In today’s rapidly changing technological climate, many organizations have already embraced and deployed hybrid environments within their infrastructures. Organizations that have not yet adopted these environments are catching up quickly, as a hybrid approach helps to increase efficiency, reduce costs, and improve scalability.

One component at the heart of a hybrid environment is Azure AD, Microsoft's cloud identity service, which provides identity management for cloud resources much as on-premises Active Directory does for the domain. Azure AD Connect is the on-premises server component that synchronizes identities, and by default password hashes, between the two.

Several attack vectors against Azure AD Connect have now been demonstrated in a lab environment. They show how threat actors can plant a hard-to-detect backdoor by stealing password hashes as they are synchronized and by intercepting the cleartext credentials of the AAD Connector accounts.

Researchers from Sygnia have disclosed techniques that attackers can use to hook the Password Hash Sync (PHS) functions, which Azure AD Connect enables by default, to steal the NT hashes of domain accounts on demand, and to abuse Active Directory Certificate Services (ADCS) to intercept TLS-encrypted traffic from a man-in-the-middle (MITM) position.

Concept proved: mitigations required

These methods stand out because they let threat actors maintain persistence in an organization's network in ways that common security controls neither block nor detect.

For example, an attacker who hooks the hash extraction receives every future password change in the domain as it is synchronized, without having to touch the domain controllers again. ADCS can likewise be abused to obtain the AAD Connector account's password: a certificate template that grants the Server Authentication EKU to low-privileged enrollees lets the attacker obtain a certificate for login.microsoftonline.com from the enterprise CA, which every domain-joined machine already trusts. With the Azure AD Connect server's name resolution for that host redirected, the attacker sits as a MITM on the TLS channel to Azure AD and can read the credentials passing through it; the same template misconfiguration can be used to attack other TLS-encrypted channels in the network.

For mitigation, restrict enrollment rights on certificate templates that include the Server Authentication EKU, and monitor template enrollments so that no certificate is issued with an external name such as login.microsoftonline.com in its subject or subject alternative names. In addition, monitor the certificate store on the Azure AD Connect server to ensure that the Trusted Root Certification Authorities store contains only Root CAs the organization intends to trust.
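As an added example (not Sygnia's code and not from the original article), the following PowerShell audit lists the certificate templates in the forest that carry the Server Authentication EKU, reports which broadly scoped groups hold the Enroll right on them, and shows whether the template lets the enrollee supply the subject, which is what makes requesting a certificate for an external name possible. The group names in the list are an assumption to adjust for your environment.

```powershell
# Added example, not Sygnia's or Microsoft's code: audit the templates in the
# Configuration partition whose EKU includes Server Authentication and report
# which broad groups can enroll in them. Requires the ActiveDirectory module
# (RSAT) and read access to the Configuration naming context.
# $BroadPrincipals is a starting list (an assumption), not a complete one.

Import-Module ActiveDirectory

$ServerAuthOid   = '1.3.6.1.5.5.7.3.1'                          # id-kp-serverAuth
$EnrollRightGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55' # Certificate-Enrollment extended right
$BroadPrincipals = @('Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone')

function Get-RiskyServerAuthTemplates {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base  = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $props = 'pKIExtendedKeyUsage', 'msPKI-Certificate-Application-Policy',
             'msPKI-Certificate-Name-Flag', 'nTSecurityDescriptor'

    Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties $props |
    ForEach-Object {
        $tpl  = $_
        # Either attribute can carry the EKU list depending on template version.
        $ekus = @($tpl.pKIExtendedKeyUsage) + @($tpl.'msPKI-Certificate-Application-Policy')
        if ($ekus -notcontains $ServerAuthOid) { return }

        # Collect broad principals that hold Enroll (directly, via "all extended
        # rights", or via full control) on this template.
        $broadEnrollers = foreach ($ace in $tpl.nTSecurityDescriptor.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $name = ($ace.IdentityReference.Value -split '\\')[-1]
            if ($BroadPrincipals -notcontains $name) { continue }
            $rights = $ace.ActiveDirectoryRights
            $grantsEnroll = $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
                ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
                 ($ace.ObjectType -eq $EnrollRightGuid -or $ace.ObjectType -eq [guid]::Empty))
            if ($grantsEnroll) { $name }
        }

        # Bit 0x1 of msPKI-Certificate-Name-Flag (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT):
        # the requester chooses the subject/SAN, so any DNS name can be asked for.
        $enrolleeSuppliesSubject = ([int]$tpl.'msPKI-Certificate-Name-Flag' -band 1) -ne 0

        if ($broadEnrollers) {
            [pscustomobject]@{
                Template                = $tpl.Name
                BroadEnrollers          = ($broadEnrollers | Sort-Object -Unique) -join ', '
                EnrolleeSuppliesSubject = $enrolleeSuppliesSubject
            }
        }
    }
}

# Templates where a broad group can enroll AND the enrollee picks the name come first.
Get-RiskyServerAuthTemplates | Sort-Object EnrolleeSuppliesSubject -Descending | Format-Table -AutoSize
```

A template listed here is only exploitable through a CA that has it published, so cross-check the output against the templates each CA offers (certutil -CATemplates on the CA) before deciding which ACLs to tighten. Templates that take the subject from Active Directory rather than from the request still deserve review, since an attacker who controls a computer account's DNS name can influence the subject that way.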

Finally, organizations should classify and protect the Azure AD Connect server as a Tier 0 asset, in line with Microsoft's Enterprise Access Model. In addition, consider the following guidelines:

  • Network restrictions: restrict network access to the server to reduce its attack surface, and monitor inbound and outbound traffic for signs of MITM activity such as DNS spoofing and ARP poisoning.
  • Privileged Access Management: enforce secure administrative access to the Azure AD Connect server, and monitor it for abnormal activity, including suspicious authentication attempts.
  • Endpoint Detection and Response: deploy an EDR solution on the server to detect and respond to common threats, and specifically to:
    – tampering with the hosts file to change the resolution of login.microsoftonline.com
    – malicious PowerShell usage, including the AADInternals toolkit
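The monitoring points above (the Root CA store on the Azure AD Connect server, certificate enrollments for external names, hosts-file tampering, and the presence of AADInternals) can be checked from the server itself. The following PowerShell script is an added example, not code from Sygnia or Microsoft; the CA configuration string in $CaConfig and the thumbprints in $ApprovedRootThumbprints are hypothetical placeholders for your own values.

```powershell
# Added example, not Sygnia's or Microsoft's code: a read-only check run on an
# Azure AD Connect server that covers the monitoring points from the article.
# HYPOTHETICAL values to replace: $CaConfig (the "host\CA name" string of your
# enterprise CA) and $ApprovedRootThumbprints (Root CAs you intend to trust).

$CaConfig = 'ca01.corp.example\Corp-Issuing-CA'
$ApprovedRootThumbprints = @(
    '0000000000000000000000000000000000000001'   # placeholder, fill from a known-good server
)
# Names that must never be overridden in the hosts file or appear in a
# CA-issued certificate. Extend with other endpoints the server talks to.
$WatchedNames = @('login.microsoftonline.com')

function Test-HostsFile {
    # Flags hosts-file entries that override resolution of a watched name.
    $path = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    foreach ($line in Get-Content -Path $path -ErrorAction Stop) {
        $entry = ($line -split '#')[0].Trim()            # drop comments
        if (-not $entry) { continue }
        $fields = $entry -split '\s+'                      # address, then one or more names
        if ($fields.Count -lt 2) { continue }
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            if ($WatchedNames -contains $name.ToLower()) {
                [pscustomobject]@{ Check = 'HostsFile'; Detail = "$name -> $($fields[0])" }
            }
        }
    }
}

function Test-RootStore {
    # Flags Root CAs on this machine that are not on the approved list.
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $ApprovedRootThumbprints -notcontains $_.Thumbprint } |
        ForEach-Object {
            [pscustomobject]@{ Check = 'RootStore'; Detail = "$($_.Thumbprint) $($_.Subject)" }
        }
}

function Test-IssuedCertificates {
    # Asks the CA for issued certificates (Disposition 20) and flags any whose
    # common name is, or is under, a watched name. Needs read access to the CA DB.
    # certutil returns columns in the order given to -out, so parse positionally.
    $columns = 'RequestID', 'RequesterName', 'CommonName', 'CertificateTemplate', 'NotAfter'
    $raw = & certutil.exe -config $CaConfig -view -restrict 'Disposition=20' `
        -out ($columns -join ',') csv 2>&1
    if ($LASTEXITCODE -ne 0) {
        [pscustomobject]@{ Check = 'IssuedCerts'; Detail = "certutil failed: $($raw -join ' ')" }
        return
    }
    $rows = $raw | Select-Object -Skip 1 | Where-Object { $_ -match '\S' } |
        ConvertFrom-Csv -Header $columns
    foreach ($row in $rows) {
        $cn = "$($row.CommonName)".ToLower()
        $hit = $WatchedNames | Where-Object { $cn -eq $_ -or $cn.EndsWith(".$_") }
        if ($hit) {
            [pscustomobject]@{
                Check  = 'IssuedCerts'
                Detail = "Request $($row.RequestID) by $($row.RequesterName): CN=$($row.CommonName) via template $($row.CertificateTemplate)"
            }
        }
    }
}

function Test-AADInternals {
    # Flags the AADInternals module if it is installed on this server.
    Get-Module -ListAvailable -Name AADInternals | ForEach-Object {
        [pscustomobject]@{ Check = 'AADInternals'; Detail = "$($_.Name) $($_.Version) at $($_.ModuleBase)" }
    }
}

$findings = @(Test-HostsFile) + @(Test-RootStore) + @(Test-IssuedCertificates) + @(Test-AADInternals)
if ($findings.Count -eq 0) { Write-Output 'No findings.' } else { $findings | Format-Table -AutoSize }
```

Run it elevated on the Azure AD Connect server; the CA query additionally needs read access to the CA database. The issued-certificate check only looks at the common name, so a certificate that carries login.microsoftonline.com solely in its subject alternative names would pass it; to close that gap, pull the raw certificate of each new request (certutil -view -restrict "RequestID=N" -out RawCertificate) and inspect the SAN extension, or alert on the CA's certificate-issued events and review them. Scheduling the script and alerting on any change in its output turns these one-off checks into the continuous monitoring the guidance calls for.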