
ContraForce Releases Security Updates to XDR Platform for Azure and Microsoft 365 Environments




In light of the recent compromise of the SolarWinds network management software, a related intrusion is suspected to have affected a Microsoft reseller. According to CrowdStrike, the attackers attempted to gain a foothold in the security vendor’s environment through Microsoft cloud APIs, specifically those covering Microsoft Office licenses managed by a Microsoft reseller.

Though these attacks were deemed unsuccessful against CrowdStrike, they have raised an urgent need for Microsoft, its partners, and its customers to exercise the due diligence required to secure customers who rely on Azure and Microsoft administrative tools.


Alongside our industry partners and the security community, we’ve been made aware of the latest compromise affecting Microsoft Azure and Office 365. ContraForce continues to investigate the extent of this attack – our goal is to provide the latest threat intelligence, Indicators of Compromise (IOCs), and guidance across our solution to help you and to ensure your organization is prepared.


Be Proactive and Respond Quickly with ContraForce

On December 24th, 2020, the US Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) released a new free tool, Sparrow.ps1, to help incident response teams detect compromised accounts and applications in Microsoft 365 and Azure environments. This effort follows recent reports that attackers have been exploiting Microsoft 365 to compromise commercial and government networks.

Sparrow.ps1 can be found on GitHub in the cisagov/Sparrow repository.


ContraForce and our team of security experts are here to assist you in ensuring your Microsoft 365 and Azure environments haven’t been compromised or impacted by these vulnerabilities, or, if they have been compromised, in putting the proper security controls in place to better protect your environments.


For further assistance, reach us directly at info@contraforce.com.


Additional Recommendations

Below are additional recommendations from our ContraForce Task Force (CTF), a group of seasoned security experts and incident responders. They detail further countermeasures for strengthening your security posture and mitigations for minimizing your attack surface.


Centralized Logging

Centralize your logs and correlate them accurately against the IOCs recently released for the SUNBURST campaign, so that threat correlation and detection are unified in a single solution such as ContraForce XDR.


By leveraging threat intelligence sources to gather IOCs related to SUNBURST, the ContraForce XDR platform surfaces high-fidelity signals for your security analysts and incident response team, so they can carry out detailed investigations and map out a comprehensive response plan.


Mitigate and minimize your attack surface with ContraForce’s Policy Engine that determines specific detection rules and playbooks that map according to your risk posture in your Azure and M365 environment. As additional tactics, techniques, and procedures (TTPs) are mapped by MITRE ATT&CK, ContraForce will closely monitor and manage these techniques and map them accordingly to the customer’s Azure and M365 environment to ensure proactive security measures.


Recommended Logging

ContraForce XDR provides native logging for the recommended log sources listed below. If you already operate a SIEM, our security engineering team recommends enabling these sources in it to ensure full visibility into activity associated with SUNBURST.

  • Unified Audit Log

  • Azure Activity Logs

  • Azure Service Logs

  • Azure NSG Flow Logs

  • Azure AD Logs:

      • Azure AD Audit Logs

      • Azure AD Sign-in Logs

      • Azure AD Managed Identity Sign-In Logs (Preview)

      • Azure AD Non-Interactive User Sign-In Logs (Preview)

      • Azure AD Service Principal Sign-In Logs (Preview)

      • Azure AD Provisioning Logs

      • Azure AD Risky Sign-In Events


Configuration Review and Hardening Measures

ContraForce recommends reviewing tenant configurations and applying the hardening measures below as applicable.


Mitigating Forged SAML Tokens

According to a recent blog post by Microsoft, the anomalies and IOCs related to SUNBURST have been narrowed down to two patterns:

  1. Anomalies in SAML tokens being presented for access.

  2. Anomalies in Microsoft 365 API access patterns in a tenant.

These anomalies directly affect environments running Microsoft 365, and organizations that use these services and products can be directly impacted. Sharing this information is therefore necessary to ensure that proper detection mechanisms, prevention controls, and remediation capabilities are in place.


For SAML federation relationships where Azure AD has been configured to trust a tenant-configured SAML token signing certificate from a customer-configured federation server, the federation server is the Identity Provider (IDP) and Azure AD is the Service Provider (SP).


Operators of the IDP or SP should look for the following SAML token anomalies:

  • SAML Tokens received by the SP with configurations which deviate from the IDP’s configured behavior.

  • SAML Tokens received by the SP without corresponding issuing logs at the IDP.

  • SAML Tokens received by the SP with MFA claims but without corresponding MFA activity logs at the IDP.

  • SAML Tokens which are received from IP addresses, agents, times, or for services which are anomalous for the requesting identity represented in the token.

  • Evidence of unauthorized administrative activity.

What can be done:

  • Determine the mechanism of certificate exfiltration and remediate it.

  • Roll all SAML token signing certificates.

  • Consider reducing your reliance on on-premises SAML trust where possible.

  • Consider using an HSM to manage your SAML token signing certificates.
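The four SAML anomalies listed above are all checks that correlate what the SP accepted against what the IDP recorded. The following Python is an added example, not part of the ContraForce advisory or the Microsoft post: it runs those checks over constructed SP-side token records and IDP-side issuance and MFA logs. The field names, the IDP configuration (60-minute maximum lifetime, a single signing certificate, a 10-minute MFA window) and the certificate thumbprints are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed IDP configuration (hypothetical values): the federation server
# issues assertions valid for at most 60 minutes, signs them with one known
# certificate, and an MFA claim should be backed by an MFA event shortly before.
IDP_CONFIG = {
    "max_token_lifetime": timedelta(minutes=60),
    "signing_cert_thumbprint": "PLACEHOLDER-IDP-CERT-1",
    "mfa_window": timedelta(minutes=10),
}

# Constructed SP-side records: one per SAML assertion accepted by the SP.
SP_TOKENS = [
    {"assertion_id": "a1", "user": "alice@example.com", "mfa_claim": True,
     "not_before": "2020-12-20T09:00:00", "not_after": "2020-12-20T09:45:00",
     "cert_thumbprint": "PLACEHOLDER-IDP-CERT-1"},
    # a2: never issued by the IDP, 24-hour lifetime, MFA claim with no MFA event
    {"assertion_id": "a2", "user": "admin@example.com", "mfa_claim": True,
     "not_before": "2020-12-20T10:00:00", "not_after": "2020-12-21T10:00:00",
     "cert_thumbprint": "PLACEHOLDER-IDP-CERT-1"},
    {"assertion_id": "a3", "user": "bob@example.com", "mfa_claim": False,
     "not_before": "2020-12-20T11:00:00", "not_after": "2020-12-20T11:30:00",
     "cert_thumbprint": "PLACEHOLDER-IDP-CERT-1"},
    # a4: issued, but signed with a certificate the IDP is not configured to use
    {"assertion_id": "a4", "user": "carol@example.com", "mfa_claim": False,
     "not_before": "2020-12-20T12:00:00", "not_after": "2020-12-20T12:30:00",
     "cert_thumbprint": "PLACEHOLDER-OTHER-CERT"},
]

# Constructed IDP-side logs: assertion issuance and MFA completions.
IDP_ISSUANCE_LOG = [
    {"assertion_id": "a1", "user": "alice@example.com"},
    {"assertion_id": "a3", "user": "bob@example.com"},
    {"assertion_id": "a4", "user": "carol@example.com"},
]
IDP_MFA_LOG = [
    {"user": "alice@example.com", "time": "2020-12-20T08:59:30"},
]


def _mfa_before(user, not_before, mfa_log, window):
    """True if the user completed MFA at the IDP within `window` before issuance."""
    for ev in mfa_log:
        t = datetime.fromisoformat(ev["time"])
        if ev["user"] == user and not_before - window <= t <= not_before:
            return True
    return False


def find_saml_anomalies(sp_tokens, issuance_log, mfa_log, config):
    """Return {assertion_id: [reasons]} for every SP-side token that deviates
    from the IDP's configured behaviour or lacks corresponding IDP evidence."""
    issued = {r["assertion_id"] for r in issuance_log}
    findings = {}
    for tok in sp_tokens:
        reasons = []
        not_before = datetime.fromisoformat(tok["not_before"])
        lifetime = datetime.fromisoformat(tok["not_after"]) - not_before
        if tok["assertion_id"] not in issued:
            reasons.append("no issuing log at IDP")
        if lifetime > config["max_token_lifetime"]:
            reasons.append("lifetime exceeds IDP-configured maximum")
        if tok["cert_thumbprint"] != config["signing_cert_thumbprint"]:
            reasons.append("signed by certificate not configured at IDP")
        if tok["mfa_claim"] and not _mfa_before(
                tok["user"], not_before, mfa_log, config["mfa_window"]):
            reasons.append("MFA claim without MFA activity at IDP")
        if reasons:
            findings[tok["assertion_id"]] = reasons
    return findings


if __name__ == "__main__":
    result = find_saml_anomalies(SP_TOKENS, IDP_ISSUANCE_LOG, IDP_MFA_LOG, IDP_CONFIG)
    for aid, reasons in result.items():
        print(aid, "->", "; ".join(reasons))
```

In a real deployment the SP-side records would come from the Azure AD sign-in logs and the IDP-side records from the federation server's own audit and MFA logs; the value of the correlation is that a forged token is, by construction, absent from the IDP side, which no SP-only check can reveal.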


Illegitimate Registrations of SAML Trust Relationships

Look for the following:

  • Anomalous administrative session associated with modification of federation trust relationships.

What can be done:

  • Review all federation trust relationships; ensure all are valid.

  • Determine mechanism of administrative account impersonation.

  • Roll administrative account credentials.


Adding Credentials to Existing Applications

Look for the following:

  • Anomalous administrative session associated with modification of federation trust relationships.

  • Unexpected service principals added to privileged roles in cloud environments.

What can be done:

  • Review all applications and service principals for credential modification activity.

  • Review all applications and service principals for excess permissions.

  • Remove all inactive service principals from your environment.

  • Regularly roll creds for all applications and service principals.


Queries Impersonating Existing Applications

Look for the following:

  • Anomalous requests to your resources from trusted applications or service principals.

  • Requests from service principals that added or modified groups, users, applications, service principals, or trust relationships.

What can be done:

  • Review all federation trust relationships, ensure all are valid.

  • Determine mechanism of administrative account impersonation (see below).

  • Roll administrative account credentials.
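The two sections above ("Adding Credentials to Existing Applications" and "Queries Impersonating Existing Applications") both come down to reviewing the Azure AD audit log for credential additions to service principals, service principals placed in privileged roles, and directory changes made by service principals. The Python below is an added example, not ContraForce's or Microsoft's code: it runs those three checks over a constructed, simplified audit log. The record layout is a flattened stand-in for the real audit-log schema, the allow-list of expected credential administrators is hypothetical, and a service principal that trips an earlier check is treated as suspect so that its later activity is rated high severity.

```python
# Real Azure AD role names that grant broad control over the tenant.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Application Administrator", "Cloud Application Administrator"}
# Hypothetical allow-list: accounts expected to manage application credentials.
EXPECTED_CREDENTIAL_ADMINS = {"appadmin@example.com"}
# Directory object types whose modification by a service principal merits review.
DIRECTORY_OBJECT_TYPES = {"User", "Group", "Application", "ServicePrincipal", "Policy"}

# Constructed audit-log records in a simplified, flattened layout (not the real schema).
AUDIT_LOG = [
    {"activity": "Add service principal credentials", "actor": "appadmin@example.com",
     "actor_type": "User", "target": "payroll-sync", "target_type": "ServicePrincipal"},
    {"activity": "Add service principal credentials", "actor": "helpdesk@example.com",
     "actor_type": "User", "target": "legacy-reporting", "target_type": "ServicePrincipal"},
    {"activity": "Add member to role", "actor": "admin@example.com", "actor_type": "User",
     "target": "legacy-reporting", "target_type": "ServicePrincipal",
     "role": "Global Administrator"},
    {"activity": "Add member to role", "actor": "admin@example.com", "actor_type": "User",
     "target": "dave@example.com", "target_type": "User", "role": "Global Administrator"},
    {"activity": "Update user", "actor": "legacy-reporting", "actor_type": "ServicePrincipal",
     "target": "dave@example.com", "target_type": "User"},
    {"activity": "Update application", "actor": "legacy-reporting",
     "actor_type": "ServicePrincipal", "target": "legacy-reporting",
     "target_type": "Application"},
]


def review_audit_log(records):
    """Return a list of findings {index, reason, severity} in log order.

    Service principals that received credentials from an unexpected actor or
    were added to a privileged role become 'suspect'; any directory change
    they make afterwards is reported at high severity."""
    findings = []
    suspect = set()
    for i, r in enumerate(records):
        if (r["activity"] == "Add service principal credentials"
                and r["actor"] not in EXPECTED_CREDENTIAL_ADMINS):
            findings.append({"index": i, "severity": "medium",
                             "reason": "credential added to service principal by unexpected actor"})
            suspect.add(r["target"])
        if (r["activity"] == "Add member to role"
                and r["target_type"] == "ServicePrincipal"
                and r.get("role") in PRIVILEGED_ROLES):
            findings.append({"index": i, "severity": "high",
                             "reason": "service principal added to privileged role"})
            suspect.add(r["target"])
        if (r["actor_type"] == "ServicePrincipal"
                and r["target_type"] in DIRECTORY_OBJECT_TYPES
                and r["activity"].startswith(("Add", "Update", "Remove"))):
            findings.append({"index": i,
                             "severity": "high" if r["actor"] in suspect else "medium",
                             "reason": "service principal modified directory object"})
    return findings


if __name__ == "__main__":
    for f in review_audit_log(AUDIT_LOG):
        print(f["index"], f["severity"], f["reason"])
```

Running the block flags records 1, 2, 4 and 5; record 4 and 5 are rated high only because `legacy-reporting` was already marked suspect by the earlier credential and role events, which is the ordering an analyst reconstructs by hand when reviewing these logs.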


Authentication

The following authentication controls and policy checks should be put in place.

  • Enforce multi-factor authentication (MFA) for all users.

  • Check for new unknown MFA registrations and restrict service accounts from MFA registration.

  • Set the multi-factor authentication access policy to “Do not allow users to create app passwords to sign in to non-browser apps” to prevent bypassing MFA.

  • Review and enforce Conditional Access Policies:

      • Utilize geo-fencing and/or trusted locations.

      • Enforce modern authentication and block legacy authentication.

      • Block “risky sign-ins” of medium severity and above.

  • Monitor authentication requests from unknown identity providers.

  • Monitor for credentials being added to service principals.

  • Ensure Self-Service Password Reset (SSPR) notifications are enabled so that users are notified when their passwords are changed.


Exchange

  • Review mailbox forwarding rules and remove unauthorized rules, including:

      • Tenant-wide mail flow rules

      • Individual mailbox rules

  • Review mailbox delegations and remove unnecessary delegations.

  • Ensure Exchange PowerShell usage is only permitted for Exchange Administrators.
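As an added example of the forwarding-rule review above (not code from the ContraForce advisory), the Python below walks constructed inbox rules and tenant-wide transport rules and flags the patterns a reviewer would remove: forwarding or redirecting to an address outside the tenant's own domains, forwarding combined with deleting the original so the mailbox owner never sees it, and rules with a near-empty name. The property names are modelled on those returned by the Exchange Online `Get-InboxRule` and `Get-TransportRule` cmdlets, but the records themselves and the tenant domain list are assumptions constructed for this example.

```python
# Hypothetical accepted domains for the tenant; anything else is external.
TENANT_DOMAINS = {"example.com"}

# Constructed per-mailbox inbox rules (subset of Get-InboxRule properties).
INBOX_RULES = [
    {"Mailbox": "alice@example.com", "Name": "Team CC",
     "ForwardTo": ["bob@example.com"], "RedirectTo": [],
     "ForwardAsAttachmentTo": [], "DeleteMessage": False},
    {"Mailbox": "cfo@example.com", "Name": ".",
     "ForwardTo": [], "RedirectTo": ["collector@example.net"],
     "ForwardAsAttachmentTo": [], "DeleteMessage": True},
    {"Mailbox": "dave@example.com", "Name": "Archive",
     "ForwardTo": ["dave.personal@example.org"], "RedirectTo": [],
     "ForwardAsAttachmentTo": [], "DeleteMessage": False},
]

# Constructed tenant-wide mail flow rules (subset of Get-TransportRule properties).
TRANSPORT_RULES = [
    {"Name": "Journal to legal", "BlindCopyTo": ["legal@example.com"],
     "RedirectMessageTo": []},
    {"Name": "Backup", "BlindCopyTo": ["backup@example.net"],
     "RedirectMessageTo": []},
]


def _is_external(address, tenant_domains):
    """True if the address's domain is not one of the tenant's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in tenant_domains


def review_forwarding(inbox_rules, transport_rules, tenant_domains):
    """Return findings as (scope, identifier, [reasons]) for rules to review."""
    findings = []
    for r in inbox_rules:
        targets = r["ForwardTo"] + r["RedirectTo"] + r["ForwardAsAttachmentTo"]
        external = [a for a in targets if _is_external(a, tenant_domains)]
        reasons = []
        if external:
            reasons.append("forwards to external recipient(s): " + ", ".join(external))
        if targets and r["DeleteMessage"]:
            reasons.append("forwards and deletes original (hidden from mailbox owner)")
        if len(r["Name"].strip()) <= 1:
            reasons.append("near-empty rule name")
        if reasons:
            findings.append(("mailbox", f'{r["Mailbox"]}/{r["Name"]}', reasons))
    for r in transport_rules:
        targets = r["BlindCopyTo"] + r["RedirectMessageTo"]
        external = [a for a in targets if _is_external(a, tenant_domains)]
        if external:
            findings.append(("tenant", r["Name"],
                             ["copies/redirects to external recipient(s): " + ", ".join(external)]))
    return findings


if __name__ == "__main__":
    for scope, ident, reasons in review_forwarding(INBOX_RULES, TRANSPORT_RULES, TENANT_DOMAINS):
        print(scope, ident, "->", "; ".join(reasons))
```

The external-domain check deliberately compares against the tenant's accepted domains rather than a blocklist, so a newly registered look-alike domain is caught without any prior knowledge of it.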


Mitigating SUNBURST Techniques with ContraForce XDR

CISA has assessed the threat actors involved and the techniques they used in this attack in order to identify the corresponding MITRE ATT&CK techniques.


MITRE ATT&CK® Techniques

  • Query Registry [T1012]

  • Obfuscated Files or Information [T1027]

  • Obfuscated Files or Information: Steganography [T1027.003]

  • Process Discovery [T1057]

  • Indicator Removal on Host: File Deletion [T1070.004]

  • Application Layer Protocol: Web Protocols [T1071.001]

  • Application Layer Protocol: DNS [T1071.004]

  • File and Directory Discovery [T1083]