tenant can establish a rogue CTS setup to guarantee continued access.
The Assumption
These exploitation techniques rest on an ‘Assumed Compromise’ premise, meaning they start from the position that an identity within Microsoft’s cloud ecosystem is already compromised.
Key Terms
- Source Tenant: The origin from which users & groups are synced.
- Target Tenant: Where the users & groups are transferred and resources are located.
- CTS: Abbreviation for ‘Cross-Tenant Synchronization’.
- CTA: Abbreviation for ‘Cross-Tenant Access’.
- Compromised Account: The initial point of access for adversaries.
The Mechanism
For a successful attack, certain licenses and elevated privileges are required in the breached tenant. A Global Admin role would have all the required permissions for these actions.
Defensive Measures
It’s vital to follow best practices to minimize the risks. This includes avoiding an all-encompassing inbound CTA configuration and ensuring strict regulation and monitoring of groups with access permissions.
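A check a defender could run against an export of the tenant’s cross-tenant access partner settings, added here as an example that is not part of the original article or of Vectra’s tooling: it flags partners whose inbound settings match the all-encompassing configuration the text warns against (inbound CTS user sync allowed, inbound automatic consent, or inbound B2B collaboration open to all users). The JSON field names are assumed from the Microsoft Graph crossTenantAccessPolicy partner resource, and the sample data and tenant IDs are constructed.

```python
"""Audit exported cross-tenant access partner configurations for risky inbound CTS/CTA settings."""
import json

# Constructed sample shaped like Graph /policies/crossTenantAccessPolicy/partners
# objects (field names assumed from that resource; tenant IDs are placeholders).
SAMPLE_PARTNERS = json.dumps([
    {   # partner 1: wide-open inbound configuration
        "tenantId": "11111111-0000-0000-0000-000000000001",
        "automaticUserConsentSettings": {"inboundAllowed": True, "outboundAllowed": False},
        "b2bCollaborationInbound": {
            "usersAndGroups": {"accessType": "allowed",
                               "targets": [{"target": "AllUsers", "targetType": "user"}]}},
        "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": True}},
    },
    {   # partner 2: inbound collaboration scoped to one group, no sync, no auto-consent
        "tenantId": "22222222-0000-0000-0000-000000000002",
        "automaticUserConsentSettings": {"inboundAllowed": False, "outboundAllowed": False},
        "b2bCollaborationInbound": {
            "usersAndGroups": {"accessType": "allowed",
                               "targets": [{"target": "group-guid-placeholder", "targetType": "group"}]}},
        "identitySynchronization": None,
    },
])


def allows_all_users(rule):
    """True when an inbound usersAndGroups rule is 'allowed' for the AllUsers wildcard."""
    if not rule or rule.get("accessType") != "allowed":
        return False
    return any(t.get("target") == "AllUsers" for t in rule.get("targets", []))


def audit_partners(partners_json):
    """Return {tenantId: [finding, ...]} for partners whose inbound settings would
    let a compromised source tenant push identities into this tenant unchecked."""
    findings = {}
    for partner in json.loads(partners_json):
        issues = []
        sync = (partner.get("identitySynchronization") or {}).get("userSyncInbound") or {}
        if sync.get("isSyncAllowed"):
            issues.append("inbound CTS user sync allowed")
        if (partner.get("automaticUserConsentSettings") or {}).get("inboundAllowed"):
            issues.append("inbound automatic consent enabled")
        b2b = partner.get("b2bCollaborationInbound") or {}
        if allows_all_users(b2b.get("usersAndGroups")):
            issues.append("inbound B2B collaboration open to all users")
        if issues:
            findings[partner["tenantId"]] = issues
    return findings


if __name__ == "__main__":
    for tenant, issues in audit_partners(SAMPLE_PARTNERS).items():
        print(tenant, "->", "; ".join(issues))
```

Each flagged partner is a tenant whose compromise would give an attacker a ready-made path into this one; review those entries and narrow them to the specific groups and settings the business actually needs.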
For Vectra Customers
Vectra’s portfolio is equipped to detect these malicious activities. The emphasis on detecting behavioral patterns, rather than relying on known attack signatures, places Vectra in a unique position to identify emerging threats like this one.
Test to Protect
Continuous and effective testing of environments is paramount. The MAAD-Attack Framework is a resourceful open-source tool that bundles widely-used attacker techniques, offering security teams a way to simulate them in their own environments. It can be found on GitHub and is a valuable asset for ongoing security evaluation.