The cybersecurity firm Varonis has shown that an attacker who has already compromised an organization's on-premises IT environment can pivot from it into the organization's Azure environment.
Using a compromised machine as a stepping stone to move through a network towards other targets is a tactic cybercriminals frequently employ, and Varonis security researcher Eric Saraga found that the on-premises server running the Azure pass-through authentication agent can be manipulated to establish a backdoor and harvest the credentials of users signing in to the cloud.
Saraga developed a proof-of-concept attack against Azure's pass-through authentication (PTA). With PTA, an agent installed on-premises receives the credentials of synced users who sign in to Azure and validates them against the local Active Directory. By tampering with the agent on a compromised server, he was able to plant a 'skeleton key': a password of his choosing that the agent accepts for any synced user, while legitimate logins keep working and their plaintext credentials are recorded as they pass through.
Using this skeleton key, an attacker could sign in to Azure as any synced user, including a global admin, and take over the organization's Azure environment. The tampered agent also lets the attacker collect the usernames and passwords of every user authenticating to Azure through it.
Thankfully, the skeleton-key sign-in can be blocked by enforcing multi-factor authentication on the company's Azure accounts, and tampering with the agent can be caught by actively monitoring the servers that run it. Note that MFA alone does not stop a tampered agent from recording passwords, because the password is handed to the agent for validation before the second factor is checked; monitoring the agent servers is what covers that part.
The attack would also be difficult for cybercriminals to pull off, as they would first need to break into the corporate network and gain administrative control of the agent server.
It is also worth noting that Microsoft treats this as a post-compromise technique rather than a vulnerability in its product, so no patch will be issued. Microsoft's response to the report:
“This report does not appear to identify a weakness in a Microsoft product or service that would enable an attacker to compromise the integrity, availability, or confidentiality of a Microsoft offering. For this issue, the attacker needs to compromise the machine first before they can take over the service.”
Since no patch is being developed, Saraga says that organizations should lock down their Azure environments with multi-factor authentication so that they do not fall victim to attacks that leverage this technique.
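One way to act on the advice above to monitor the agent servers is to check, on a schedule, that the agent service still points at the Microsoft binary and that its process has only Microsoft-signed modules loaded, since an injected hooking library shows up as an unsigned module. The PowerShell below is an added example written for this page, not code from Varonis or Microsoft. It assumes the agent runs as the Windows service AzureADConnectAuthenticationAgent, with the process AzureADConnectAuthenticationAgentService installed under the default "Microsoft Azure AD Connect Authentication Agent" folder (verify the names on your install), and it must run elevated on the agent server.

```powershell
# Added example, not from the Varonis write-up: integrity check for the
# on-premises Pass-through Authentication agent.
# Assumptions (verify on your build): the agent runs as the Windows service
# 'AzureADConnectAuthenticationAgent', installed under
# 'C:\Program Files\Microsoft Azure AD Connect Authentication Agent\'.
# Run as an administrator on each agent server, e.g. from a scheduled task.

$ServiceName    = 'AzureADConnectAuthenticationAgent'
$ExpectedFolder = 'Microsoft Azure AD Connect Authentication Agent'
$TrustedSigner  = 'O=Microsoft Corporation'   # regex matched against the signer subject

function Get-PtaAgentFindings {
    param([string]$Service = $ServiceName)

    $findings = New-Object System.Collections.Generic.List[string]

    $svc = Get-CimInstance Win32_Service -Filter "Name='$Service'"
    if (-not $svc) {
        $findings.Add("Service '$Service' not found on this host")
        return $findings
    }
    if ($svc.State -ne 'Running') {
        $findings.Add("Service '$Service' is $($svc.State), not Running")
    }
    # A changed ImagePath is one way to redirect the service to a trojaned binary.
    if ($svc.PathName -notmatch [regex]::Escape($ExpectedFolder)) {
        $findings.Add("Unexpected service binary path: $($svc.PathName)")
    }

    $proc = Get-Process -Id $svc.ProcessId -ErrorAction SilentlyContinue
    if (-not $proc) {
        $findings.Add("No running process for service PID $($svc.ProcessId)")
        return $findings
    }

    # Every DLL mapped into the agent process must carry a valid Microsoft signature.
    # Frida-style hooking loads its own agent DLL, which fails this check.
    foreach ($m in $proc.Modules) {
        $sig     = Get-AuthenticodeSignature -FilePath $m.FileName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $trusted = ($sig.Status -eq 'Valid') -and ($subject -match $TrustedSigner)
        if (-not $trusted) {
            $findings.Add("Untrusted module in agent process: $($m.FileName) [status=$($sig.Status); signer=$subject]")
        }
    }
    return $findings
}

$result = Get-PtaAgentFindings
if ($result.Count -eq 0) {
    Write-Output 'OK: PTA agent service and loaded modules look as expected'
} else {
    $result | ForEach-Object { Write-Warning $_ }
}
```

Two caveats when using this. NGEN native images under C:\Windows\assembly\NativeImages_* are typically not Authenticode-signed, so baseline the output on a known-good server and allowlist those paths rather than ignoring them blindly. And a hook written directly into the process's memory without loading a DLL will not appear in the module list at all, so pair this check with process-access and image-load auditing on the agent server (for example Sysmon event IDs 7, 8 and 10 targeting the agent process) and alert on any process other than the agent itself opening a handle to it.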