Cloud techniques observed
Microsoft's report details a wide range of cloud-related techniques used by Octo Tempest after the initial user account compromise. These techniques are not new: security researchers are aware of them, have documented them, and actively use them in penetration-testing engagements. However, this is the first threat actor that appears to be using a wide range of these cloud-specific techniques as part of its normal operations.
So which techniques are we talking about, and where have we seen them before?
This article won't go into technical details on each, but the following list contains notable details from the report:
- TA assigns themselves User Access Administrator on the tenant root group in Azure. Note that this requires that the TA has already escalated privileges to Global Administrator or Azure RBAC Owner on the tenant root group.
- TA deploys new VMs as back doors into the network and utilizes the serial console to interact with internal resources
- TA is observed looking for data in several cloud storage services. Presumably, they give themselves access using their privileged role.
- TA is observed abusing data factory to create new data collection pipelines and exfiltrate data to an SFTP server they control
- TA is observed adding MFA methods to user accounts
- TA is observed leveraging Azure Container Instances to create a tunnel without a public endpoint
- TA abuses federation from Entra ID and Okta using several techniques, including Golden SAML or by federating new domains
- TA replays stolen tokens with MFA claims that have already been satisfied
- TA enrolls their own devices into device management software to bypass restrictions
- TA modifies Conditional Access policies
- TA scans code repositories for secrets that may be abused for privilege escalation or other use
- TA uses VM extensions to reset passwords on Virtual Machines
- TA creates snapshots of virtual domain controller disks to extract NTDS.dit
- TA modifies access policies on credential stores (presumably Azure Key Vault) to gain access to credentials
Most of these techniques have been known for years in the security community, but aren’t often observed in threat actor activity. The volume of techniques used indicates that this threat actor operates directly against resources in the cloud environment itself, and isn’t just abusing open-source tooling or opportunistically interacting with cloud services when it is required.
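Several of the listed techniques leave a footprint in the Azure Activity Log (the resource-plane audit trail): elevating access as Global Administrator, writing role assignments at the tenant root group, deploying VM extensions, creating disk snapshots, changing Key Vault access policies, and creating Data Factory pipelines or container groups. The script below is an added example, not code from the report or from O3 Cyber. It triages hand-built Activity Log records in a simplified shape (the real export carries more fields), rates the ones that match the report's techniques, and decodes the JSON-encoded request body the way a detection would need to in order to see which role was assigned or which extension type was deployed. The tenant ID, subscription ID, principals and resource names are constructed placeholders; the role definition IDs and resource provider operation names are the well-known Azure values.

```python
"""Added example: triage of constructed Azure Activity Log records for the
resource-plane techniques in the report. Not code from the report or O3 Cyber."""
import json

# Well-known built-in Azure RBAC role definition IDs (identical in every tenant).
UAA_ROLE_ID = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"    # User Access Administrator
OWNER_ROLE_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"  # Owner
# VM extension types that reset local credentials on a virtual machine.
VMACCESS_TYPES = {"vmaccessagent", "vmaccessforlinux"}

# Resource provider operations that correspond to techniques in the report.
WATCHED_OPERATIONS = {
    "microsoft.authorization/elevateaccess/action": "Global Administrator elevated access to Azure resources",
    "microsoft.authorization/roleassignments/write": "role assignment written",
    "microsoft.compute/virtualmachines/extensions/write": "VM extension deployed",
    "microsoft.compute/snapshots/write": "managed disk snapshot created (check for domain controllers)",
    "microsoft.keyvault/vaults/accesspolicies/write": "Key Vault access policy changed",
    "microsoft.datafactory/factories/pipelines/write": "Data Factory pipeline created or updated",
    "microsoft.containerinstance/containergroups/write": "container group deployed",
}


def root_group_scope(tenant_id):
    """The tenant root management group is named after the tenant ID."""
    return f"/providers/Microsoft.Management/managementGroups/{tenant_id}"


def _request_body(record):
    """The Activity Log stores the ARM request body as a JSON string; decode it."""
    raw = record.get("properties", {}).get("requestbody")
    if not raw:
        return {}
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return {}


def triage(records, tenant_id):
    """Return one finding per watched operation, rated medium or high."""
    root = root_group_scope(tenant_id).lower()
    findings = []
    for rec in records:
        op = rec.get("operationName", "").lower()
        if op not in WATCHED_OPERATIONS:
            continue
        scope = rec.get("resourceId", "")
        body = _request_body(rec).get("properties", {})
        label, severity = WATCHED_OPERATIONS[op], "medium"
        if op == "microsoft.authorization/elevateaccess/action":
            severity = "high"   # the toggle that gives a Global Administrator UAA at root scope
        elif op == "microsoft.authorization/roleassignments/write":
            role_id = body.get("roleDefinitionId", "").rsplit("/", 1)[-1].lower()
            if role_id in (UAA_ROLE_ID, OWNER_ROLE_ID) and scope.lower().startswith(root):
                label, severity = "Owner/User Access Administrator assigned at tenant root group", "high"
        elif op == "microsoft.compute/virtualmachines/extensions/write":
            if body.get("type", "").lower() in VMACCESS_TYPES:
                label, severity = "VMAccess extension deployed (local credential reset)", "high"
        findings.append({"time": rec.get("eventTimestamp"), "caller": rec.get("caller"),
                         "operation": op, "resource": scope, "severity": severity, "label": label})
    return findings


def high_severity(findings):
    return [f for f in findings if f["severity"] == "high"]


# Constructed sample records in a simplified Activity Log shape (all values are placeholders).
TENANT_ID = "11111111-2222-3333-4444-555555555555"
ROOT = root_group_scope(TENANT_ID)
SUB = "/subscriptions/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
ROLE_DEFS = "/providers/Microsoft.Authorization/roleDefinitions/"
SAMPLE_ACTIVITY_LOG = [
    {"eventTimestamp": "2023-10-26T09:01:00Z", "caller": "ga@example.test",
     "operationName": "Microsoft.Authorization/elevateAccess/action",
     "resourceId": "/providers/Microsoft.Authorization"},
    {"eventTimestamp": "2023-10-26T09:02:00Z", "caller": "ga@example.test",
     "operationName": "Microsoft.Authorization/roleAssignments/write",
     "resourceId": f"{ROOT}/providers/Microsoft.Authorization/roleAssignments/c0ffee00-0000-4000-8000-000000000001",
     "properties": {"requestbody": json.dumps({"properties": {
         "roleDefinitionId": ROLE_DEFS + UAA_ROLE_ID, "principalId": "99999999-0000-4000-8000-000000000002"}})}},
    {"eventTimestamp": "2023-10-26T09:05:00Z", "caller": "ops@example.test",
     "operationName": "Microsoft.Authorization/roleAssignments/write",
     "resourceId": f"{SUB}/providers/Microsoft.Authorization/roleAssignments/c0ffee00-0000-4000-8000-000000000003",
     "properties": {"requestbody": json.dumps({"properties": {
         "roleDefinitionId": ROLE_DEFS + "00000000-0000-0000-0000-000000000000"}})}},  # placeholder role
    {"eventTimestamp": "2023-10-26T09:20:00Z", "caller": "ga@example.test",
     "operationName": "Microsoft.Compute/virtualMachines/extensions/write",
     "resourceId": f"{SUB}/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/dc01/extensions/enablevmaccess",
     "properties": {"requestbody": json.dumps({"properties": {"publisher": "Microsoft.Compute", "type": "VMAccessAgent"}})}},
    {"eventTimestamp": "2023-10-26T09:31:00Z", "caller": "ga@example.test",
     "operationName": "Microsoft.Compute/snapshots/write",
     "resourceId": f"{SUB}/resourceGroups/prod/providers/Microsoft.Compute/snapshots/dc01-osdisk-snap"},
    {"eventTimestamp": "2023-10-26T09:40:00Z", "caller": "ga@example.test",
     "operationName": "Microsoft.KeyVault/vaults/accessPolicies/write",
     "resourceId": f"{SUB}/resourceGroups/prod/providers/Microsoft.KeyVault/vaults/prod-kv/accessPolicies/add"},
    {"eventTimestamp": "2023-10-26T09:45:00Z", "caller": "ops@example.test",
     "operationName": "Microsoft.Compute/virtualMachines/start/action",   # routine operation, not watched
     "resourceId": f"{SUB}/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/web01"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ACTIVITY_LOG, TENANT_ID):
        print(f"{f['severity']:6} {f['time']} {f['caller']:18} {f['label']}")
```

In a real environment the same logic is a query over the exported Activity Log; the two details worth keeping from this example are that the role definition ID and the extension type live in the JSON-encoded request body rather than in top-level fields, and that root-scope assignments are distinguished by matching the resource ID prefix against the tenant root management group.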
Why it's important
For many, this just seems like a sophisticated threat actor with some new techniques. So why is it that we see this report as ground-breaking?
Threat actors catching up
The report details a threat actor with extensive knowledge of how cloud services can be configured into a cloud platform. This knowledge allows them to understand the attacks that are possible in a cloud environment, and the primitives available to them for abuse. Until now, most public cloud security incidents have been related to rather simple misconfigurations, such as public buckets and metadata service abuse, or have been related to user account compromise via techniques such as password spraying, brute forcing, and phishing. However, this appears to be changing; this report proves that threat actors are using the more modern and sophisticated attack primitives found and described by researchers in more recent years. With an expanding toolkit and new techniques, the threat actors specializing in cloud compromise will be an ever-increasing risk to organizations as more workloads are moved to the cloud.
More research to stay ahead
To our knowledge, there have been no public reports of threat actors using attack primitives that haven’t been previously responsibly disclosed by security researchers. This underpins the importance of offensive research to enable a pragmatic and holistic approach to securing cloud workloads. It also highlights the need for defenders to be aware of this offensive research and use it to put defensive controls in place before attackers begin to abuse modern cloud techniques. By expanding what we know about possible attacks, we enable many important processes such as threat modeling, detection engineering and cloud security control design. This expansion of “unknown knowns” improves the cloud security landscape and increases the cost for attackers, as we can design environments that are resilient to all possible attacks.
Expansion of “known knowns”
Observing these techniques in use by active threat actors highlights how the cloud threat landscape is changing. O3 Cyber predicts that other threat actors will adopt and mimic the successful application of cloud attacks to bolster their toolkit. For defenders, this means that implementing controls and detections for the observed techniques is paramount to address this changing landscape.
As defenders learn to combat these issues, cloud security control frameworks that are in development must also be updated to include changes or additions to design principles, architecture approaches and new controls. This will ensure that as a security community, we learn to mitigate the most recently observed and discovered attack techniques by both researchers and threat actors. Reliance on old frameworks that are not adapted to the new threat landscape can prove costly.
One notable observation O3 Cyber made about this threat actor’s activity is the technical implications of the compromises described in the report, and the post-compromise activities that are available to the threat actor that are not being used. What does the threat actor actually have access to, and what can they do in the scenarios described?
Given that Octo Tempest is observed giving itself User Access Administrator on the tenant root group of Azure tenants, there is a strong implication in the report that they gain Global Administrator within the tenants they are targeting. There are only three ways to assign yourself User Access Administrator: 1) you have the Owner role on the tenant root group, 2) you have compromised an Entra ID Service Principal with the RoleManagement.ReadWrite.Directory privilege, or 3) you are a Global Administrator and you enable the “give yourself access to Azure resources” toggle. Of the three, the most likely scenario is that the TA escalates to Global Administrator.
With these permissions, there isn’t much that the threat actor can't do. Beyond being able to exfiltrate data for extortion and encrypt systems and data for ransomware, this access gives them administrative access to the entire Microsoft Online ecosystem, and the ability to delete or modify infrastructure, accounts, email, and SaaS configurations programmatically via the APIs.
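The identity-plane techniques in the list (adding MFA methods, modifying Conditional Access policies, federating domains) and the second escalation path above (a service principal holding RoleManagement.ReadWrite.Directory, or a new Global Administrator) are recorded in the Entra ID audit log rather than the Activity Log. The script below is an added example, not code from the report or from O3 Cyber. It triages hand-built audit records in a simplified version of the Graph directoryAudits shape (activityDisplayName, initiatedBy, targetResources with modifiedProperties). The activity names are the ones the Entra audit log uses; the modifiedProperties names "AppRole.Value" and "Role.DisplayName" are assumptions for this example, as are all users, domains and application names.

```python
"""Added example: triage of constructed Entra ID audit log records for the
identity-plane techniques in the report. Not code from the report or O3 Cyber."""

# Audit activity names as they appear in the Entra ID audit log.
WATCHED_ACTIVITIES = {
    "User registered security info": "authentication method registered by the user",
    "Admin registered security info": "authentication method registered by an admin",
    "Update conditional access policy": "Conditional Access policy modified",
    "Delete conditional access policy": "Conditional Access policy deleted",
    "Set domain authentication": "domain authentication type changed",
    "Set federation settings on domain": "federation settings changed on a domain",
    "Add app role assignment to service principal": "app role granted to a service principal",
    "Add member to role": "member added to a directory role",
}
# Permissions and roles that by themselves lead to Azure RBAC control at the tenant root group.
HIGH_RISK_APP_ROLES = {"RoleManagement.ReadWrite.Directory"}
HIGH_RISK_DIRECTORY_ROLES = {"Global Administrator"}


def _modified_value(record, display_name):
    """Look up a modifiedProperties entry by name. In the Graph schema newValue is a
    JSON-encoded string, so the surrounding quotes are stripped. The property
    display names used by the callers are assumptions for this example."""
    for target in record.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == display_name:
                return (prop.get("newValue") or "").strip('"')
    return None


def _initiator(record):
    who = record.get("initiatedBy", {})
    user, app = who.get("user") or {}, who.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def _target(record):
    targets = record.get("targetResources", [])
    return targets[0].get("displayName") if targets else None


def triage_audit(records):
    """Return one finding per watched activity, rated medium or high."""
    findings = []
    for rec in records:
        activity = rec.get("activityDisplayName", "")
        if activity not in WATCHED_ACTIVITIES:
            continue
        label, severity = WATCHED_ACTIVITIES[activity], "medium"
        if activity == "Add app role assignment to service principal":
            role = _modified_value(rec, "AppRole.Value")
            if role in HIGH_RISK_APP_ROLES:
                label, severity = f"service principal granted {role}", "high"
        elif activity == "Add member to role":
            role = _modified_value(rec, "Role.DisplayName")
            if role in HIGH_RISK_DIRECTORY_ROLES:
                label, severity = f"member added to {role}", "high"
        elif activity.startswith("Set "):   # federation and domain authentication changes
            severity = "high"
        findings.append({"time": rec.get("activityDateTime"), "initiator": _initiator(rec),
                         "target": _target(rec), "severity": severity, "label": label})
    return findings


def targets_with_new_methods(findings):
    """Accounts that gained an authentication method; review each against recent sign-in risk."""
    return sorted({f["target"] for f in findings if "authentication method" in f["label"]})


# Constructed sample records in a simplified directoryAudits shape (all values are placeholders).
ALICE = {"user": {"userPrincipalName": "alice@example.test"}}
SAMPLE_AUDIT_LOG = [
    {"activityDateTime": "2023-10-26T08:55:00Z", "activityDisplayName": "User registered security info",
     "initiatedBy": ALICE, "targetResources": [{"displayName": "alice@example.test", "modifiedProperties": []}]},
    {"activityDateTime": "2023-10-26T09:10:00Z", "activityDisplayName": "Update conditional access policy",
     "initiatedBy": ALICE, "targetResources": [{"displayName": "Require MFA for all users", "modifiedProperties": []}]},
    {"activityDateTime": "2023-10-26T09:12:00Z", "activityDisplayName": "Set domain authentication",
     "initiatedBy": ALICE, "targetResources": [{"displayName": "new-domain.example.test", "modifiedProperties": []}]},
    {"activityDateTime": "2023-10-26T09:15:00Z", "activityDisplayName": "Add app role assignment to service principal",
     "initiatedBy": ALICE, "targetResources": [{"displayName": "automation-sp", "modifiedProperties": [
         {"displayName": "AppRole.Value", "newValue": "\"RoleManagement.ReadWrite.Directory\""}]}]},
    {"activityDateTime": "2023-10-26T09:18:00Z", "activityDisplayName": "Add member to role",
     "initiatedBy": ALICE, "targetResources": [{"displayName": "bob@example.test", "modifiedProperties": [
         {"displayName": "Role.DisplayName", "newValue": "\"Global Administrator\""}]}]},
    {"activityDateTime": "2023-10-26T09:30:00Z", "activityDisplayName": "Update user",   # routine, not watched
     "initiatedBy": ALICE, "targetResources": [{"displayName": "carol@example.test", "modifiedProperties": []}]},
]

if __name__ == "__main__":
    for f in triage_audit(SAMPLE_AUDIT_LOG):
        print(f"{f['severity']:6} {f['time']} {f['initiator']:20} {f['target']:28} {f['label']}")
```

Grouping the findings by initiator is what makes the pattern visible: a single account that registers a new authentication method, edits a Conditional Access policy, federates a domain and grants a service principal a directory-role permission within the same hour is the post-compromise sequence the report describes, and each of those steps is individually noisy enough to be ignored.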
What can you do?
With these latest developments, organizations that use the public cloud should take the latest offensive research into consideration when designing their environment. Threat actors are skilled at defense evasion and manipulating security controls, so as defenders we must assume that some of our controls will fail as new techniques are discovered, and constantly re-evaluate our threat model when we design and architect cloud platforms.
A good starting point as a CISO or Security Architect reading the MIR & MIT report is to test or assess whether you would be resilient to the attacks described in the report, and to other threat actors using modern primitives and deep knowledge of the cloud. This cannot be done with the tools and techniques we are used to from on-premises attacks, but requires specialized cloud tradecraft.
For an organization that heavily uses cloud infrastructure, this needs to be an iterative process - ensure that there is dedicated time and responsibility for staying up to date on modern offensive cloud research, and understanding how that impacts the organization’s cloud environment.
Finally, defenders should update their threat models and cloud security controls framework to ensure that they account for and withstand offensive techniques such as those observed in the report.