Cybercriminals Are Moving into the Cloud and Making Your Active Directory Their New Home

Key Points:

• Sophisticated threat actors including Octo Tempest (AKA Scattered Spider) and Storm-0501 are increasingly compromising Microsoft Entra ID environments to plant a foothold into their victim organizations’ infrastructure. 
• Malicious paths to initial Entra ID intrusion include compromise of Microsoft Entra Connect Sync accounts in hybrid environments, session hijacking of cloud user accounts, and social engineering.
• Attackers “move-in” to your environment and maintain persistence through abuse of Cross-Tenant Synchronization or by attaching a new Federated domain under their control.
• Once Microsoft Cloud environments are compromised, cybercriminals can exfiltrate sensitive company data and/or deploy ransomware for extortion. 

Introduction 

Financially motivated cybercriminals are increasingly targeting Cloud environments in their ransomware and/or extortion attacks. The attack activity of two (2) threat groups in particular – Octo Tempest (AKA Scattered Spider) and Storm-0501 – provides insights into weaknesses they exploit to gain initial access, to pivot from on-premise to Cloud environments, and to escalate privileges to maximize their impact on victim organizations. 

Scattered Spider has been active since at least early 2022 and was responsible for high-profile attacks in the past few years, including those against MGM Casinos and Okta.¹ Storm-0501 has been active as early as 2021 and has most recently been observed using Embargo ransomware in their attacks.² Both groups have expanded their tactics to target Cloud-based identities for either initial access or to expand their foothold in the victim organization, exfiltrating sensitive data and creating backdoors for themselves in the process. By creating a backdoor in the Cloud, attackers can maintain persistence even after defenders have been made aware of their presence.  

Knocking on Doors and Breaking Glass

There are various pathways attackers can take to initially compromise an element of a network, and that path will differ depending on whether you are targeted intentionally or opportunistically. The most common forms of initial access are vulnerability exploitation and social engineering. Scattered Spider is perhaps most notorious for their social engineering prowess, tricking well-meaning IT personnel into granting privileged access to systems, crafting deceptive SMS-phishing (smishing) messages, and performing SIM-swapping to bypass MFA.³ Attackers can also gain initial access by exploiting network vulnerabilities. Microsoft recently reported on a Storm-0501 campaign that exploited known vulnerabilities in Zoho ManageEngine (CVE-2022-47966), Citrix NetScaler (CVE-2023-4966), and the ColdFusion 2016 application (possibly CVE-2023-29300 or CVE-2023-38203).⁴ 

Once initial access is achieved, the attackers have crossed your threshold and will immediately start looking for ways to increase privileges to expand access, either via your on-premises network or an already compromised Cloud account. If they are not yet in your Entra ID environment, they will use tools such as ADRecon and PingCastle to gather detailed information about your Active Directory.⁵ To transition from an on-premise compromise to the Cloud, they can exploit Microsoft Entra Connect Sync accounts or hijack the Cloud account of an already compromised on-premises account. Entra Connect is an on-premises Microsoft application that syncs passwords between on-prem AD and Entra ID. In a recent Storm-0501 campaign, the threat actor located a victim’s Microsoft Entra Connect servers and extracted the credentials of the two (2) service accounts critical to syncing passwords between the environments⁴. Once these sync accounts are compromised, attackers can change the Entra ID passwords of any hybrid account, thus granting them access to your Cloud environment. 

Changing Your Locks and Inviting Their Friends In

Attackers have been using creative ways to maintain persistence once they have compromised Entra ID environments. They can create backdoors into your AD home by creating a new federated domain in the tenant or abusing Cross-tenant Synchronization (CTS). 

Cross-tenant Synchronization is a feature of Entra ID that allows for synchronization across tenants, allowing organizations to effectively manage users and groups across different tenants. When abused, attackers can link their own attacker-controlled tenant to a victim’s tenant. The attacker must first gain access to an account in the victim tenant with privileges to allow a new inbound synchronization.³ Once set up, the attacker can provision new accounts in the victim tenant for persistence. If the victim organization already has synchronization set up with other tenants, the attackers would of course then have access to any other legitimately linked tenants as well, allowing them to move laterally. 

