Threat Actors Exploit Cloud Application Identities To Gain Persistence
Threat actors targeting cloud environments appear to be on the rise, according to recent findings discussed in a Microsoft Threat Intelligence blog post.
According to the post, attackers either create new Azure application registrations or modify existing ones, attaching powerful credentials to these applications. These application credentials then serve as a means of persistence, enabling attackers to execute actions such as deploying virtual machines for cryptocurrency mining, launching applications for attacker-in-the-middle identity attacks, or sending spam using the organization's resources and domain name.
This application identity approach ensures continued access, even if the original compromised account is no longer accessible – persistence being a key objective for threat actors.
The applications in Azure typically rely on OAuth, an open standard for authorization flows widely employed in modern Identity as a Service (IDaaS) solutions like Microsoft Entra ID (formerly Azure Active Directory).
It's important to note that identities extend beyond human users to include "robots", that is, application identities. As organizations automate more of their processes, tasks involving privileged access often invoke various internal and external APIs, access sensitive data, and orchestrate activities such as user onboarding and data integration between systems like ERP and CRM.
This underscores the critical importance of monitoring not only user identities (traditionally Active Directory users and groups in the on-premises world) but also application-based identities (akin to Kerberos service principals).
Interestingly, the impacted organizations in these attacks only detected suspicious activities indirectly; they noticed unexpected compute fees ranging from $10,000 to $1.5 million, prompting them to investigate. The computationally intensive nature of crypto mining apparently made the malicious activity more visible.
In any case, as organizations increasingly shift to cloud Infrastructure as a Service (IaaS) and Software as a Service (SaaS) applications, it is foreseeable that threat actors will intensify their focus on cloud compromise, moving away from traditional operating systems and servers. This emphasizes the necessity of monitoring activities within cloud IaaS, Platform as a Service (PaaS), and particularly IDaaS resources, such as Entra ID in this instance.
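The monitoring the article calls for starts with the Entra ID audit log, where additions of application registrations and credentials are recorded. The following detection sketch is an added example, not code from the article or from Microsoft: the records are constructed, and the field names (`activityDisplayName`, `initiatedBy`, `targetResources`) and activity names are assumptions modelled on the Microsoft Graph directory audit schema that should be confirmed against a real export. It flags every successful credential addition to an application identity, raises the severity when the same actor registered the application shortly beforehand (the create-then-attach-credential pattern described above), and downgrades additions made by allowlisted automation accounts.

```python
"""Detect credential additions to Entra ID application identities.

Added example. Sample records are constructed; field and activity names are
assumptions based on the Microsoft Graph directoryAudit schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Activity names that attach credentials to app registrations or service
# principals (assumed values; verify them in your tenant's audit log).
CREDENTIAL_ACTIVITIES = {
    "Update application – Certificates and secrets management",
    "Add service principal credentials",
}
# Activity names that create a new application identity (assumed values).
APP_CREATE_ACTIVITIES = {"Add application", "Add service principal"}

# Automation accounts that are expected to rotate credentials (constructed).
KNOWN_CREDENTIAL_MANAGERS = {"svc-pipeline@example.test"}

# Constructed sample records shaped like Entra ID audit log entries.
SAMPLE_RECORDS = [
    {"activityDateTime": "2024-01-10T09:00:00Z", "activityDisplayName": "Add application",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "jdoe@example.test"}},
     "targetResources": [{"displayName": "Backup Sync", "type": "Application"}]},
    {"activityDateTime": "2024-01-10T09:03:00Z",
     "activityDisplayName": "Update application – Certificates and secrets management",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "jdoe@example.test"}},
     "targetResources": [{"displayName": "Backup Sync", "type": "Application"}]},
    {"activityDateTime": "2024-01-10T11:30:00Z", "activityDisplayName": "Add service principal credentials",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "jdoe@example.test"}},
     "targetResources": [{"displayName": "HR Integration", "type": "ServicePrincipal"}]},
    {"activityDateTime": "2024-01-10T12:00:00Z",
     "activityDisplayName": "Update application – Certificates and secrets management",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "svc-pipeline@example.test"}},
     "targetResources": [{"displayName": "CI Deployer", "type": "Application"}]},
    {"activityDateTime": "2024-01-10T12:05:00Z", "activityDisplayName": "Update user",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "jdoe@example.test"}},
     "targetResources": [{"displayName": "asmith@example.test", "type": "User"}]},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def _actor(rec):
    # The initiator is either a user or an app; fall back to "unknown".
    initiated = rec.get("initiatedBy") or {}
    user = initiated.get("user") or {}
    app = initiated.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def _target(rec):
    targets = rec.get("targetResources") or [{}]
    return targets[0].get("displayName", "unknown")


def detect_credential_persistence(records, window=timedelta(minutes=30)):
    """Return one finding per successful credential addition, with a severity.

    high:   the same actor created the target identity within `window` before
            attaching a credential (create-then-persist pattern).
    medium: any other credential addition by a non-allowlisted actor.
    info:   credential addition by an allowlisted automation account.
    """
    findings = []
    creates = defaultdict(list)  # (actor, target) -> timestamps of creations
    for rec in sorted(records, key=lambda r: _ts(r["activityDateTime"])):
        if rec.get("result") != "success":
            continue  # failed attempts are worth alerting on too, but are out of scope here
        activity = rec["activityDisplayName"]
        actor, target, when = _actor(rec), _target(rec), _ts(rec["activityDateTime"])
        if activity in APP_CREATE_ACTIVITIES:
            creates[(actor, target)].append(when)
            continue
        if activity not in CREDENTIAL_ACTIVITIES:
            continue
        severity, reason = "medium", "credential added to application identity"
        if actor in KNOWN_CREDENTIAL_MANAGERS:
            severity, reason = "info", "credential added by allowlisted automation account"
        elif any(timedelta(0) <= when - created <= window for created in creates[(actor, target)]):
            severity, reason = "high", "identity created and credential attached within window"
        findings.append({"time": when.isoformat(), "actor": actor, "target": target,
                         "activity": activity, "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in detect_credential_persistence(SAMPLE_RECORDS):
        print(f"[{finding['severity']:6}] {finding['time']} {finding['actor']} -> "
              f"{finding['target']}: {finding['reason']}")
```

On the constructed records this yields three findings: a high-severity one for "Backup Sync" (registered and given a credential three minutes later by the same user), a medium one for the credential added to the existing "HR Integration" service principal, and an informational one for the allowlisted pipeline account. In production the same logic would run over a Graph API or Log Analytics export rather than an inline list, and the allowlist should be a reviewed inventory of approved credential managers, not a single hard-coded account.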
Anticipating such threats, we have previously covered the topic of monitoring application identities in Azure Entra ID, as detailed here.