I recently read through an excellent article by Mandiant, which recently split with FireEye, on their findings and analysis of the continued actions of suspected nation-state actor NOBELIUM. This group appeared on most IT pro’s radar because of their SolarWinds’ software supply chain. You are probably familiar with it by now, but if not, the tl;dr is that SolarWinds’ Orion IT software was “trojanised” via an attack on their software supply chain. Orion is (probably now “was”) used by enterprise customers to monitor their servers, network, etc, so not only was SolarWinds compromised, so too potentially were its customers.
Note NOBELIUM is Microsoft’s assigned name for this advanced persistent threat, but other vendors will use different names.
As I scrolled down the report, in the back of my head I’m thinking things like “XYZ in Defender could have stopped that”, or “wouldn’t have happened if they’d ABC’d in Azure AD”. In this article, I’ll reference Mandiant’s above article, then explain how implementing security capabilities found across the Microsoft 365 E5 license may help mitigate similar threats. In many cases, you don’t even need E5. Check out m365maps.com to see exactly where it falls in the licensing picture and if it’s available to you in something like Microsoft 365 E3 or Business Premium.
This is not a third-party vs. Microsoft security blog. There are pros and cons to all solutions. This is an attempt to help folks paying for Microsoft 365 E5 get their money’s worth by squeezing as much of its offerings out as possible. Details are light on some parts of the report, so those will be reviewed at a high level only. Additionally, there may be simplifications for the sake of brevity. I am available on Twitter @rucam365 for any clarifications you want.
Compromised CSPs and privileged access
“multiple instances where the threat actor compromised service providers and used the privileged access and credentials belonging to these providers to compromise downstream customers”
“The account held a specific Azure AD role that allowed it to use the Admin on Behalf Of (AOBO) feature. With AOBO, users with a specific role in the CSP tenant have Azure Role Based Access Control (RBAC) Owner access to Azure subscriptions in their customer’s tenants”
“… evidence that the actor compromised multiple accounts and used one for the sole purpose of reconnaissance, while the others were reserved for lateral movement within the organization…”
Defence against compromised CSPs and privileged access with Microsoft 365
CSPs, cloud solution providers, in the context of Microsoft 365, are typically license resellers and if set up as delegated administrators, can have global administrative rights to customers’ tenants. As pointed out in the article, and I reference in the quotes below, they can be extremely powerful with Azure owner access to subscriptions. If an Azure VM owner is compromised, and that VM happens to run Active Directory Domain Services, you are trivial steps away from being pwned. Obviously, you can have other service providers beyond the scope of Microsoft or Microsoft 365, managing other services.
- Less of a capability, more of a change in practice. Don’t give your Microsoft CSP delegated admin privileges to the tenant unless you need to. Unfortunately, this includes (for now) Lighthouse. While you can allow them to use their primary email address as an Azure AD guest account with Azure AD B2B, I prefer a full member (not a guest) as you have additional controls such as controlling password policies. Note that ‘granular delegated admin privileges (GDAP)’ are on the roadmap so guidance should change when that becomes available.
- Enforce enhanced requirements on inbound authentication to your tenant using Azure AD Conditional Access with Azure Multi-factor Authentication (MFA) and Identity Protection, to specifically block high-risk users and high-risk sign-ins.
- If your CSP is given access to the tenant (as a full Azure AD member), limit the scope of their rights using RBAC, which is applicable across Azure AD and Azure resources.
- Use Privileged Identity Management (PIM) to enforce conditions and time fences on how long a user can have privileged access. For example, limit their ownership of a resource group in Azure to only X hours, and to get it, enforce MFA and/or approval to another user (guidance here).
- Continually review the access rights for these individuals using Azure AD Identity Governance’s access reviews.
- Don’t give out permissions easily, and monitor and track those that are issued. One approach I use is entitlement management, in which users apply to join a group, and that group gets privileged access. This too can be time-fenced (automatically revoked after a certain period) and subject to access reviews.
- Microsoft Defender for Cloud Apps (MDCA), previously called Microsoft Cloud App Security (MCAS), can audit administrative operations across Microsoft 365, Azure, and even third parties like AWS. You can use this capability to create alerts if any such activities happen by users outside a specified list or group.
Compromised VPNs
“the threat actor identified and compromised a local VPN account and made use of this VPN account to perform reconnaissance and gain further access to internal resources within the victim CSP’s environment”
Defence against compromised VPNs with Microsoft 365
- This one is light on specifics, but for your client endpoints, you should be moving away from VPNs entirely by considering the following points.
- Replace on-premises Active Directory domain join or Hybrid Azure AD join with pure Azure AD join. In The Case For Azure AD Join, I lay out a manifest of why so many reasons you thought you couldn’t do Azure AD join are not necessarily true.
