Detected - A Hard Matching Vulnerability Which Enables Azure AD Account Takeover

The identity security pioneer, Semperis, has uncovered an abuse of hard matching synchronisation in Azure AD Connect that can lead to Azure AD account takeover. These findings build on the research that Semperis published in August, which described abuse of soft matching (also known as SMTP matching).  
 
This SyncJacking vulnerability means that an attacker with certain privileges can abuse hard matching synchronisation in Azure AD Connect to completely take over any synchronised Azure AD account  - including Active Global Administrator.   
 
These findings were promptly reported to the Microsoft Security Response Center (MSRC), which updated hardening guidelines to provide more specific mitigations against hard matching abuse. While MSRC rapidly responded and updated the hardening guidelines, further testing shows that the attack can succeed even after these mitigations are implemented.

It’s strongly advised to take extra mitigation to combat abuse and potential Azure AD account takeover and it’s important to note why attackers might exploit this method:   

  • The use of hard matching to facilitate Azure AD account takeover leaves no trace in on-prem AD logs and only minimal trace in Azure AD logs.  
  • The attack requires only two permissions on target accounts to completely take over any synchronised account with any role.  
  • An attacker who possesses relatively high permissions in AD can take over Azure AD by taking over any synchronised account with an Active/Eligible assignment.  

Potential Abuses  

User delegation:   If a user or group has been delegated control to manage users in one or more organisational units (OUs) with synchronised and unsynchronised users, then that user or group has full control on these objects and can hijack any of them - theoretically even becoming a Global Administrator.  

Account Operators:   Any user in the Account Operators group can manage all accounts and has account creation privileges. Therefore, any Account Operator can hijack any synchronised users.  

How To Detect A Syncjack Abuse 

You can reasonably (although not definitively) assume that this attack has occurred if two log events occur one after another in Azure AD: “Change User Password” followed by “Update User” with a changed DisplayName and a target that uses the same UPN.   Semperis Directory Services Protector (DSP) collects Azure AD changes and on-premises AD data and uses this data to detect attempts to exploit this vulnerability. Despite the minimal traces left by the attack, DSP’s specific capabilities enable detection.  

Syncjack Hardening Guidelines For Organisations 

MSRC has updated its guidelines to include the following recommendation:   

Disable Hard Match Takeover:   Hard match takeover allows Azure AD Connect to take control of a cloud managed object and changing the source of authority for the object to Active Directory. Once the source of authority of an object is taken over by Azure AD Connect, changes made to the Active Directory object that is linked to the Azure AD object will overwrite the original Azure AD data - including the password hash, if Password Hash Sync is enabled. An attacker could use this capability to take over control of cloud managed objects. To mitigate this risk, disable hard match takeover.  

Semperis’ testing shows that SyncJacking works even after disabling hard match takeover. Regardless, this hardening guideline is important to apply.  

MSRC states that it is important to enable MFA for all users who have privileged access in Azure AD or in AD. Currently, the only way to mitigate this attack is to enforce MFA on all synced users. This isn’t a surefire way to stop an attacker from accessing your account if SyncJacking is abused, but it can help.

Be sure to follow all hardening guidelines provided by Microsoft in the previous link to mitigate many attack surfaces in your hybrid identity environment. For even greater protection, consider implementing DSP for Identity Threat Detection and Response (ITDR).  

You Might Also Read: 

Azure Active Directory Recycle Bin Won’t Save Your Critical Data:

 

« The Hidden Costs Behind Black Friday Bargains
Shopping Safely Online During Black Friday »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Phoenix Contact Cyber Security

Phoenix Contact Cyber Security

Phoenix Contact Cyber Security is a leading manufacturer of network security appliances for use in industrial environments.

DataLocker

DataLocker

DataLocker offers both hardware based external storage and software based cloud storage encryption solutions.

File Centre

File Centre

File Centre is a leading specialist when it comes to data backup, we offer our clients a premium backup retrieval and delivery solution.

Cryptshare

Cryptshare

Cryptshare is a communication solution that enables you to share e-mails and files of any size securely.

OXO Cybersecurity Lab

OXO Cybersecurity Lab

OXO Cybersecurity Lab is the first dedicated cybersecurity incubator in the Central & Eastern Europe region.

BrandProtections.Online

BrandProtections.Online

BrandProtections.online offer end-to-end customer support solutions to help protect against threats which may affect your brand online.

Angoka

Angoka

Angoka provide hardware-based solutions for managing the cybersecurity risks inherent in machine-to-machine communication networks.

Stellar Cyber

Stellar Cyber

Stellar Cyber makes Open XDR, the only comprehensive security platform providing maximum protection of applications and data wherever they reside.

Q6 Cyber

Q6 Cyber

Q6 Cyber is an innovative threat intelligence company collecting targeted and actionable threat intelligence related to cyber attacks, fraud activity, and existing data breaches.

Wontok

Wontok

Wontok deliver innovative value-added data security services that fill the gaps left in traditional security solutions.

Edgile

Edgile

Edgile is the trusted cyber risk and regulatory compliance partner to the world’s leading organizations, providing consulting, managed services, and harmonized regulatory content.

Nexon Asia Pacific

Nexon Asia Pacific

Nexon solutions include cloud infrastructure and services, unified communications, managed security services, business continuity, secured high-performance network and business applications.

SafeStack Academy

SafeStack Academy

SafeStack Academy is an online cyber security and privacy education platform. Our content is designed by experts to suit small businesses, growing companies, and development teams.

Oxford Internet Institute - University of Oxford

Oxford Internet Institute - University of Oxford

The Oxford Internet Institute is a multidisciplinary research and teaching department of the University of Oxford, dedicated to the social science of the Internet.

nandin Innovation Centre

nandin Innovation Centre

nandin is ANSTO’s Innovation Centre (Australian Nuclear Science and Technology Organisation) where science and technology entrepreneurs, startups and graduates come together.

EasySec Solutions

EasySec Solutions

EasySec Solutions provides a cyber-security platform, based on a combination of the zero trust model and the software-defined security management.