
Exploiting Microsoft Cross-Tenant synchronization for persistent access


In a disturbing turn of events, cyber attackers are leveraging Microsoft Cross-Tenant Synchronization (CTS) functionality to gain persistent access to Microsoft cloud tenants and execute lateral movement attacks. While this technique does not exploit vulnerabilities, it capitalizes on the misuse of native Microsoft features to achieve malicious objectives. The attacker group known as Nobelium, previously linked to the SolarWinds attacks, has been identified as exploiting CTS functionalities to establish persistent access within compromised Microsoft tenants.

This threat vector involves abusing misconfigured CTS settings to infiltrate connected tenants and establish rogue trust relationships that grant unauthorized access. Though not yet observed in the wild, this technique’s potential impact is significant, as it aligns with historical attacker tactics that rely on native functionality rather than exploits.

Cross-Tenant Synchronization (CTS): A powerful, yet risky, feature
CTS is a novel Microsoft feature designed to enable seamless synchronization of users and groups from source tenants to target tenants. This mechanism facilitates automated collaboration between disparate tenants, making it particularly appealing for large organizations with multiple interconnected tenants.

However, this convenience comes at a cost – a poorly configured CTS setup can expose organizations to potential attacks, including reconnaissance, lateral movement, and persistence by malicious actors. It is essential to strike a balance between convenience and security when configuring CTS.

Lateral movement and backdoor attack scenarios
The attack scenarios associated with CTS abuse all start from the same precondition: an identity within the Microsoft cloud environment has already been compromised, and the attacker uses that identity's access to the tenant's CTS configuration.

  1. Lateral Movement: Attackers can leverage the compromised tenant’s CTS configuration to move laterally into another connected tenant. This technique abuses the outbound sync capability together with the automatic consent redemption setup of CTS, so synchronized accounts arrive in the target tenant without a user accepting an invitation.
  2. Backdoor Attack: In this scenario, attackers create a rogue Cross-Tenant Access (CTA) policy that enables them to maintain persistent access within the compromised tenant. By establishing a malicious CTA policy that trusts an attacker-controlled tenant, attackers can push unauthorized users into the victim tenant, granting them future access to its resources.

Defending against CTS exploitation
While this technique doesn’t target vulnerabilities, its impact can be devastating. Organizations must adopt robust security practices to mitigate the risks associated with CTS abuse. Recommendations include:

  • Configure CTS Policies: Implement carefully defined inbound CTA policies that restrict unauthorized access through CTS.
  • Conditional Access Policies: Combine CTA policies with conditional access policies to prevent unauthorized access.
  • Regulate Privileged Groups: Properly regulate and monitor groups allowed access through CTS, particularly those with privileged permissions.
  • Behavior Monitoring: Leverage AI-driven threat detection solutions to monitor for unusual behavior indicative of CTS exploitation.
  • Continuous Testing: Regularly test your environment’s security using tools like the MAAD-Attack Framework, which simulates various attack techniques.
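The two scenarios above and the first three recommendations come down to a handful of partner-policy settings. The following audit script is an added example, not Vectra’s code and not a Microsoft tool: it takes partner configuration records shaped like the objects Microsoft Graph returns for cross-tenant access policy partners (that shape is an assumption here, and the records and the approved-partner allowlist are constructed samples) and flags any partner tenant that is not on the allowlist, has inbound user sync enabled, auto-redeems inbound invitations, or allows all external users, which together is exactly what the backdoor scenario needs.

```python
from typing import Optional

# Constructed allowlist: the partner tenants this organization knowingly federates with.
APPROVED_PARTNERS = {"11111111-1111-1111-1111-111111111111"}

def allows_all_users(inbound: Optional[dict]) -> bool:
    """True when a b2bCollaborationInbound block grants access to every external user."""
    ug = (inbound or {}).get("usersAndGroups") or {}
    return ug.get("accessType") == "allowed" and any(
        t.get("target") == "AllUsers" for t in ug.get("targets", []))

def audit_partner(p: dict) -> list:
    """Findings for one partner configuration that match the rogue-CTA backdoor pattern."""
    tid = p.get("tenantId", "<unknown>")
    findings = []
    if tid not in APPROVED_PARTNERS:
        findings.append("partner tenant is not on the approved list")
    sync = p.get("identitySynchronization") or {}
    if (sync.get("userSyncInbound") or {}).get("isSyncAllowed"):
        findings.append("inbound user sync is allowed")
    if (p.get("automaticUserConsentSettings") or {}).get("inboundAllowed"):
        findings.append("inbound invitations are auto-redeemed without user consent")
    if allows_all_users(p.get("b2bCollaborationInbound")):
        findings.append("B2B collaboration inbound allows all users")
    return findings

def audit(partners: list) -> dict:
    """Map each partner tenantId that has at least one finding to its findings."""
    return {p["tenantId"]: f for p in partners if (f := audit_partner(p))}

# Constructed sample partners, shaped like Graph's partner configuration objects (assumed).
SAMPLE_PARTNERS = [
    {   # approved partner: sync off, invitations need consent, access scoped to one group
        "tenantId": "11111111-1111-1111-1111-111111111111",
        "automaticUserConsentSettings": {"inboundAllowed": False, "outboundAllowed": False},
        "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": False}},
        "b2bCollaborationInbound": {"usersAndGroups": {"accessType": "allowed",
            "targets": [{"target": "group-id-placeholder", "targetType": "group"}]}},
    },
    {   # unapproved partner configured the way the backdoor scenario requires
        "tenantId": "22222222-2222-2222-2222-222222222222",
        "automaticUserConsentSettings": {"inboundAllowed": True, "outboundAllowed": False},
        "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": True}},
        "b2bCollaborationInbound": {"usersAndGroups": {"accessType": "allowed",
            "targets": [{"target": "AllUsers", "targetType": "user"}]}},
    },
]
```

Feeding the script the live partner list and alerting on any new finding turns the "regulate and monitor" recommendation into a repeatable check.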

Vectra AI’s detection capabilities
Vectra AI’s advanced detection capabilities can provide crucial defense against CTS exploitation and other emerging threats. The platform’s AI-driven alerts are designed to detect privilege abuse scenarios, even without prior knowledge of specific attack techniques. Vectra’s Azure AD Privilege Operation Anomaly, combined with other detections, can identify behaviors indicative of compromised identities and unauthorized access.

Organizations can rest assured that Vectra AI’s comprehensive suite of threat detection tools offers protection against evolving threat techniques, enhancing security posture in today’s dynamic cyber landscape. Stay ahead of the curve by adopting robust security measures and leveraging cutting-edge threat detection solutions.