- Replace on-premises file servers with SharePoint Online and OneDrive for Business. I know, I know… ScarePoint, etc, etc. I get that SPO is not exactly a replacement for file servers, but many (most?) environments can and should make the move. Why? Get rid of that dependency on VPN for network drives, speed up file access for users, and get modern improvements such as auto-save and co-authoring.
- Replace Group Policy and ConfigMgr with Intune MDM. Again, reduce that dependency on VPNs (or Cloud Management Gateways, etc) and get a bunch of other benefits. Not suitable in all cases, but the vast majority. Also not a quick journey: the best practice would be to start from scratch as much as possible.
- Access on-premises applications securely over the internet without a VPN by using Azure AD Application Proxy. Your apps will benefit from Single Sign On with Azure AD accounts, and be protected from the wider internet by pre-authentication using Azure AD. This means you get the benefits of Azure AD such as Conditional Access, DDOS protection, etc, all before any packets touch your app (and even then, only via a connector intermediary replacing your DMZ).
- For your servers infrastructure, VPN isn’t so easy to kill. I’m focusing on Microsoft 365 E5 in this article, but of course, Microsoft and the industry, in general, is heading towards PaaS/SaaS which means less infrastructure for you to manage in general. Don’t misquote me: I’m not saying cloud = security and on-prem/VPN = insecurity. I’m saying, personally, I’d rather keep my need for managing VPNs to a minimum… or get one that supports Azure AD auth.
Malware and low reputation websites
“… some systems had been infected with CRYPTBOT, an info-stealer malware, shortly before the stolen session token was generated. Mandiant observed that in some cases the user downloaded the malware after browsing to low reputation websites offering free, or “cracked”, software.”
Defence against malware and low reputation websites with Microsoft 365
Malware protection and web controls are seen as basic stuff, but what can Microsoft 365 E5 offer us?
- Web content filtering, part of network protection, can be used to protect against these types of websites with the likes of legal liability and uncategorized categories.
- While I can’t guarantee it would have picked it up, it is likely Cryptbot would get identified by a number of Microsoft Defender Antivirus and Microsoft Defender for Endpoint capabilities, never mind the standard antivirus signatures/heuristics. These include potentially unwanted app (PUA) protection, block at first sight (BAFS), or an Attack Surface Reduction (ASR) rule like block executable files from running unless they meet a prevalence, age, or trusted list criterion.
- The gold standard of OS security should be application allow-listing. If it’s not allowed explicitly, it doesn’t run. Windows can be secured for this using AppLocker (no longer actively developed) or Windows Defender Application Control.
Anonymous IP access
“These tokens were used by the actor via public VPN providers to authenticate to the target’s Microsoft 365 environment.”
“Mandiant witnessed the actor use a mixture of TOR, Virtual Private Servers (VPS) and public Virtual Private Networks (VPN) to access victim environments.”
“Mandiant was then able to identify numerous TOR exit nodes that the threat actor used based on new authentication events.”
Defence against anonymous IP access with Microsoft 365
In the enterprise context, it’s usually safe to block access from things like Tor and known VPN providers. I understand that a lot of modern security talk wants to move away from caring about locations, IP based controls, etc, but in my opinion, it should still be used as part of defence-in-depth, especially if you can reasonably say your user base will only be connecting from a known list of regions.
- Conditional Access can be used to block access from IPs located outwith specified countries. Create a policy that blocks all locations except those in your named list of allowed ones. You can also choose how to determine the location: by IP (v4 only) or GPS (requires the Microsoft Authenticator app but doesn’t work with passwordless if you’re using that).
- Azure AD Identity Protection has a real-time detection capability for anonymous IP addresses, which Microsoft explicitly describe as “for example, Tor browser or anonymous VPN“. Identity Protection policies can be configured standalone or (recommended) included as Conditional Access conditions.
- There are offline sign-in risk Identity Protection detections (as opposed to real-time) for malicious IP addresses and activity from anonymous IP addresses. Although these could not prevent a login, they will raise logs for you to audit, with about a 48-hour delay.
- Microsoft Defender for Cloud Apps has anomaly detection capabilities that can be used to warn you about suspicious behaviour across integrated apps. You can also use proactive governance to revoke access from services like Tor.
MFA Push Notifications
“… the threat actor had a valid username and password combination. Many MFA providers allow for users to accept a phone app push notification or to receive a phone call and press a key as a second factor. The threat actor took advantage of this and issued multiple MFA requests to the end user’s legitimate device until the user accepted the authentication…”
Defence against falsely approved MFA with Microsoft 365
I’m in the camp of “push notifications are better than no MFA at all”. But at the same time, if you’re doing something, do it right. Hammering someone with MFA requests until they submit – yikes.
- In the MFA service settings, you can disable phone call, SMS, and/or app push notification MFA.
