The rise of cloud services, such as Microsoft Azure and Google, has had a revolutionary impact on how businesses manage their networks and store data. In the past, companies were primarily concerned with physical break-ins or the hacking of WiFi networks when it came to protecting their business accounts. However, with the shift to the cloud and the implementation of hybrid synchronization between on-premises Active Directory (AD) and the cloud environment, weak password policies in on-premises AD, for example, can lead to weak passwords in the cloud. This poses an increased risk of security breaches. Unfortunately, many organizations do not always fully grasp the impact of this situation. In this blog post, we will discuss multiple dangers and provide key measures to effectively protect yourself and your business from such risks. We also aim to raise awareness as you read through this information."
We often see that on-premises AD servers have weak password policies, which allow the use of simple passwords such as 'Welcome01' or the company name itself. These weak passwords are then synchronized with the cloud, for example with Azure AD, creating security risks. Even seemingly harmless accounts can, in reality, cause significant damage.
Both within on-premises and Azure AD, standard user accounts have read rights to all objects. This means that someone with access to a user account in your tenant automatically has access to all your user data, groups, applications, and so on. This breach often occurs completely automatically and is not always detected by an Endpoint Detection and Response (EDR) system. Hackers then use this collected data to gain access to other user accounts, for example through phishing attacks.
To protect yourself and your organization from such attacks, we recommend the following measures:
1) Use Azure Conditional Access Policies: With Azure conditional access policies, you can restrict account access to specific IP addresses, such as your trusted office network. This prevents attackers from logging in from external locations. For employees working remotely, it is advisable to implement a VPN configuration that uses an IP address of the office, or even a separate IP address.
2) Limit Access to Graph API / PowerShell: Within Azure, you can deny standard users access to Graph API and PowerShell by default. By assigning a role to the application within Azure, users must have the appropriate role to authenticate with these tools. This can prevent script-kiddies from randomly using tools from the internet against your organization.
Example security:
MFA (Multi-Factor Authentication) certainly provides protection against many attacks by requiring an attacker to have a second factor to actually log in. However, there are phishing attacks that can reuse PRTs (Primary Refresh Tokens), similar to what happens with SSO (Single Sign-On). These tokens, which serve as an authentication means for users on a device, can contain an MFA claim. Stealing such a token can enable an attacker to log into an account without needing to use MFA at all, as it bypasses the usual username + password flow.
Microsoft also offers various methods for authentication, including the well-known 'device code flow', which, unfortunately, is often exploited in phishing attacks. Let's take a closer look at this flow and understand how it works.
The 'device code flow' is an authentication method specifically designed to assist users in logging in on devices where direct keyboard and screen input might not be available, such as smart TVs, game consoles, and other IoT devices. It utilizes a two-step verification process to authenticate the user's identity.
All that is needed to log in with an already logged-in account is a 10-digit code, which can be provided by a malicious actor setting up a phishing email.
By implementing the aforementioned solution, you can protect end-users against such attempts.
In addition to the aforementioned measures, it is crucial to discuss the use of antivirus software. Many organizations rely heavily on this software, assuming it will block all potential threats. Unfortunately, this is one of the most common misconceptions in security. The belief that 'if the antivirus program didn't alert, it must be safe' is a pitfall many users fall into.
It's important to understand that antivirus software operates based on signatures and behaviour analysis to identify and block known malware. However, this means new, previously unidentified malware may not be detected. Hackers are aware of these limitations and use advanced techniques to bypass antivirus programs.
A concerning example of this situation is that on websites like antiscan.me, attackers can easily check beforehand if their malicious code is detected by antivirus programs. As of 2023, it's still possible for hackers to bypass nearly all antivirus packages with a few simple code modifications. This means that a seemingly harmless file or an apparently safe website may still contain dangerous malware.
Does this mean antivirus software is useless? Absolutely not. It remains a crucial component of the security strategy and can still block a significant number of known threats. However, it should not be considered the sole line of defense.
A layered security approach is essential to protect your organization. In addition to antivirus software, you should invest in regular software updates, firewalls, intrusion detection/prevention systems, and employee awareness training. Implementing more advanced security solutions, such as endpoint protection and behaviour analysis, can also aid in detecting unknown threats.
Furthermore, it is crucial to raise employee awareness of risks and train them to recognize suspicious emails, phishing attempts, and unsafe websites. By promoting a culture of security awareness and organizing regular training sessions, you can reduce the human element of security breaches.
In the rapidly evolving world of cybersecurity, cloud services have become an easy target for malicious actors. The migration to the cloud brings new challenges, with organizations often underestimating potential consequences, such as weak password policies and unintended security risks. While the use of antivirus software is important, it should not be considered the sole line of defense.
To effectively protect your organization against security breaches, it is essential to implement a layered security strategy. This includes using Azure conditional access policies to restrict account access, limiting access to critical tools like Graph API and PowerShell, and implementing VPNs for remote workers. Additionally, businesses should be aware of the limitations of MFA and take additional measures to protect themselves.
It's important to understand that antivirus software, although valuable, is not infallible. It may not detect new and unknown threats. Therefore, organizations should invest in multiple layers of security, including regular software updates, firewalls, intrusion detection/prevention systems, and employee awareness training. Promoting a culture of security awareness and training employees to recognize suspicious emails, phishing attempts, and unsafe websites is crucial.
Through a combination of technical measures, education, and awareness, organizations can better protect themselves against the dangers of cloud services and malicious attacks. It is an ongoing effort to tighten security and stay informed about new threats. By acting proactively and building a robust security infrastructure, you can ensure the safety of your data and your business in an ever-changing digital landscape.
Curious to know if you can defense against cybercriminals? Schedule a security assessment with WhiteHats!"
