Detected - A Hard Matching Vulnerability Which Enables Azure AD Account Takeover

Uploaded on 2022-11-21 in TECHNOLOGY--Resilience, TECHNOLOGY--Hackers, FREE TO VIEW

The identity security pioneer, Semperis, has uncovered an abuse of hard matching synchronisation in Azure AD Connect that can lead to Azure AD account takeover. These findings build on the research that Semperis published in August, which described abuse of soft matching (also known as SMTP matching).  
 
This SyncJacking vulnerability means that an attacker with certain privileges can abuse hard matching synchronisation in Azure AD Connect to completely take over any synchronised Azure AD account  - including Active Global Administrator.   
 
These findings were promptly reported to the Microsoft Security Response Center (MSRC), which updated hardening guidelines to provide more specific mitigations against hard matching abuse. While MSRC rapidly responded and updated the hardening guidelines, further testing shows that the attack can succeed even after these mitigations are implemented.

It’s strongly advised to take extra mitigation to combat abuse and potential Azure AD account takeover and it’s important to note why attackers might exploit this method:   

  • The use of hard matching to facilitate Azure AD account takeover leaves no trace in on-prem AD logs and only minimal trace in Azure AD logs.  
  • The attack requires only two permissions on target accounts to completely take over any synchronised account with any role.  
  • An attacker who possesses relatively high permissions in AD can take over Azure AD by taking over any synchronised account with an Active/Eligible assignment.  

Potential Abuses  

User delegation:   If a user or group has been delegated control to manage users in one or more organisational units (OUs) with synchronised and unsynchronised users, then that user or group has full control on these objects and can hijack any of them - theoretically even becoming a Global Administrator.  

Account Operators:   Any user in the Account Operators group can manage all accounts and has account creation privileges. Therefore, any Account Operator can hijack any synchronised users.  

How To Detect A Syncjack Abuse 

You can reasonably (although not definitively) assume that this attack has occurred if two log events occur one after another in Azure AD: “Change User Password” followed by “Update User” with a changed DisplayName and a target that uses the same UPN.   Semperis Directory Services Protector (DSP) collects Azure AD changes and on-premises AD data and uses this data to detect attempts to exploit this vulnerability. Despite the minimal traces left by the attack, DSP’s specific capabilities enable detection.  

Syncjack Hardening Guidelines For Organisations 

MSRC has updated its guidelines to include the following recommendation:   

Disable Hard Match Takeover:   Hard match takeover allows Azure AD Connect to take control of a cloud managed object and changing the source of authority for the object to Active Directory. Once the source of authority of an object is taken over by Azure AD Connect, changes made to the Active Directory object that is linked to the Azure AD object will overwrite the original Azure AD data - including the password hash, if Password Hash Sync is enabled. An attacker could use this capability to take over control of cloud managed objects. To mitigate this risk, disable hard match takeover.  

Semperis’ testing shows that SyncJacking works even after disabling hard match takeover. Regardless, this hardening guideline is important to apply.  

MSRC states that it is important to enable MFA for all users who have privileged access in Azure AD or in AD. Currently, the only way to mitigate this attack is to enforce MFA on all synced users. This isn’t a surefire way to stop an attacker from accessing your account if SyncJacking is abused, but it can help.

Be sure to follow all hardening guidelines provided by Microsoft in the previous link to mitigate many attack surfaces in your hybrid identity environment. For even greater protection, consider implementing DSP for Identity Threat Detection and Response (ITDR).  

You Might Also Read: 

Azure Active Directory Recycle Bin Won’t Save Your Critical Data:

 

« The Hidden Costs Behind Black Friday Bargains
Shopping Safely Online During Black Friday »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Netskope

Netskope

Netskope, a global cybersecurity leader, is redefining cloud, data, and network security to help organizations apply Zero Trust principles to protect data.

A-SIT Secure Information Technology Center

A-SIT Secure Information Technology Center

A-SIT was founded in 1999 as a registered nonprofit association and is established as a competence center for IT-Security.

Tubitak

Tubitak

Tubitak is the scientific and technological research council of Turkey. Areas of research include information technology and security.

Custodio Technologies

Custodio Technologies

Custodio Technologies was established as a Singaporean R&D Centre of Israel Aerospace Industries (IAI) in order to spearhead R&D activities in the field of cyber early warning.

CyberSure

CyberSure

CyberSure is a programme of collaborations and exchanges between researchers aimed at developing a framework for creating and managing cyber insurance policy for cyber systems.

Perimeter 81

Perimeter 81

Perimeter 81 is a Zero Trust Network as a Service designed to simplify secure network, cloud and application access for the modern and distributed workforce.

Intercast Global

Intercast Global

Intercast's mission is to be a strategic resource to our clients in Risk Reduction. We are a global leader in cyber security staffing and consulting to the enterprise.

CyberSN

CyberSN

CyberSN is your essential partner in cybersecurity workforce risk management offering solutions that empower leaders to diversify, acquire, retain, and develop their cybersecurity teams.

TAG Cyber

TAG Cyber

TAG Cyber's mission is to provide world-class cyber security research, advisory, and consulting services to enterprise security teams around the world.

01 Communique Laboratory

01 Communique Laboratory

01 Communique Laboratory is an innovation leader in the new realm of Post-Quantum Cyber Security.

InfoSystems Inc

InfoSystems Inc

InfoSystems provides reliable IT solutions to build and maintain strong and secure systems for both SMB and enterprise organizations.

Huntington Ingalls Industries (HII)

Huntington Ingalls Industries (HII)

Huntington Ingalls Industries is America’s largest military shipbuilding company and a provider of professional services to partners in government and industry.

National Academy of Cyber Security (NACS) - India

National Academy of Cyber Security (NACS) - India

National Academy of Cyber Security provides Professional Training Courses and Programmes in Cyber Security.

Island

Island

Island puts the enterprise in complete control of the browser, delivering a level of governance, visibility, and productivity that simply weren’t possible before.

Crygma

Crygma

CRYGMA Quantum-Resistant Cryptographic Machines, the new standard in data encryption.

Emantra

Emantra

Emantra specialises in the enablement of Secure Cloud services through it’s comprehensive Sovereign Cloud Hosting, Secure Access Service Edge, and managed services.