Both Scattered Spider and Storm-0501 have been observed creating new federated domains in the victim Entra ID tenant to establish backdoors into environments. A federated domain in Entra ID is configured to use federation technologies (AD FS) to authenticate users. Even if your Entra ID domain is managed (and not federated), attackers can switch it to a federated one. Then, they create a federation trust between the victim tenant and their own malicious domain. From there, attackers use an open-source tool called AADinternals which is a PowerShell module designed for penetration testers. Attackers use AADinternals to create Security Assertion Markup Language (SAML, SAML2) tokens also known as “Golden Tokens”.⁴ These Golden Tokens allow the attacker to impersonate any user in the organization and authenticate into applications while bypassing Multi-factor Authentication (MFA), effectively giving them unfettered access to the Entra ID kingdom.  

Source: Microsoft ⁴

Looting and Extortion

The primary goal of these attacks is to extract the most money from victims via ransomware and extortion. Organizations are increasingly storing sensitive information in the Cloud, information that attackers know you would pay for to remain secret, making them lucrative targets. Threat actors can deploy ransomware in the Cloud, encrypting files and demanding payment for the decryption key. Depending on the attacker’s motivation and attack vector, they may compromise both on-premise and Cloud environments, potentially doubling their negative impact on critical business processes. 

Keeping Your Active Directory Safe

The National Security Agency (NSA) recently released a Cybersecurity Technical Report (CTR) on detecting and mitigating Active Directory compromises jointly with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD ACSC) and other agencies.⁶ The report details many different attacks against Active Directory, including those mentioned in this article, and highlights detection and mitigation strategies.⁷

The cybersecurity tools and technology space has seen a year-long trend that focuses solutions on securing “Identities” and protecting against Identity-based attacks. The trend has become more prevalent as organizations shift towards mainly Cloud-based operations, while, in response, cybercriminals are similarly shifting their tactics to compromising Cloud environments. 

Ankura Recommendations

Consider implementing the following to help protect against and detect Active Directory (AD) attacks: 

1. Do some spring cleaning with an AD Assessment
   1. Understanding your own Active Directory configuration is an important first step. Perform an Active Directory assessment to uncover stale accounts, unintended permission sets, and routes for privilege escalation. This exercise will ensure you know who your privileged users are so you can move on to step 2.
2. Install deadbolts by securing privileged access
   1. There are different AD models to help secure privileged access. For more information and key principles behind securing privileged access, we recommend reviewing the recently released joint report from the NSA⁷.
3. Limit access through Conditional Access Policies 
   1. Conditional Access policies in Entra ID are evaluated and enforced every time a user attempts to sign in. Policies such as device compliance and trusted IP address requirements limit who can log into accounts. 
4. Get a security recording system by logging security events 
   1. Ankura recommends logging and centralizing Windows events and O365/Entra ID audit logs. Beyond just recording security events, ensure you have detection rules in place for various attacks and security personnel available 24/7/365 to evaluate and escalate true positive detections.

Conclusion

Cybercriminals are starting to leverage Cloud environments to both gain initial access and increase their impact during attacks. A key component of compromise for many organizations is the Active Directory environment, which can be leveraged by attackers to escalate privileges and move laterally throughout the environment. Whether or not your organization uses on-premises, hybrid, or Cloud Active Directory, there are many avenues attackers can take to exploit and gain access to your systems. Organizations should consider following our recommendations above to help protect against these more novel procedures for long-standing tactics and techniques for identity compromise. If you would like to learn more about what your organization should do or how Ankura could help, please contact us. 

^{1. https://www.theregister.com/2023/09/15/scattered_spider_snares_100_victims/}

^{2. https://www.bleepingcomputer.com/news/security/embargo-ransomware-escalates-attacks-to-cloud-environments/}

^{3. https://blog.eclecticiq.com/ransomware-in-the-cloud-scattered-spider-targeting-insurance-and-financial-industries}

^{4. https://www.microsoft.com/en-us/security/blog/2024/09/26/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/}

^{5. https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/}

^{6. https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3917556/nsa-jointly-releases-guidance-for-mitigating-active-directory-compromises/}

^{7. https://media.defense.gov/2024/Sep/25/2003553985/-1/-1/0/CTR-DETECTING-AND-MITIGATING-AD-COMPROMISES.PDF}

^{© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.}