Detected - A Hard Matching Vulnerability Which Enables Azure AD Account Takeover

Uploaded on 2022-11-21 in TECHNOLOGY--Resilience, TECHNOLOGY--Hackers, FREE TO VIEW

The identity security pioneer, Semperis, has uncovered an abuse of hard matching synchronisation in Azure AD Connect that can lead to Azure AD account takeover. These findings build on the research that Semperis published in August, which described abuse of soft matching (also known as SMTP matching).  
 
This SyncJacking vulnerability means that an attacker with certain privileges can abuse hard matching synchronisation in Azure AD Connect to completely take over any synchronised Azure AD account  - including Active Global Administrator.   
 
These findings were promptly reported to the Microsoft Security Response Center (MSRC), which updated hardening guidelines to provide more specific mitigations against hard matching abuse. While MSRC rapidly responded and updated the hardening guidelines, further testing shows that the attack can succeed even after these mitigations are implemented.

It’s strongly advised to take extra mitigation to combat abuse and potential Azure AD account takeover and it’s important to note why attackers might exploit this method:   

  • The use of hard matching to facilitate Azure AD account takeover leaves no trace in on-prem AD logs and only minimal trace in Azure AD logs.  
  • The attack requires only two permissions on target accounts to completely take over any synchronised account with any role.  
  • An attacker who possesses relatively high permissions in AD can take over Azure AD by taking over any synchronised account with an Active/Eligible assignment.  

Potential Abuses  

User delegation:   If a user or group has been delegated control to manage users in one or more organisational units (OUs) with synchronised and unsynchronised users, then that user or group has full control on these objects and can hijack any of them - theoretically even becoming a Global Administrator.  

Account Operators:   Any user in the Account Operators group can manage all accounts and has account creation privileges. Therefore, any Account Operator can hijack any synchronised users.  

How To Detect A Syncjack Abuse 

You can reasonably (although not definitively) assume that this attack has occurred if two log events occur one after another in Azure AD: “Change User Password” followed by “Update User” with a changed DisplayName and a target that uses the same UPN.   Semperis Directory Services Protector (DSP) collects Azure AD changes and on-premises AD data and uses this data to detect attempts to exploit this vulnerability. Despite the minimal traces left by the attack, DSP’s specific capabilities enable detection.  

Syncjack Hardening Guidelines For Organisations 

MSRC has updated its guidelines to include the following recommendation:   

Disable Hard Match Takeover:   Hard match takeover allows Azure AD Connect to take control of a cloud managed object and changing the source of authority for the object to Active Directory. Once the source of authority of an object is taken over by Azure AD Connect, changes made to the Active Directory object that is linked to the Azure AD object will overwrite the original Azure AD data - including the password hash, if Password Hash Sync is enabled. An attacker could use this capability to take over control of cloud managed objects. To mitigate this risk, disable hard match takeover.  

Semperis’ testing shows that SyncJacking works even after disabling hard match takeover. Regardless, this hardening guideline is important to apply.  

MSRC states that it is important to enable MFA for all users who have privileged access in Azure AD or in AD. Currently, the only way to mitigate this attack is to enforce MFA on all synced users. This isn’t a surefire way to stop an attacker from accessing your account if SyncJacking is abused, but it can help.

Be sure to follow all hardening guidelines provided by Microsoft in the previous link to mitigate many attack surfaces in your hybrid identity environment. For even greater protection, consider implementing DSP for Identity Threat Detection and Response (ITDR).  

You Might Also Read: 

Azure Active Directory Recycle Bin Won’t Save Your Critical Data:

 

« The Hidden Costs Behind Black Friday Bargains
Shopping Safely Online During Black Friday »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Perforce Software

Perforce Software

Perforce helps companies build complex software products more collaboratively, securely, and efficiently.

InformationWeek

InformationWeek

InformationWeek is the world's most trusted online community for business technology professionals like you.

Titus

Titus

Titus is a global leader in enterprise-grade data protection solutions.

IntaForensics

IntaForensics

IntaForensics offer a full range of digital investigation services and are able to adapt to the individual needs of solicitors, private clients, Law Enforcement Agencies and commercial businesses.

Ilex International

Ilex International

Ilex International is a European software vendor which specialises in Identity & Access Management solutions.

DOS

DOS

DOS is an Ecuadorian company with 3 decades of presence in the market and extensive experience in the planning, management and execution of IT Service Integration Projects.

Sysdig

Sysdig

With Sysdig teams find and prioritize software vulnerabilities, detect and respond to threats, and manage cloud configurations, permissions and compliance.

ICS Cyber Security Conference

ICS Cyber Security Conference

SecurityWeek’s Industrial Control Systems (ICS) Cyber Security Conference is the largest and longest-running event series focused on industrial cybersecurity.

Plexal

Plexal

Plexal is East London's innovation centre and co-working space. We offer startups flexible memberships, giving them access to office space plus all the benefits and support they need to scale.

Angoka

Angoka

Angoka provide hardware-based solutions for managing the cybersecurity risks inherent in machine-to-machine communication networks.

Inetum

Inetum

Inetum (formerly Gfi Informatique) is an agile IT services providing digital services and solutions, and a global group that helps companies and institutions to get the most out of digital flow.

Kodem

Kodem

Our mission is to make AppSec simple. Meet the world’s first dynamic software composition analysis platform. Only Kodem uses runtime intelligence to determine application risk.

Blockfence

Blockfence

Blockfence are a seasoned crew versed in enterprise-grade cybersecurity and crypto, on a mission to collaboratively shape the future of Web3 security.

ARGOS Cloud Security

ARGOS Cloud Security

ARGOS aims to simplify and strengthen cloud security, by creating a visual map of security vulnerabilities, to your priceless information stored in any cloud provider environment.

Deloitte Denmark

Deloitte Denmark

Swift incident management, worldwide support, and advanced defense strategies ensure comprehensive recovery and enterprise security with our IR service.

Kolide

Kolide

Kolide ensures that if a device isn't secure, it can't access your apps.