Lateral Movement Exploitation in New Microsoft Azure AD CTS Feature

Written by Jacob Dancey

Introduction

Microsoft announced Cross-Tenant Synchronisation (CTS) in June, which allows administrators to effortlessly synchronise users and groups across various tenants and their related resources. This innovation improves collaboration by automating lifecycle management for business-to-business projects, among other things.

The CTS configuration entails connecting an Azure 'source' tenant to a 'target' tenant, with users from the source automatically synchronised to the target. Data is exclusively pushed from the source to the target during this unilateral synchronisation.

However, if not properly configured, bad actors who have already infiltrated a tenant and gained elevated rights could take advantage of this new feature. They could exploit it to travel laterally to other interconnected tenants and build persistent unauthorised CTS settings, potentially leading to additional compromise.

Invictus previously highlighted this potential attack vector in a paper that largely focuses on detecting and fighting threats that leverage this functionality.

Vulnerabilities in CTS Configuration

Vectra, a cybersecurity firm, elaborates in their article on how threat actors could exploit this functionality to move laterally to related tenants or establish persistence within them.

Nonetheless, Vectra emphasises that exploiting this capability requires the initial penetration of a privileged account or the acquisition of privilege escalation within a hacked Microsoft cloud infrastructure.

"While we have not yet observed this technique being used in real-world incidents, given the historical misuse of similar functionalities, we provide comprehensive insights to help defenders understand potential attack scenarios and implement monitoring mechanisms," Vectra notes.

Vectra's report describes two main techniques:

  1. Target Tenant Identification: The first technique entails reviewing CTS setups to identify target tenants that are linked via these rules. The attacker specifically looks for tenants that have 'Outbound Sync' enabled, a setting that allows a tenant to synchronise users to other tenants. Once a suitable tenant has been located, the attacker updates the configuration of the application in charge of CTS synchronisation. This operation places the compromised user within the sync scope, providing unauthorised access to the other tenant. Importantly, this technique allows for lateral movement without the need for new user credentials.
  2. Persistent Access Establishment: The second option involves creating a rogue CTS configuration to maintain persistent access to target tenants. Once again, this method assumes that the threat actor has previously compromised a privileged account within the tenancy. The attacker uses this method to deploy a new CTS policy and enable 'Inbound Sync' and 'Automatic User Consent.' These settings allow the attacker to add new users to the target tenant from their external tenant at any time. This configuration ensures that the external account has ongoing access to the target tenant. Even if the rogue accounts are removed, the attacker could generate and "push" new users, allowing quick access to the target tenant's resources—effectively creating a secret "backdoor."

Defending Against These Attacks

While no reported attacks utilising this functionality have been discovered, Vectra advises techniques to strengthen your configuration and reduce the possibility of exploitation. Businesses must maintain their commitment to implementing and enforcing security best practices in order to reduce the risk of account compromise. The following guidelines are critical for CTS target and source tenants to strengthen their security posture:

CTS Target Tenants

  1. Prudent Configuration Choices: It is imperative for CTS target tenants to steer clear of adopting a default inbound CTA configuration that indiscriminately permits synchronization of all users, groups, and applications from the source tenant. This step is crucial in preventing unauthorized access and potential compromise.
  2. Refined Inbound CTA Configuration: Opt for a more selective and refined inbound CTA configuration. Explicitly define the accounts or groups that are authorized to access the target tenant via CTS. By doing so, unnecessary access is curtailed, reducing the attack surface and potential risks.
  3. Augment with Conditional Access Policies: Enhance security measures by combining the CTA policy with additional Conditional Access Policies. These supplementary policies can play a pivotal role in preventing any unauthorized access attempts, fortifying the overall defense against potential breaches.

CTS Source Tenants

  1. Prudent Group Regulation and Monitoring: Ensure meticulous regulation and continuous monitoring of groups that possess the privilege to access other tenants through CTS, as well as any other privileged groups. This oversight is critical to maintaining control and detecting any unauthorized or anomalous activities promptly.
  2. Swift Detection and Scalable Response: Establish mechanisms for the swift and comprehensive detection of potential threats or breaches. Implement measures that allow for a rapid response at scale, ensuring that any suspicious activities are promptly investigated and addressed to curtail potential threats.
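As an added illustration of the checks behind the target- and source-tenant recommendations above (example code written for this article, not code from Vectra or from the article itself), the following Python script audits cross-tenant access partner records for the two risky patterns the page describes: the default inbound configuration that admits all users from the source tenant, and the 'Inbound Sync' plus 'Automatic User Consent' combination used for the persistence backdoor. The record field names follow the Microsoft Graph crossTenantAccessPolicyConfigurationPartner shape as an assumption; every tenant id and record below is constructed.

```python
"""Audit Entra ID cross-tenant access partner records for the CTS abuse patterns
above. Records are assumed to follow the Microsoft Graph
crossTenantAccessPolicyConfigurationPartner shape; all sample data is constructed."""

# Constructed: the only partner tenant this organisation expects to see.
APPROVED_PARTNERS = {"11111111-1111-1111-1111-111111111111"}

def allows_all_users(partner):
    """True if inbound B2B collaboration allows the 'AllUsers' target, the default
    'everyone from the source tenant' setting the guidance above warns against."""
    users = (partner.get("b2bCollaborationInbound") or {}).get("usersAndGroups") or {}
    if users.get("accessType") != "allowed":
        return False
    return any(t.get("target") == "AllUsers" for t in users.get("targets", []))

def audit_partner(partner, approved=APPROVED_PARTNERS):
    """Return the findings for one partner configuration (empty list = clean)."""
    findings = []
    sync = (partner.get("identitySynchronization") or {}).get("userSyncInbound") or {}
    consent = partner.get("automaticUserConsentSettings") or {}
    inbound_sync = bool(sync.get("isSyncAllowed"))
    if partner.get("tenantId") not in approved:
        findings.append("partner tenant is not on the approved list")
    if inbound_sync and consent.get("inboundAllowed"):
        # The backdoor combination: the source tenant can push new users at any time.
        findings.append("inbound sync with automatic user consent enabled")
    elif inbound_sync:
        findings.append("inbound sync enabled without automatic consent")
    if allows_all_users(partner):
        findings.append("inbound access allows AllUsers instead of explicit groups")
    return findings

def audit(partners, approved=APPROVED_PARTNERS):
    """Map each partner tenant id to its findings."""
    return {p.get("tenantId"): audit_partner(p, approved) for p in partners}

# Constructed samples: an approved, group-scoped partner and a rogue one.
SAMPLE_PARTNERS = [
    {"tenantId": "11111111-1111-1111-1111-111111111111",
     "automaticUserConsentSettings": {"inboundAllowed": False},
     "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": True}},
     "b2bCollaborationInbound": {"usersAndGroups": {"accessType": "allowed",
         "targets": [{"target": "aaaaaaaa-0000-0000-0000-000000000001", "targetType": "group"}]}}},
    {"tenantId": "22222222-2222-2222-2222-222222222222",
     "automaticUserConsentSettings": {"inboundAllowed": True},
     "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": True}},
     "b2bCollaborationInbound": {"usersAndGroups": {"accessType": "allowed",
         "targets": [{"target": "AllUsers", "targetType": "user"}]}}},
]
```

Calling audit(SAMPLE_PARTNERS) reports the rogue partner on all three checks, while the approved partner only surfaces the informational note that inbound sync is on; in practice the input would be the partner list pulled from the tenant's cross-tenant access policy.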

By adhering to these comprehensive recommendations, businesses can significantly enhance their security posture and minimize the vulnerabilities associated with the Cross-Tenant Synchronization (CTS) feature. This proactive approach to security underscores the commitment to safeguarding critical resources and data from compromise and unauthorized access.

CSA will continue to monitor the situation and will work with all affected clients to create rules to further protect all assets that could be affected by a CTS attack.

References

https://www.bleepingcomputer.com/news/security/new-microsoft-azure-ad-cts-feature-can-be-abused-for-lateral-movement/

https://www.vectra.ai/blogpost/microsoft-cross-tenant-synchronization
