Credit: REDPIXEL.PL/Shutterstock
Recent destructive attacks against organisations that masquerade as a ransomware operation called DarkBit are likely performed by an advanced persistent threat (APT) group that's affiliated with the Iranian government. During some of these operations the attackers didn't limit themselves to on-premises systems but jumped into victims' Azure AD environments where they deleted assets including entire server farms and storage accounts.
Researchers from Microsoft track this cluster of malicious activity under the temporary identifier DEV-1084, but they found strong links between it and resources and techniques used in the past by an Iranian APT group known in the security industry as MERCURY or MuddyWater. Last year, the US Cyber Command officially attributed MuddyWater to a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS).
"Microsoft assesses that MERCURY gains access to the targets through remote exploitation of an unpatched internet-facing device," the Microsoft researchers said in a report. "MERCURY then handed off access to DEV-1084. It is not currently clear if DEV-1084 operates independently of MERCURY and works with other Iranian actors or if DEV-1084 is an ‘effects based’ sub-team of MERCURY that only surfaces when MERCURY operators are instructed to carry out a destructive attack."
Extensive lateral movement through compromised networks
The attackers start by identifying internet-facing server and web applications that have unpatched remote code execution vulnerabilities, such as Log4Shell. After successful exploitation, they plant web shells on the servers that allow them to execute system commands remotely.
This is followed by the creation of local user accounts and elevating their privileges to administrator, the deployment of a PowerShell backdoor for persistence and Active Directory credentials theft and the deployment of remote access tools such as RPort, Ligolo, and eHorus. Once this foothold has been established, the attackers begin extensive network discovery and lateral movement, using the credentials they manage to progressively escalate their privileges and compromise more systems.
The goal is to eventually gain administrative access on domain controllers and use Group Policy Objects (GPO) to disable security tools and deploy a ransomware payload to as many systems as possible along with a scheduled task to execute it. This ransomware program leaves encrypted files with the extension DARKBIT and drops a ransom note.
Jumping into the cloud infrastructure
However, if the victim organisations run hybrid Windows domain environments that combine local AD with Azure AD, the attackers will try to move into the cloud infrastructure. In the incidents seen by Microsoft, the attackers abused the high-privileged accounts created by the Azure AD Connect agent. This is an on-premises application that allows organisations to keep their local and Azure AD environments in sync, with features such as password hash synchronisation for shared identities, pass-through authentication, objects synchronisation and more.
When this agent is installed, it creates several accounts in the local Windows Server Active Directory and cloud Azure AD environments with automatically generated long and complex passwords. One of these accounts is called the AD DS Connector Account and typically has powerful permissions including the ability to replicate directory changes, modify passwords, modify users and modify groups.
Another account is called the Azure AD Connector Account and is used by the synchronisation service to manage Azure AD objects. In an older solution called DirSync this account had the Global Administrator role on Azure AD, while in recent versions it has the Directory Synchronization Accounts role.
The attackers were seen compromising the system hosting the Azure AD Connect agent and then setting up a SSH tunnel on it that called back to an attacker-controlled device. The attackers then deployed the AADInternals tools, which have a feature called Get-AADIntSyncCredentials that allows local administrators to extract the plaintext credentials for both the Azure AD Connector account and the AD DS Connector account.
"Shortly before the ransomware deployment, we observed authentication from a known attacker IP address into the Azure AD Connector cloud account," the Microsoft researchers said. "Investigating this sign-in showed that the threat actors were able to access the account on the first attempt without any guessing or modification of the password, indicating that the actors possessed the password for this account. The Azure AD Connector account is configured with single-factor authentication, making it easier for the attacker to gain entry and elevate privileges."
The attackers also abused another compromised administrator account that did have multifactor authentication (MFA) enabled. However, they chose to access the account via Remote Desktop Protocol (RDP), which can be used to evade MFA. They used the Azure Privileged Identity Management (PIM) to claim the Global Administrator privileges for the account in Azure and then elevated its access to get permissions to the organization's Azure management groups and Azure subscriptions.
"The Azure AD Connector account and the compromised administrator account were then used to perform significant destruction of the Azure environment—deleting within a few hours server farms, virtual machines, storage accounts, and virtual networks," the Microsoft researchers said. "We assess that the attacker’s goal was to cause data loss and a denial of service (DoS) of the target’s services."
Separately, the attackers used their access to give the legitimate Exchange Web Services app the full_access_as_app permission in the account, which gave it full access to all mailboxes. They then issued new certificates that allowed them to issue access tokens and authenticate to cloud resources as the Exchange application. This access to the API was then used to access many mailboxes and perform thousands of search activities in them, likely with the goal of identifying and copying sensitive data.
The attackers also gave the Azure AD Connector account the SMTP Send on behalf permission to allow it to send email as one of the organization's high-ranking employees. They then proceeded to send both internal and external emails impersonating the employee.
Microsoft advises organisations to follow the Azure Identity Management and access control security best practices and to enable Conditional Access and continuous access evaluation (CAE) policies. Conditional access allows organisations to enforce device compliance and trusted IP requirements for account access in addition to MFA, while CAE evaluates in real time changes to user conditions that could trigger security risks.
