A flaw was discovered in Microsoft Azure Directory Domain Services that affected organizations that used Office 365, had an on-premises Active Directory and installed the Azure AD Connect service using the default -- Express -- installation.
When installing Azure AD Connect with the default settings, a service account called MSOL is created to sync the on-premises AD with the cloud AD. This account requires a selection of administrator rights to perform this function, but it is placed into the Built-In Users group, which is subject to less control than full administrator accounts. Unlike full administrator accounts, it is not protected by AdminSDHolder.
This means users with sufficient rights to change passwords for domain users -- such as help desk employees -- can change the password of the MSOL account. Because the MSOL account has the right to replicate the domain, whoever controls it can run many administrator-level operations, such as requesting the password hashes of all the Domain Admins. Once a user knows the password hash of a Domain Admin, specialist tools can use that hash in the same manner as a password to gain full Domain Admin rights.
Mitigations for the Azure AD Connect vulnerability
The Azure AD Connect vulnerability has been fixed by a PowerShell script provided by Microsoft, which automatically applies the suggested permission changes for the MSOL account. The script has to be run manually on existing installations. Going forward, versions 1.1.654.0 and later are not vulnerable.
The Azure AD Connect vulnerability should also be taken in context: it can be exploited only by a malicious insider who wants to escalate privileges, or by an attacker already on the network who uses the vulnerable account as a gateway to higher privileges.
However, privilege escalation is a key part of compromising a domain, so this is a serious flaw in Azure, and the PowerShell script should be run immediately if your Azure deployment is affected. To determine whether the Azure AD Connect vulnerability has already been exploited, look at your MSOL account and check that the most recent password change date is as expected.
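The check described above, written out as an added PowerShell example (this is not the article's or Microsoft's script): it lists each MSOL_* sync account with its password-last-set date and AdminSDHolder status, reports whether the account holds replication rights on the domain head, and pulls password-reset events (ID 4724) for it from the Security log. It assumes the ActiveDirectory RSAT module, that it runs on a domain controller with rights to read the domain ACL and Security log, and that the 4724 event's SubjectUserName sits at property index 4.

```powershell
# Added example, not from the article: audit the Azure AD Connect MSOL_* sync account.
# Assumes the ActiveDirectory module and that this runs on a domain controller.
Import-Module ActiveDirectory

# Well-known control-access right GUIDs for "Replicating Directory Changes" (and "... All").
$ReplGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',   # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'    # DS-Replication-Get-Changes-All
)

$domainDn = (Get-ADDomain).DistinguishedName
$acl      = Get-Acl -Path "AD:\$domainDn"

# The Express install names the sync account MSOL_<hex>; adjust the filter if yours differs.
$msolAccounts = Get-ADUser -Filter 'SamAccountName -like "MSOL_*"' `
    -Properties PasswordLastSet, adminCount, whenCreated, MemberOf

foreach ($acct in $msolAccounts) {
    # adminCount = 1 means AdminSDHolder protects the object; for MSOL_* it normally does not.
    $protected = ($acct.adminCount -eq 1)

    # Does this account hold replication rights on the domain head?
    $replAces = $acl.Access | Where-Object {
        $_.IdentityReference -like "*\$($acct.SamAccountName)" -and
        ($ReplGuids -contains $_.ObjectType.ToString())
    }

    [pscustomobject]@{
        Account           = $acct.SamAccountName
        Created           = $acct.whenCreated
        PasswordLastSet   = $acct.PasswordLastSet   # compare with the install / last rotation date
        AdminSDHolder     = $protected
        ReplicationRights = [bool]$replAces
    }

    # Security log evidence of a password reset against this account (event 4724, per DC).
    # Assumption: Properties[4] is SubjectUserName (the actor) in the 4724 event layout.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4724 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($acct.SamAccountName) } |
        Select-Object TimeCreated, @{ n = 'Actor'; e = { $_.Properties[4].Value } }
}
```

Run it against every domain controller (or forward their Security logs centrally), since a reset is logged only on the DC that processed it.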
What this means
This Azure AD Connect vulnerability highlights the need for organizations to have the tools and expertise to monitor account usage and the rights granted to AD users.
Once an attacker has compromised the external defenses of the organization and is on the internal network, their next goal is privilege escalation, because it enables them to discover and exfiltrate sensitive data. Without an understanding of the organization's existing AD accounts and privileges, or the ability to monitor those accounts, it is highly unlikely that the organization would be able to detect or prevent an attacker from escalating their privileges.
In the context of cloud infrastructure, this vulnerability demonstrates that issues affecting on-premises networks can be replicated in the cloud.
It also highlights that an organization's use of an infrastructure-as-a-service (IaaS) platform, such as Azure or AWS, does not mean the IT team can afford to delegate security entirely to the provider. The organization still needs to take responsibility for its cybersecurity and view IaaS as an aid to this process rather than a universal solution.