- There are improvements to MFA push notifications on the way. You will be shown the location and app, for example. Additionally – most importantly – you won’t just get a approve/disapprove. You will have to perform number matching to the code shown on the screen which should mitigate against accidental approvals, approvals-by-spam-request, or automated apps for approval (they exist and they’re insane).
- Conditional Access can require device compliance for access, which means in addition to compromising the credentials (and the MFA), you have to compromise the device. Where this gets more powerful is you can base the device compliance on attributes like the device health in Defender for Endpoint and it’s unlikely a remotely compromised device will have a ‘clear’ state (but not impossible). Even more, you can use custom compliance to confirm that your own device requirements are met: certain services are running, system hardening policies in place, etc. Lastly on this point, you can use Conditional Access device filters to limit access to privileged services to privileged access workstations, etc.
- MFA only kicks in if the username and password are correct. Azure AD Identity Protection can mark users as high risk if their credentials have been leaked on paste bins, dark websites, etc. Note this only applies to newly discovered leaks and not retrospectively when enabled (really wish it did). It also needs Password Hash Sync for hybrid users. After your user has been marked as high-risk, you can use Conditional Access to force a password reset after they’ve MFA’d to prove it’s really them. This can write back to on-premises Active Directory if it’s a hybrid user. Alternatively, use Conditional Access to block high-risk users then, as an administrator, have your own process to investigate + remediate.
LSASS and ntds.dit dumps
“On one device, the threat actors made use of the Windows Task Manager to dump the process memory belonging to LSASS…. There was also evidence that the threat actor used Sysinternals ProcDump to dump the process memory of the LSASS process.”
“Mandiant identified multiple attempts by the threat actor to dump the Active Directory database (ntds.dit) using the built-in ntdsutil.exe command.”
Defence against LSASS and ntds.dit dumps with Microsoft 365
Let’s have a look at how Microsoft 365 Defender services can be used in this scenario.
- Microsoft Defender for Endpoint (MDI) can alert administrators about exfiltration scenarios involving ntds.dit, with the likes of the data exfiltration over SMB alert. You could also use Advanced Hunting custom detections to be informed about process events that involve it, ntdsutil, or other processes like AzCopy, etc.
- Windows Defender Credential Guard is a capability that uses VBS to isolate and harden secrets against compromise.
- Attack Surface Reduction rules (ASR rules) can run on Windows Server 2012 R2 and newer. The rule block credential stealing from the Windows local security authority subsystem will help LSASS dumps in scenarios that Credential Guard cannot be used. If a process tries to use OpenProcess() for LSASS with the access right PROCESS_VM_READ, it is blocked.
Azure AD Connect compromise
“The threat actor also obtained the Azure AD Connect configuration, the associated AD service account, and the key material used to encrypt the service account credentials.”
Defence against Azure AD Connect compromise with Microsoft 365
Don’t have the full details here but let’s review Azure AD Connect and securing it in general. Why is AADC important? It’s what syncs on-prem AD to Azure AD, so is significant for lateral movement. Lateral movement aside, the connector account also gets a bunch of permissions to the directory and control over users, groups, and passwords.
- Give the AADC server the same respect in regards to security as a domain controller: treat it as a tier 0/ asset, with controls around only privileged access workstations getting access, what other apps can run (allow listing), outbound network access, etc.
- You no longer need the Global Admin role to manage Azure AD Connect: use least privilege and stick with Hybrid Identity Administrator.
- Keep Azure and Azure AD privileged access accounts (admins) as cloud-only accounts and do not synchronise your on-premises administrators (e.g. Domain Admin) to Azure AD.
Active Directory Federation Services (AD FS) attacks
“… the threat actor obtained the Active Directory Federation Services (ADFS) signing certificate and key material. This allowed the threat actor to forge a SAML token which could be used to bypass 2FA and conditional access policies to access Microsoft 365.”
“Mandiant discovered that the threat actor had stolen the AD FS token signing certificate and the DKM key material. This would allow the threat actor to perform Golden SAML attacks and authenticate as any user into federated environments that used AD FS for authentication, such as Microsoft 365.”
Defence against AD FS SAML token forging with Microsoft 365
Generally, when I see AD FS, I run in terror. Here goes…
- Replace AD FS with Azure AD. I know, I know, easier said than done, especially at scale. But as an IdP, Azure AD has a ton of benefits like Conditional Access (referenced heavily in this article), no/less infrastructure to manage, etc.
- Microsoft Defender for Identity (MDI) now supports AD FS. You will be alerted for attacks such as remote code execution attempts, and suspected brute-force LDAP attacks.
- Azure AD Identity Protection can identify and assign sign-in risk (for auditing/action) if the SAML token issuer for a token is potentially compromised due to anomalies or similarities with attack patterns.
