Attackers are targeting Microsoft identities to gain access to Microsoft applications and SaaS applications. Nobelium, the group behind the SolarWinds attacks, has been using native functionality like Federated Trusts to maintain persistent access to Microsoft tenants. This article explores another native functionality that allows attackers to gain access to connected tenants or deploy a rogue configuration for persistence. While this technique has not been observed in the wild, Vectra AI provides details for defenders to understand the attack and how to monitor for it. Vectra AI's customers already have coverage and detection capabilities for this technique.
Cross-Tenant Synchronization (CTS) is a feature that allows organizations to synchronize users and groups from other tenants and grant them access to resources in the target tenant. It is a useful feature but can also be exploited for reconnaissance, lateral movement, and persistence attacks if not configured properly. This article explains the potential risks and attack paths that adversaries can leverage to abuse CTS.
The attack techniques described in this article require certain licenses and a privileged account compromise or privilege escalation in the compromised tenant. An attacker can use CTS to move laterally from one tenant to another connected tenant or deploy a rogue CTS configuration as a backdoor for persistent access.
To defend against these attacks, target tenants should avoid implementing a default inbound CTS configuration and deploy a less inclusive configuration that explicitly defines the accounts or groups allowed to access resources via CTS. Source tenants should regulate and monitor the groups allowed to access other tenants via CTS. Vectra AI's AI-driven detections can detect and respond to these privilege abuse scenarios.
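A defender-side check for the recommendation above, added here as an example and not Vectra AI's code: it walks an exported list of cross-tenant partner policies and flags partners whose inbound sync is enabled together with automatic invitation redemption or an AllUsers scope instead of an explicit user/group list. The JSON shape and field names (identitySynchronization, automaticUserConsentSettings, b2bCollaborationInbound) are assumed from Microsoft Graph's crossTenantAccessPolicy resource, and the sample data is constructed.

```python
"""Flag Entra ID cross-tenant partner policies whose inbound CTS settings are
broader than an explicit allow-list (added example, not Vectra AI's code)."""
import json

# Constructed sample in the shape of Microsoft Graph's
# /policies/crossTenantAccessPolicy/partners response. The field names below
# are assumed from that resource; verify them against your own export.
SAMPLE_PARTNERS = json.loads("""[
 {"tenantId": "aaaaaaaa-0000-0000-0000-000000000001",
  "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": true}},
  "automaticUserConsentSettings": {"inboundAllowed": true},
  "b2bCollaborationInbound": {"usersAndGroups": {"accessType": "allowed",
    "targets": [{"target": "AllUsers", "targetType": "user"}]}}},
 {"tenantId": "aaaaaaaa-0000-0000-0000-000000000002",
  "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": true}},
  "automaticUserConsentSettings": {"inboundAllowed": false},
  "b2bCollaborationInbound": {"usersAndGroups": {"accessType": "allowed",
    "targets": [{"target": "bbbbbbbb-0000-0000-0000-000000000099",
                 "targetType": "group"}]}}},
 {"tenantId": "aaaaaaaa-0000-0000-0000-000000000003",
  "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": false}}}
]""")


def audit_partners(partners):
    """Return {tenantId: [issues]} for every partner allowed to sync users
    inbound. An empty issue list means the partner is scoped to an explicit
    allow-list with manual invitation redemption, the posture recommended above."""
    report = {}
    for p in partners:
        sync = (p.get("identitySynchronization") or {}).get("userSyncInbound") or {}
        if not sync.get("isSyncAllowed"):
            continue  # inbound sync disabled: this partner cannot push users in
        issues = []
        if (p.get("automaticUserConsentSettings") or {}).get("inboundAllowed"):
            issues.append("automatic redemption of inbound invitations enabled")
        ug = (p.get("b2bCollaborationInbound") or {}).get("usersAndGroups") or {}
        targets = {t.get("target") for t in ug.get("targets", [])}
        # Missing settings inherit the tenant default, and AllUsers is the default
        # inbound scope; either way the synced population is not an explicit list.
        if ug.get("accessType") != "allowed" or "AllUsers" in targets or not targets:
            issues.append("inbound scope is not an explicit user/group allow-list")
        report[p["tenantId"]] = issues
    return report


if __name__ == "__main__":
    for tenant, issues in audit_partners(SAMPLE_PARTNERS).items():
        print(tenant, "OK" if not issues else "; ".join(issues))
```

Point the script at a real export of your partner policies and review every partner that is not reported as OK, together with the groups your source tenant assigns to the outbound side of each CTS configuration.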
In summary, attackers are targeting Microsoft identities to gain access to connected Microsoft applications and SaaS applications. They are using native functionality like Federated Trusts and misconfigured CTS configurations for persistence and lateral movement. Organizations can defend against these attacks by implementing proper configurations and monitoring, and Vectra AI provides detection capabilities for these techniques.