
Kerberos Attacks – Bounce the Ticket and Silver Iodide


Kerberos is a name that anyone working in IT encounters daily. It is a protocol that authenticates users and devices using symmetric-key cryptography and a key distribution center (KDC), and it sits at the heart of single sign-on (SSO). Because this form of authentication is a standard security measure in many enterprises, attackers frequently try to compromise or bypass the authentication servers with identity attacks that impersonate legitimate users.

On-premises, attackers commonly rely on a pair of identity attacks, Pass the Ticket and Silver Ticket, to steal credentials and authenticate to enterprise services. The cloud counterparts of these two techniques have been dubbed Bounce the Ticket and Silver Iodide.


The issues can affect anyone using the new Azure AD Kerberos protocol. Adoption is still in its early stages, but, as with anything Microsoft releases, usage will grow. Until now this type of lateral movement was a problem confined to the on-premises enterprise network; with Azure AD Kerberos it reaches past the perimeter into the cloud.

Microsoft added Kerberos functionality to its Azure Active Directory service last August, and Kerberos is a frequent target of attackers. They often go after tickets: the encrypted authentication credentials (tokens) that the Kerberos protocol uses as proof that a client or device has authenticated to the server.

Using these techniques, an attacker who has compromised either a system on the network or an Azure AD account could recover Kerberos tickets and reuse those secrets to extend access to other infrastructure.


The issues were disclosed to Microsoft. Microsoft is aware of the weaknesses but does not plan to fix them, because it does not consider them traditional vulnerabilities: to use the techniques successfully, an attacker would already need elevated or administrative rights that grant access to the storage account data. Microsoft recommends that customers regularly review role definitions that include the 'listkeys' permission, and enable software that prevents credential theft, such as Credential Guard.
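Microsoft's advice to review which role definitions carry 'listkeys' is easy to state but awkward to do by eye: a role can grant the action through a wildcard such as `*` or `Microsoft.Storage/storageAccounts/*` rather than by name, and can take it back again through notActions. The script below, added here as an illustration and not code from the original post, from Silverfort or from Microsoft, flags such roles with those rules applied. It assumes JSON in the shape printed by the real `az role definition list` command; the role definitions embedded in it are constructed samples, and the script name `review_listkeys.py` is hypothetical. Only control-plane actions are checked, because listKeys is a control-plane operation, not a data action.

```python
import fnmatch
import json
import sys
from typing import Iterable, List

# Real Azure RBAC action name: the operation that returns storage-account keys.
LISTKEYS_ACTION = "Microsoft.Storage/storageAccounts/listKeys/action"


def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC action strings are matched case-insensitively, and '*' in a
    role definition matches any run of characters, '/' separators included."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def grants_listkeys(role: dict) -> bool:
    """True if some permission block in the role allows listKeys (directly or
    via a wildcard) and none of that block's notActions removes it again."""
    for perm in role.get("permissions", []):
        allowed = any(action_matches(p, LISTKEYS_ACTION) for p in perm.get("actions", []))
        denied = any(action_matches(p, LISTKEYS_ACTION) for p in perm.get("notActions", []))
        if allowed and not denied:
            return True
    return False


def roles_with_listkeys(roles: Iterable[dict]) -> List[str]:
    """Names of the role definitions that can be used to fetch storage-account keys."""
    return sorted(r["roleName"] for r in roles if grants_listkeys(r))


# Constructed sample, shaped like the JSON that `az role definition list` prints.
# Only the fields this script reads are included; the role contents are illustrative.
SAMPLE_ROLES = [
    {"roleName": "Owner", "roleType": "BuiltInRole",
     "permissions": [{"actions": ["*"], "notActions": []}]},
    {"roleName": "Reader", "roleType": "BuiltInRole",
     "permissions": [{"actions": ["*/read"], "notActions": []}]},
    {"roleName": "Storage Account Contributor", "roleType": "BuiltInRole",
     "permissions": [{"actions": ["Microsoft.Storage/storageAccounts/*"], "notActions": []}]},
    {"roleName": "Custom Key Reader", "roleType": "CustomRole",
     "permissions": [{"actions": [LISTKEYS_ACTION], "notActions": []}]},
    # Wildcard grant that is explicitly carved back out: must NOT be flagged.
    {"roleName": "Keyless Storage Operator", "roleType": "CustomRole",
     "permissions": [{"actions": ["Microsoft.Storage/storageAccounts/*"],
                      "notActions": [LISTKEYS_ACTION]}]},
]


if __name__ == "__main__":
    # Pipe real output in:  az role definition list | python review_listkeys.py
    # With no piped input the constructed sample above is used instead.
    roles = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_ROLES
    for name in roles_with_listkeys(roles):
        print(name)
```

On the sample the script reports Custom Key Reader, Owner and Storage Account Contributor, and leaves out Reader (its `*/read` wildcard never reaches an `/action` operation) and the operator role whose notActions revokes listKeys. The next step in a real review is listing the assignments of each flagged role, which is where the number of principals able to pull the keys, and with them the Azure AD Kerberos secret, actually shows up.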

Re-engineering the Kerberos protocol would be the thorough fix for both issues, but that is unlikely to happen. Reducing the number of systems authorized to hold the more critical cloud-based credentials, such as the Ticket-Granting Ticket (TGT), will harden an enterprise's infrastructure against Bounce the Ticket attacks.

This research was documented by researchers from Silverfort.
