Security breach by known bad actor group
Another scary post on Halloween. Scary, that is, if you're not following security best practices.
This bad actor group exploits a timing gap in O365 Safe Links. They obtain a certificate for a site whose name looks legitimate, for example securemail.contoso.com, and then use it as quickly as they can. Since the cert is valid and it takes hours before any reputation information about the link is gathered, Safe Links treats it as a valid, trusted site.
This is the group and what they are doing: https://krebsonsecurity.com/tag/pcm/ Ultimately, they are just after money.
It is a known issue that 3-4% of all users click on every link they see. Thus even a "safe" link may not be completely safe. Once the group has access to a machine, they perform SAMR queries. From there they move laterally to other servers. Their goal is to find an account with elevated permissions. Finding a member server running Terminal Services is one key: usually many accounts log onto TS machines, including Domain Administrators (DA). Once on a member server they can do a password spray and eventually gain access as a DA. They also want to stay under the radar, with as little presence as possible, and using a DA account on a TS machine helps them avoid detection.
Once they have access to a DA account on premises, they check whether that same account, or another DA account, also has Global Administrator (GA) access to an O365 tenant. Once they gain GA access, the bad actors can set up rules, change roles, run e-Discovery searches, and perform many other tenant tasks. The sad part is that most customers don't monitor these changes; you should. When was the last time you looked to see if a new e-Discovery search was run?
One of the interesting options of being a GA is to set up a transport rule that does not require MFA, including setting a rogue, non-customer IP address. Consequently, all users are required to authenticate, without MFA, to an IP server of the bad actor's choosing. At this point additional accounts across the organization can be compromised. When was the last time you reviewed your transport rules?
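The two "when was the last time" questions above can be answered from the tenant's audit log. The Python below is an added example, not code from the original post: it flags e-Discovery search creation, transport rule changes and admin role changes in records shaped like simplified Unified Audit Log entries (the Operation values are the Exchange cmdlet names the log records), and raises the severity when a transport rule copies or redirects mail to an address outside the tenant. The sample records, the tenant domain contoso.example and the attacker.example address are constructed for the example.

```python
"""Flag tenant changes a compromised Global Administrator could make.

Added example; the records are constructed to resemble simplified Unified
Audit Log entries (CreationTime, Operation, UserId, Parameters). The field
names follow the real log; every value below is made up.
"""
import json

# Operations worth reviewing, with the reason shown to the analyst.
WATCHED_OPERATIONS = {
    "New-ComplianceSearch": "e-Discovery search created",
    "New-ComplianceSearchAction": "e-Discovery preview/export run",
    "New-TransportRule": "transport rule created",
    "Set-TransportRule": "transport rule modified",
    "Add-RoleGroupMember": "admin role membership changed",
}

# Assumption: the tenant's own accepted domains (constructed).
INTERNAL_DOMAINS = {"contoso.example"}

# Transport-rule parameters that deliver a copy of mail somewhere else.
FORWARDING_PARAMS = ("RedirectMessageTo", "BlindCopyTo", "CopyTo", "AddToRecipients")

# Constructed sample records, one JSON object per line (not real tenant data).
SAMPLE_AUDIT_JSONL = """\
{"CreationTime": "2019-10-31T02:14:09", "Operation": "New-ComplianceSearch", "UserId": "svc-admin@contoso.example", "Parameters": [{"Name": "Name", "Value": "all finance mailboxes"}, {"Name": "ExchangeLocation", "Value": "All"}]}
{"CreationTime": "2019-10-31T02:22:41", "Operation": "New-TransportRule", "UserId": "svc-admin@contoso.example", "Parameters": [{"Name": "Name", "Value": "Invoice copy"}, {"Name": "BlindCopyTo", "Value": "collector@attacker.example"}]}
{"CreationTime": "2019-10-31T09:05:12", "Operation": "Set-TransportRule", "UserId": "mailadmin@contoso.example", "Parameters": [{"Name": "Identity", "Value": "Legal hold"}, {"Name": "RedirectMessageTo", "Value": "legal@contoso.example"}]}
{"CreationTime": "2019-10-31T09:30:00", "Operation": "Set-Mailbox", "UserId": "mailadmin@contoso.example", "Parameters": [{"Name": "Identity", "Value": "jdoe"}]}
"""


def parse_records(text):
    """Parse newline-delimited JSON audit records into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def params_of(record):
    """Turn the log's list of {Name, Value} pairs into a plain dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def external_recipients(params):
    """Return forwarding targets whose domain is not one of ours."""
    found = []
    for key in FORWARDING_PARAMS:
        for addr in str(params.get(key, "")).split(","):
            addr = addr.strip().lower()
            if addr and addr.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS:
                found.append(addr)
    return found


def flag_records(records):
    """Return one finding per watched operation, in log order."""
    findings = []
    for rec in records:
        op = rec.get("Operation")
        if op not in WATCHED_OPERATIONS:
            continue
        finding = {
            "time": rec["CreationTime"],
            "actor": rec["UserId"],
            "operation": op,
            "why": WATCHED_OPERATIONS[op],
            "severity": "review",
        }
        external = external_recipients(params_of(rec))
        if external:
            # Mail leaving the tenant via a rule is the classic GA-abuse sign.
            finding["severity"] = "high"
            finding["why"] += "; mail copied to external recipient(s): " + ", ".join(external)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in flag_records(parse_records(SAMPLE_AUDIT_JSONL)):
        print(f"{f['time']}  {f['severity']:6}  {f['actor']:28}  {f['operation']}: {f['why']}")
```

To run it on real data, export the AuditData field of each Search-UnifiedAuditLog result as one JSON line per record and pass the text to parse_records; the two 02:00 findings from svc-admin, an account that normally has no business running e-Discovery, are the kind of entries the post says most customers never look at.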
Moral of the story: use as many security layers as you can, including:
- Secure privileged access
- Not allowing DA accounts to log onto non-DC machines
- Privileged Identity Management (PIM)
- Privileged Access Management (PAM), Just In Time Administration (JIT/JITA)
- Monitor e-Discovery scans
- Use Local Administrator Password Solution (LAPS)
- Just Enough Administration (JEA) process
- End user training on phishing and spamming exploits