According to recent industry research, the MERCURY APT group (aka MuddyWater, Static Kitten), widely considered to be affiliated with Iranian Ministry of Intelligence and Security (MOIS) interests, has been observed running multiple campaigns and tools that launch damaging attacks in Microsoft Azure cloud environments.
Research conducted by Microsoft shows how these nation-state attackers gained access to vulnerable, insecure on-site resources as well as cloud environments, enabling them to inflict extensive damage on the target’s infrastructure. In targeted organizations running hybrid Windows domain environments that combine local Active Directory (AD) and Azure Active Directory (AAD), the attackers manipulated the Azure Active Directory Connect agent, used it to gain entry into the organization’s online Azure infrastructure, and subsequently destroyed the victim’s Azure environment.
This included wiping out Azure virtual machine instances, server farms and workloads, virtual networks, storage accounts, and more.
Throughout their operations, the threat actors have actively targeted both on-premise and cloud environments. From what is currently known of this campaign, their primary objectives have been disruption and destruction.
Interestingly, this disruptive and destructive behavior is in line with the Tactics, Techniques, and Procedures (TTPs) commonly seen from Iranian nation-state attackers, most notably the damaging 2012 Saudi Aramco attacks carried out by Iranian hackers, as well as their continued use of DDoS attacks and wiper malware strains that overwrite systems or otherwise leave them unusable or unrecoverable (unless organizations have working backups).
Doubly interesting is the APT group’s strong pivot towards the Microsoft cloud ecosystem: their past attacks focused mostly on vulnerable, on-premises Exchange services and Fortinet security appliances, or more recently on online services such as Dropbox and OneHub.
Why do these incidents occur?
It should come as no surprise that today’s sophisticated hackers are increasingly focusing on cloud environments to further their agendas. Irrespective of geopolitics playing a part in this nation-state actor’s story, we continue to see exploitation of remote access tools as a prime initial access vector into target environments.
As most organizations continue their evolution into the cloud, hybrid infrastructures provide flexibility for requirements that cannot be fulfilled in cloud-only ecosystems, or may not yet be ready to be cloudified. Maintaining on-premise and cloud-native resources (presumably in a synchronized, hybrid fashion) enables these enterprises to enjoy the best of both worlds until more efficient methods can mature for them.
With this philosophy becoming more commonplace, threat actors relish the thought of flexing their muscles on the more traditional and established access vectors (say, remote desktop connection), to then ultimately be rewarded with a pivot-point into the target’s cloud infrastructure. Subsequently, that whole new cloud domain represents vast opportunity for theft, financial gain through ransom, disruption, or even just outright destruction as we see here.
What can be done?
Threats like these feast on vulnerable or exposed services that offer a beachhead into a target’s environment. From that point, it simply becomes a matter of where and how malicious actors exploit excess privileges and permissions to carry out their attacks. Reducing your overall attack surface, at the very least, will go a long way towards thwarting the “low hanging fruit” temptations laid in front of threat actors. This means disabling or, at minimum, segmenting remote access services, private applications, or protocols that are no longer needed, or that should not be left publicly accessible behind dated perimeter tools. Capabilities like Zero Trust Network Access (ZTNA) allow organizations to create software-defined perimeters and divide the corporate network into multiple micro-segments, preventing lateral movement of threats and reducing the attack surface in case of a breach.
Continuous access assessments and validations are also very effective mitigation techniques, since attempted abuse can be identified and prevented case by case for each access request. After assessing user identity, device identity, posture, and other contextual factors, ZTNA grants “least privilege” access to specific applications, rather than to the entire underlying network, for any user with a successful login.
Since we’re also seeing configurations within Microsoft Azure environments being tampered with to pave the way for destruction, as well as abuse of privileged Microsoft Azure admin accounts, capabilities like Posture Management can help detect and prevent activities and changes deemed anomalous or contrary to corporate standards.
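To make the detection side of this concrete, here is an added example (not code from the original post, and not Skyhigh Security’s product logic) that runs two simple checks over Azure Activity Log style records: a burst of successful destructive operations (VM, storage account, virtual network and resource group deletes) by one caller inside a short window, and role-assignment writes by the same caller shortly before the deletes. The operation names are real Azure resource-provider operations; the log records, the `aadsync@contoso.example` account name standing in for a directory sync service account, the 10-minute window and the threshold of three operations are all constructed assumptions for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Operations whose success removes infrastructure outright. These are real Azure
# operation names; the list itself is an assumption for the example.
DESTRUCTIVE_OPS = {
    "Microsoft.Compute/virtualMachines/delete",
    "Microsoft.Storage/storageAccounts/delete",
    "Microsoft.Network/virtualNetworks/delete",
    "Microsoft.Resources/subscriptions/resourceGroups/delete",
}
# Operations that change who holds privilege in the subscription.
PRIVILEGE_OPS = {"Microsoft.Authorization/roleAssignments/write"}

SUB = "/subscriptions/SUBSCRIPTION-ID-PLACEHOLDER"

def _rec(op, caller, ts, resource):
    """Build one constructed record shaped like an Azure Activity Log entry."""
    return {"operationName": op, "caller": caller, "eventTimestamp": ts,
            "resourceId": resource, "status": "Succeeded"}

# Constructed sample log (not real telemetry). ops@ performs routine work; the
# sync service account grants itself a role and then deletes a whole environment.
SAMPLE_LOG = json.dumps([
    _rec("Microsoft.Compute/virtualMachines/read", "ops@contoso.example",
         "2023-01-15T08:00:00Z", SUB + "/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/web01"),
    _rec("Microsoft.Compute/virtualMachines/delete", "ops@contoso.example",
         "2023-01-15T08:30:00Z", SUB + "/resourceGroups/dev/providers/Microsoft.Compute/virtualMachines/test01"),
    _rec("Microsoft.Authorization/roleAssignments/write", "aadsync@contoso.example",
         "2023-01-15T21:55:00Z", SUB + "/providers/Microsoft.Authorization/roleAssignments/ASSIGNMENT-ID-PLACEHOLDER"),
    _rec("Microsoft.Compute/virtualMachines/delete", "aadsync@contoso.example",
         "2023-01-15T22:00:00Z", SUB + "/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/web01"),
    _rec("Microsoft.Compute/virtualMachines/delete", "aadsync@contoso.example",
         "2023-01-15T22:01:00Z", SUB + "/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/web02"),
    _rec("Microsoft.Storage/storageAccounts/delete", "aadsync@contoso.example",
         "2023-01-15T22:02:00Z", SUB + "/resourceGroups/prod/providers/Microsoft.Storage/storageAccounts/prodblob"),
    _rec("Microsoft.Network/virtualNetworks/delete", "aadsync@contoso.example",
         "2023-01-15T22:03:00Z", SUB + "/resourceGroups/prod/providers/Microsoft.Network/virtualNetworks/prod-vnet"),
    _rec("Microsoft.Resources/subscriptions/resourceGroups/delete", "aadsync@contoso.example",
         "2023-01-15T22:04:00Z", SUB + "/resourceGroups/prod"),
])

def parse_activity_log(raw_json):
    """Parse the JSON array, attach a datetime per record and sort by time."""
    events = json.loads(raw_json)
    for e in events:
        # Activity Log timestamps end in 'Z'; fromisoformat wants an explicit offset.
        e["_ts"] = datetime.fromisoformat(e["eventTimestamp"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["_ts"])

def find_destructive_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Return {caller: peak count} for callers whose successful destructive
    operations inside any single window reach the threshold (sliding window)."""
    per_caller = defaultdict(list)
    for e in events:
        if e["operationName"] in DESTRUCTIVE_OPS and e["status"] == "Succeeded":
            per_caller[e["caller"]].append(e["_ts"])
    flagged = {}
    for caller, times in per_caller.items():
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[caller] = peak
    return flagged

def find_role_assignment_changes(events):
    """Return (caller, resourceId) for every successful role-assignment write."""
    return [(e["caller"], e["resourceId"]) for e in events
            if e["operationName"] in PRIVILEGE_OPS and e["status"] == "Succeeded"]

def triage(raw_json):
    """Correlate both signals: a caller who changed role assignments and then
    produced a destructive burst is the highest-priority finding."""
    events = parse_activity_log(raw_json)
    bursts = find_destructive_bursts(events)
    role_changes = find_role_assignment_changes(events)
    high = sorted({caller for caller, _ in role_changes if caller in bursts})
    return {"bursts": bursts, "role_changes": role_changes, "high_priority_callers": high}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

The single delete by `ops@contoso.example` stays below the threshold and is not reported, while the sync account is flagged both for the burst of five deletes and for the preceding role-assignment write; in practice the window and threshold would be tuned per subscription, and the same two checks translate directly into an alert rule on exported Activity Log data.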
Skyhigh Security helps with this by extending Activity Monitoring and Security Configuration Audit features to Microsoft Azure infrastructures. To detect internal and external threats to Azure infrastructure, Skyhigh Security captures a complete record of all user activity in Microsoft Azure across multiple heuristics, detects threats, automatically takes risk-mitigating action, and supports forensic investigations. As threats are resolved, Skyhigh automatically incorporates this data into its behavioral models to improve detection accuracy.
Skyhigh dynamically and continuously updates thresholds for each user and group to identify activities indicative of insider threats. In-built Privileged User Analytics identify risk from inactive administrator accounts, excessive permissions, and unwarranted escalation of permissions and user provisioning.