Lateral movement and privilege escalation
“The threat actors leveraged compromised privileged accounts and used SMB, remote WMI, remote scheduled tasks registration, and PowerShell… mainly to perform reconnaissance… distribute BEACON around the network…”
“In some cases, the actors passed in a specific Kerberos ticket during the WMIC execution using the /authority:Kerberos flag to authenticate as computer accounts.”
“the threat actor used Azure’s built-in Run Command feature to execute commands on numerous downstream devices. The threat actor used native Windows tools to perform initial reconnaissance, credential theft and deploy Cobalt Strike BEACON to devices via PowerShell.”
“The actor then used this BEACON implant to persistently install CEELOADER as a Scheduled Task that ran on login as SYSTEM on specific systems.”
Defence against lateral movement and privilege escalation with Microsoft 365
Again, we return to Microsoft 365 Defender to review some threat protection capabilities for this.
- Microsoft Defender for Identity (MDI) can be deployed to domain controllers to alert administrators in Microsoft 365 Defender if it identifies several activites of this type, including pass-the-ticket, reconnaissance, and credential theft.
- Attack Surface Reduction rules (ASR rules) can be deployed to block process creations originating from PSExec and WMI commands. This is unavailable for obvious reasons if you use ConfigMgr, and best start using it in audit mode in case anything else in your environment is dependent on PSExec/WMI.
- Microsoft Defender for Endpoint can detect Cobalt Strike… even if it’s not there 😉 (I say “can detect”… nothing is 100% guaranteed in this cat/mouse game).
- Microsoft Defender for Endpoint will also automatically investigate anomalous new scheduled task creation.
Unauthorised data access and exfiltration
“The threat actors performed data theft through several PowerShell commands, uploading several sequential archive files ending with the .7z extension. The threat actor uploaded these files to a webserver they presumably controlled.”
“Mandiant identified binaries that were configured to upload data to the Mega cloud storage provider. The threat actor deployed the tool in the %TEMP%\d folder as mt.exe and mtt.exe. “
“Mandiant also observed the threat actor access a victim’s on-premises SharePoint server looking for sensitive technical documentation and credentials. The threat actor then used the gathered credentials to move laterally around the network.”
“From this documentation, the actor was able to identify a route to gain access to their ultimate target’s network.”
Defence against unauthorised data access and exfiltration with Microsoft 365
There are a few ways to approach this. We need to consider that the upload operations to attacker-controlled servers and Mega.com were probably on servers, which have different Microsoft 365 capabilities than Windows 10 clients. We also need to consider everything I’m about to list as part of defence-in-depth and no silver bullet.
- Sensitive information can be encrypted by Azure Information Protection using sensitivity labels in SharePoint Online (SPO). If you are using on-prem SharePoint Server, start the migration to SPO. The encryption essentially enforces an access control list and access can be audited. The encryption can be handled manually by users (you can force it) or you can automatically encrypt (label) using a number of methods, which include automatically detecting network/IT information such as IP addresses or Azure access keys. That said, don’t store your credentials in documentation anyway.
- On endpoint clients, Endpoint DLP or Windows Information Protection can be used to limit data uploads to allow listed apps and websites only.
- Microsoft Defender for Endpoint identifies data transfers to the Mega.com Desktop App (which I assume is the tool referenced above) as a potential attack technique (MITRE T1005) in Microsoft 365 Defender. Also you should use application allow listing.
- Microsoft Defender for Cloud Apps can both block access to Mega.com or other file sharing websites as an unsanctioned app and alert administrators about the level of data transfer to it, achieved via integration with Microsoft Defender for Endpoint and its network protection capabilities.
- You can use Advanced Hunting in Microsoft Defender for Endpoint to monitor activities related to archive file formats and PowerShell commands that can transfer data (link references downloads, can be altered for upload commands etc too).
Unauthorised Exchange mailbox access
“Mandiant witnessed the threat actor use impersonation to access multiple mailboxes belonging to users within the victim organization.”
“The threat actor also created a new account within the Microsoft 365 environment which Mandiant deems was for backup access in the event of detection.”
Defence against unauthorised Exchange mailbox access
If delegating access to mailbox permissions, you should have an established process for this and monitor any delegations that deviate from the process.
- Microsoft Defender for Cloud Apps can be used to investigate and automatically respond if mailbox delegation is performed. Tweek the activity properties so that they deviate from your standard process in this case.
- The unified audit log can inform administrators if mailbox delegation is performed. There are lots of other activities you can manage in this log too, such as other permissions granted.
- You can finally review mailbox items an account has accessed with MailItemsAccessed, but beware this is a bit of a strange action to configure (it’s part of Advanced Audit).
Concluding thoughts
There are no silver bullets against sophisticated, dedicated attackers. Similarly, there are no perfect security solutions or software services. However, in this article, I’ve tried to explain that if you are a Microsoft 365 customer already, you probably have a lot of tools in your arsenal to mitigate a lot of potential threats or at least generate enough noise that you can start investigating.