Researchers found that threat actors could attack a new Microsoft cloud authentication protocol to steal or forge cloud tickets and carry out lateral movement in cloud-based Azure AD Kerberos.
In a Jan. 24 blog post, Silverfort researchers posted mitigations and explained that the new attacks derive from Silver Ticket and Pass The Ticket (PTT) being well-known on-prem Kerberos attacks used to perform lateral movement in Active Directory. As part of its migration to the cloud, Microsoft made Azure AD Kerberos available to authenticate access to cloud resources without having to use the on-prem AD version.
The Silverfort team developed two variants of Silver Ticket and PTT that work for Azure AD Kerberos, named Bounce the Ticket and Silver Iodide. The researchers said the new attacks expose hosted infrastructure such as servers and storage to malicious access.
Dor Segal, senior security researcher at Silverfort, said the team disclosed its research to Microsoft prior to publication to make them aware of the issue. Segal said because Microsoft does not consider this a traditional vulnerability it does not intend to fix the issues highlighted.
A Microsoft spokesperson added that this technique is not a vulnerability and that a potential attacker would need elevated or administrative rights that grant access to the storage account data to be used successfully.
“Microsoft recommends that customers regularly review their role definitions that include listkeys permissions, and enable software that prevents attackers from stealing credentials, such as Credential Guard, said the spokesperson.
Segal also explained that identity attacks often rely on abusing the underlying mechanism by which authentication protocols work, rather than exploiting weak code and fixing such protocols is often not the case of simply pushing out a patch. For this reason, Segal said they are not classified in the same manner as software vulnerabilities.
“Abuse of the legacy on-prem Kerberos authentication flow is commonplace for threat actors — APT29 used it in lateral movement, for example,” said Segal. “Aware of this, we realized attackers may well be checking whether these techniques now apply to Azure AD Kerberos, so we set out to help the security community better understand whether this was possible.”
Weak ticket encryption and dumping credentials from memory has proliferated the success of cyberattacks to the point where it’s become a staple in hacking Windows domains, said Davis McCarthy, principal security researcher at Valtix. McCarthy said with a few modifications to existing tools, Azure AD is just as susceptible to known TTPs as on-premise installations.
“Simply migrating an application to the cloud does not make it more secure, it usually just scales resources and improves availability,” explained McCarthy. “If the underlying architecture of the application is not secure, the attack surface shifts, but ultimately stays the same. This idea is reflected in the research because the mitigations to secure Kerberos are to reduce its attack surface and improve visibility into functions of its protocol."
Silverfort’s Segal noted that when Azure AD Kerberos was released in preview more than a year ago, his team started to research the new implementation and as part of that research developed two mitigations.
Silverfort recommends that security teams:
- Review and monitor for any changes to Azure Access Control and the share’s access control permissions to validate that only authorized users have permissions for the Microsoft.ClassicStorage/storageAccounts/listKeys/action — the Kerberos key extraction operation.
- To avoid the Bounce the Ticket attack, reduce the number of computers allowed to host cloud Ticket Granting Tickets (TGTs) to the minimum required. Admins can do that by restricting the “Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon” group policy to security groups that use Azure AD Kerberos.