Lateral movement techniques have been a critical component of traditional network compromises for years, allowing ransomware groups to reach domain controllers and deploy their crippling and highly disrupting attacks, cyberespionage groups to achieve persistence and gain access to systems holding sensitive intellectual property, and cybercrime groups to hop into sensitive network segments to reach ATMs and other finance systems. With accelerated deployment of hybrid networks that combine on-premise and cloud infrastructure, attackers are looking for new tactics to achieve lateral movement in these new environments.
One of these techniques was recently devised and documented by researchers from security firm Vectra AI and involves abusing an Azure Active Directory (AD) feature called cross-tenant synchronization (CTS) that allows organizations to synchronize users and groups across different Azure AD instances for those users to gain access to Microsoft and non-Microsoft applications linked to different tenants.
This is a useful feature for multinational corporations or business conglomerates where their local branches or different businesses might be operating in different Azure AD tenants but some of their users need access to applications or resources from a different branch or sister company.
“This attack vector enables an attacker operating in a compromised tenant to abuse a misconfigured cross-tenant synchronization configuration and gain access to other connected tenants or deploy a rogue CTS configuration to maintain persistence within the tenant,” the Vectra AI researchers said in their new report. “We have not observed the use of this technique in the wild but given the historical abuse of similar functionality, we present details for defenders to understand how the attack would present and how to monitor for its execution.”
Abuse of trust relationships and weak Azure AD configurations
Cross-tenant synchronization works by allowing a source tenant to sync users into a target tenant. This is done via push requests from the source tenant and based on configured cross-tenant access (CTA) policies in both tenants.
For example, to be able to sync users the source tenant needs to have an outbound access policy to the target tenant and the target tenant needs to have an inbound access policy that allows the synching of users from the source tenant. A source tenant can also have an inbound cross-tenant access policy and be itself a target for synced users from another tenant, creating a web of cross-tenant synchronization links.
As with all lateral movement techniques, the abuse of CTS implies an assumed compromise of privileged credentials inside a tenant. For an attack to work, both the source and target tenant need to have Azure AD Premium P1 or P2 licenses for CTS to be available. The attacker needs to have access to an account with security administrator role to configure cross-tenant access policies, a hybrid identity administrator role to change cross-tenant synchronization configuration, or a cloud admin or application admin role to assign new users to an existing CTS configuration. So, depending on the existing cross-tenant access policies and CTS configuration in a tenant, as well as the privileges obtained by the attacker, there are different ways in which this can be abused for lateral movement or persistence.
In Vectra AI’s proof-of-concept attack, it is assumed that the tenant already has cross-tenant access policies configured to other tenants. First, the attacker would use the admin command shell to list all tenants with which the current tenant has access policies with. Then they would proceed to review each of the policies to identify a tenant for which an outbound policy exists. This means the current tenant is configured to sync users into that target tenant.
The next step would be to locate the ID of the application running inside the compromised tenant that is responsible for performing the synchronization so its configuration could be modified. The Vectra researchers created and published a PowerShell script that automates the entire process.
“There is no straightforward way to find the CTS sync application linked to the target tenant,” the researchers said. “The attacker can enumerate through service principals in the tenant attempting to validate credentials with the target tenant to ultimately find the application that hosts the sync job to the target tenant. It can be done through a simple module like this.”
After identifying the sync application, the attacker can add the compromised account they already have credentials for to the sync scope or can review the application’s sync scope, which, for example, could indicate that all users from a particular group are being synchronized into the target tenant. They could then try to directly or indirectly add their compromised user to that group.
In addition to using a compromised tenant as a source for lateral movement, CTS can also be used as a backdoor to maintain persistence to a compromised tenant. For example, the attacker could create an inbound cross-tenant access policy into the victim tenant to allow an external tenant under their control to sync users into it. They could then enable the “automatic user consent” option as well so the synced user doesn’t get prompted for consent.
The result would be the attacker being able to sync new users from their external tenant into the victim tenant at any time in the future to access resources even if they lose access to the initial account they compromised.
How to defend against cross-tenant synchronization compromise
Since this technique assumes an existing compromised account, organizations should enforce strong security practices and monitoring for accounts, especially those with administrative privileges. Tenants that have CTS enabled should avoid inbound cross-tenant access policies that allow for all users, groups, or applications from a source tenant to be synchronized.
“Deploy less inclusive inbound CTA configuration such as explicitly defining accounts (if possible) or groups that can get access through CTS,” the Vectra AI researchers said. “Combine CTA policy with additional conditional access policies to prevent unauthorized access.”
Active Directory, Azure Functions, Cloud Security, Network Security