Microsoft has detailed how one sophisticated hacking group is able to get from a cracked cloud password to full control over a network in less than a week.
“Every day, we see attackers mount an offensive against target organizations through the cloud and various other attack vectors with the goal of finding the path of least resistance, quickly expanding foothold, and gaining control of valuable information and assets,” Microsoft’s Threat Protection Intelligence Team said, as they detailed a particularly sophisticated type of attack they have been monitoring and defending customers against.
In particular, the Microsoft team identified the group it calls Holmium as among the most effective in using cloud-based attack vectors of all those — including organised crime and nation-state backed hackers — that it tracks.
Also known as APT33, StoneDrill and Elfin, this group is widely linked to Iran, and has been performing espionage and destructive attacks targeting aerospace, defence, chemical, mining, and petrochemical companies for a number of years now.
Microsoft’s researchers said Holmium uses various ways to gain access to its targets, including spear-phishing emails and attempts to use lists of well-known passwords to break into accounts — a technique known as ‘password spraying’.
But many of Holmium’s recent attacks have involved a penetration testing tool called Ruler used alongside compromised Exchange credentials. The researchers said the hacking group has been running cloud-based attacks with Ruler since 2018, with another wave of such attacks in the first half of 2019.
These attacks typically started with ‘intensive’ password spraying against exposed Active Directory Federation Services infrastructure; organizations that were not using multi-factor authentication had a higher risk of having accounts compromised, Microsoft noted.
Armed with some Office 365 accounts, the group then launched the next step with Ruler, which gives them control over the PC, which the hackers can then use to explore further.
“Once the group has taken control of the endpoint (in addition to the cloud identity), the next phase was hours of exploration of the victim’s network”, Microsoft said.
This involved finding more user accounts and PCs to attack on the network.
These attacks typically took less than a week from initial access via the cloud to obtaining “unhampered access and full domain compromise”, Microsoft said. This access then allowed the attackers to stay on the network for long periods of time, sometimes for months on end.
During these attacks, many target organizations reacted too late — for example when the malicious activities started manifesting on endpoints via PowerShell commands and subsequent lateral movement behaviour, the researchers warned.
“The earlier attack stages like cloud events and password spray activities were oftentimes missed or sometimes not linked with activities observed on the endpoint. This resulted in gaps in visibility and, subsequently, incomplete remediation,” the researchers said, noting that Microsoft’s Threat Protection suite was able to defend against such attacks.
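As an added defender's example (not code from Microsoft's report or this article), the correlation the researchers say was missing: a small Python routine that flags a password-spray source from constructed sign-in records and links any account that later succeeded from that source to PowerShell execution on an endpoint. The thresholds, record layouts and sample records are assumptions.

```python
"""Added example (not Microsoft's or the article's code): link a cloud
password spray to later PowerShell activity by the same account.
All records below are constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed cloud sign-in records: (timestamp, source_ip, account, result)
CLOUD_SIGNINS = [
    ("2019-03-04T01:00:05", "203.0.113.9", "alice", "fail"),
    ("2019-03-04T01:00:07", "203.0.113.9", "bob", "fail"),
    ("2019-03-04T01:00:09", "203.0.113.9", "carol", "fail"),
    ("2019-03-04T01:00:11", "203.0.113.9", "dave", "fail"),
    ("2019-03-04T01:00:13", "203.0.113.9", "erin", "fail"),
    ("2019-03-04T01:00:15", "203.0.113.9", "frank", "success"),
    ("2019-03-04T09:12:00", "198.51.100.4", "alice", "success"),  # routine
]
# Constructed endpoint process records: (timestamp, host, account, process)
ENDPOINT_EVENTS = [
    ("2019-03-04T09:15:00", "WS-003", "alice", "outlook.exe"),
    ("2019-03-05T14:30:00", "WS-017", "frank", "powershell.exe"),
]
def spray_sources(signins, min_accounts=5, window=timedelta(minutes=10)):
    """Sources whose failures hit >= min_accounts distinct accounts in one
    window: many accounts, few attempts each, is the spray signature."""
    by_src = defaultdict(list)
    for ts, src, acct, result in signins:
        if result == "fail":
            by_src[src].append((datetime.fromisoformat(ts), acct))
    flagged = {}
    for src, attempts in sorted(by_src.items()):
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            accts = {a for t, a in attempts[i:] if t - start <= window}
            if len(accts) >= min_accounts:
                flagged[src] = accts
                break
    return flagged

def linked_accounts(signins, endpoint, max_gap=timedelta(days=7), **kw):
    """Accounts that succeeded from a spraying source and then ran
    PowerShell on an endpoint within max_gap: (account, source_ip, host)."""
    sprays = spray_sources(signins, **kw)
    hits = []
    for ts, src, acct, result in signins:
        if result != "success" or src not in sprays:
            continue
        t0 = datetime.fromisoformat(ts)
        hits += [(acct, src, host) for ets, host, ea, proc in endpoint
                 if ea == acct and proc.lower() == "powershell.exe"
                 and t0 <= datetime.fromisoformat(ets) <= t0 + max_gap]
    return hits
```

With the sample data, the spray from 203.0.113.9 is flagged and the one account that succeeded from it is tied to the later PowerShell launch on WS-017, while alice's routine sign-in from another address produces no alert.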
“Corporate data is spread across multiple applications — on-premises and in the cloud — and accessed by users from anywhere using any device. With traditional surfaces expanding and network perimeters disappearing, novel attack scenarios and techniques are introduced,” Microsoft warned.