Hackers could manipulate Azure agent, using skeleton key to attack cloud infrastructure

News by Rene Millman

A skeleton key could unlock an Azure environment for cyber-criminals. It is not a vulnerability but a new way to exploit an Azure-synced environment, so no patch is expected.

Security researchers have discovered a way of manipulating an on-prem server called an Azure agent so that an attacker can establish a backdoor and gather user credentials.

According to a blog post by researchers at Varonis, this means that if an on-prem environment is compromised, the attacker can use it to pivot to the Azure environment.

Eric Saraga, a security researcher at Varonis, said that if an attacker compromises an organisation's Azure agent server, a component needed to sync Azure Active Directory (AD) with on-premises Active Directory, they can create a backdoor that allows them to login as any synchronised user.

“This attack method exploits the Azure agent used for Pass-Through Authentication. The on-prem agent collects and verifies credentials received by Azure AD for accounts that are synced with on-prem domains,” said Saraga.

To exploit the agent, an attacker needs Azure AD Connect configured for Pass-Through Authentication and administrative privileges on a server with an Azure agent installed.

“After compromising a server running an Azure agent, we can tamper with the authentication flow. The process that’s responsible for verifying credentials is conveniently called ‘AzureADConnectAuthenticationAgentService.exe’ and it relies on the API function ‘LogonUserW’. Microsoft’s documentation states, ‘the Authentication Agent attempts to validate the username and the password against on-premises Active Directory by using the Win32 LogonUser API with the dwLogonType parameter set to LOGON32_LOGON_NETWORK’,” said Saraga.
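Because the attack described above works by tampering with the agent process that calls LogonUserW, a defender's first check on a PTA agent server is whether that process and everything loaded into it still carry valid signatures. The following script is an added example, not code from Varonis or Microsoft; the process name is the one quoted in the article, while the service name and the requirement to run elevated are assumptions.

```powershell
# Added example: audit the Pass-Through Authentication agent for signs of tampering.
# Run from an elevated PowerShell session on the agent server (assumption: the agent
# runs as SYSTEM, so module enumeration needs administrator rights).
$ProcessName = 'AzureADConnectAuthenticationAgentService'   # as named in the article
$ServiceName = 'AzureADConnectAuthenticationAgent'          # assumption; confirm with Get-Service

function Test-PtaAgentIntegrity {
    [CmdletBinding()]
    param()

    $findings = @()

    # The agent should be installed and running; a stopped or missing service is itself a finding.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if (-not $svc) {
        $findings += "Service '$ServiceName' not found on this host"
    } elseif ($svc.Status -ne 'Running') {
        $findings += "Service '$ServiceName' is $($svc.Status), expected Running"
    }

    $procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
    if (-not $procs) {
        $findings += "Process '$ProcessName' is not running"
        return $findings
    }

    foreach ($p in $procs) {
        # The agent binary itself must carry a valid Microsoft Authenticode signature.
        $sig = Get-AuthenticodeSignature -FilePath $p.Path
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $findings += "PID $($p.Id): binary '$($p.Path)' signature status $($sig.Status)"
        }
        # Every module loaded into the process that validates credentials should be signed;
        # an unsigned or invalidly signed DLL inside it is the kind of tampering to alert on.
        foreach ($m in $p.Modules) {
            $msig = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
            if (-not $msig -or $msig.Status -ne 'Valid') {
                $findings += "PID $($p.Id): module '$($m.FileName)' status $($msig.Status)"
            }
        }
    }
    return $findings
}

$result = Test-PtaAgentIntegrity
if ($result.Count -eq 0) { 'No findings: agent binary and loaded modules are validly signed' }
else { $result | ForEach-Object { "FINDING: $_" } }
```

Any finding should be correlated with the server's own change and patch history before being treated as compromise, since a legitimate agent update also changes the loaded modules.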

Saraga added that it is important to keep in mind that this attack is not a vulnerability, but a new way to exploit an Azure-synced environment.

“An attacker requires privileged access to exploit the Azure agent in this way, so the Microsoft Security Response Center’s response to our report leads us to believe a patch will not be created,” he said.

“This report does not appear to identify a weakness in a Microsoft product or service that would enable an attacker to compromise the integrity, availability, or confidentiality of a Microsoft offering. For this issue, the attacker needs to compromise the machine first before they can take over the service,” added Saraga, quoting the MSRC response.

A potential solution would include forwarding the encrypted credentials from the agent to a centralised agent on the DC. That DC agent would verify the user and return an encrypted response that can only be opened by the Azure Cloud.

Eoin Keary, CEO and cofounder of edgescan, told SC Media UK that backend access to systems such as Azure or other cloud environments should have mandatory multifactor authentication.

“If a password is compromised or a "skeleton key" is generated, it would still require a second factor of authentication to prevent successful login with one factor (password alone). It is also good practice for a system to request the second factor of authentication before a user commits "sensitive" functions such as writing, creating objects or user accounts etc. The use of multifactor authentication prevents a wide array of vulnerabilities from being exploitable,” he said.

“The ability to dump all clear text credentials is not specifically an issue related to this vulnerability. Nowadays nobody should be storing passwords in clear text. Salted hash/Bcrypt or something similar should be used to store passwords and authentication credentials.”

Dan Pitman, principal security architect at Alert Logic, told SC Media that just yesterday, Microsoft announced they were pausing auto-updating of the Azure Service Fabric, which this relates to – the Microsoft Azure Virtual Machine Agent (VM Agent) is a process that manages virtual machine (VM) interaction with the Azure Fabric Controller.

“They had also just released a new version, including notable changes to the Service Fabric Managed Identity service. One wonders if these things are related,” he said.
