Hackers could use OneDrive permissions to read company documents
With more companies relying on off-prem assets for data management, the price of cloud environment misconfiguration can become too much to bear.
With 92% of companies storing at least some of their IT environment in the cloud, securing off-prem digital assets has become crucial.
Malicious actors have noticed the pandemic-spurred move to the cloud: research shows that as much as 79% of companies have experienced cloud data breaches in the last 18 months, with 43% suffering from ten cloud-based intrusion attempts.
Even major cloud providers with lavish safety budgets are not immune to exploits.
For example, Microsoft recently announced that over 140 resellers and service providers had been targeted by the Russian nation-state actor Nobelium through the Azure cloud services.
That came as something of a shock to the cyber security community, since the same hacker group was responsible for the infamous SolarWinds hack. It appears the cloud has become an attractive attack vector for threat actors.
According to Zur Ulianitsky, head of security research at XM Cyber, hackers can abuse Microsoft Azure configuration to their advantage even if the original purpose of the functionality is not flawed.
"It's not the vulnerability in Microsoft services. It's actually a feature that Microsoft provides you with. They give you the option to get access to all of your OneDrive, for example, and there are many good reasons to have that functionality," Ulianitsky told CyberNews.
Feature, not a bug
Ulianitsky explained that once new employees join an organization, they might be added to a 'group permission' within the Azure Active Directory tenancy.
On its own, that's nothing to be concerned about, and it benefits the organization since group permissions can be role-specific.
However, Ulianitsky noted that if threat actors took over an account that has permission to change a specific group's owners or add group members, they could exploit the group permission feature to achieve on-prem domain compromise.
"This has a huge impact because all of the sensitive resources are being managed in that subscription. You have all the databases, the virtual machines, and Kubernetes clusters," Ulianitsky said.
According to Ulianitsky, several permissions could allow a malign actor to gain access to all OneDrive directories that belong to an organization.
Overly generous access permissions could even lead to an attacker taking hold of victims' Office 365 services. That could be a devastating blow to any business, as documentation can reveal sensitive data.
Multi-factor authentication (MFA), which asks users to verify their access through a unique code sent to their mobile device or email, could provide a simple solution to prevent such attacks.
According to Ulianitsky, small companies are particularly vulnerable as they may often opt to give administrative cloud permissions to all employees, not understanding the risks involved.
"For example, Microsoft recommends that you configure only five global administrators. But if we are talking about a small company, where people don't really know Azure, and everyone is doing everything, all of the employees might get administrative permissions," Ulianitsky told CyberNews.
Malicious actors need to compromise only a single account, which, in theory, would allow them to create a new application with access to all of the company's OneDrive directories.
The latest 'Threat Horizon' report from Google shows that 86% of the latest attempts to hack Google Cloud Platform (GCP) were made to perform cryptocurrency mining.
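A defender can check for the conditions described above with a short audit over a tenant inventory. The following is an added example, not code from the article or from XM Cyber: the inventory format and its field names are hypothetical and the sample data is constructed, while the permission names are Microsoft Graph application permissions.

```python
GLOBAL_ADMIN_LIMIT = 5  # the figure quoted in the article

# Microsoft Graph application permissions that reach every user's files.
TENANT_WIDE_FILE_PERMS = {
    "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All", "Sites.FullControl.All",
}

def audit(inv):
    """Return a list of finding tuples for a tenant inventory dict."""
    findings = []
    users = inv["users"]
    admins = [u for u in users if "Global Administrator" in u["roles"]]
    if len(admins) > GLOBAL_ADMIN_LIMIT:
        findings.append(("too_many_global_admins", len(admins)))
    # Any account holding a directory role should have MFA enforced.
    privileged = {u["upn"] for u in users if u["roles"]}
    for u in users:
        if u["roles"] and not u["mfa_enabled"]:
            findings.append(("privileged_without_mfa", u["upn"]))
    # Applications whose own (app-only) permissions cover all OneDrive content.
    for app in inv["apps"]:
        broad = sorted(TENANT_WIDE_FILE_PERMS & set(app["app_permissions"]))
        if broad:
            findings.append(("app_reads_all_files", app["name"], broad))
    # Whoever owns a role-granting group can add members to it, so an
    # unprivileged owner is an escalation path if that account is taken over.
    for g in inv["groups"]:
        if g["grants_roles"]:
            for owner in g["owners"]:
                if owner not in privileged:
                    findings.append(("unprivileged_group_owner", g["name"], owner))
    return findings

# Constructed sample inventory (hypothetical export format, not real data).
SAMPLE = {
    "users": [{"upn": f"user{i}@example.test", "roles": ["Global Administrator"],
               "mfa_enabled": i != 3} for i in range(1, 7)]
             + [{"upn": "intern@example.test", "roles": [], "mfa_enabled": False}],
    "apps": [{"name": "backup-sync", "app_permissions": ["Files.Read.All", "User.Read.All"]},
             {"name": "calendar-bot", "app_permissions": ["Calendars.Read"]}],
    "groups": [{"name": "sub-owners", "grants_roles": True,
                "owners": ["intern@example.test"]}],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```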
According to Google, crypto mining software was downloaded within a whopping 22 seconds after an account was compromised.
The report claims that in most cases (75%), poor customer security practices or vulnerable third-party software allowed threat actors to access the cloud.
A weak or no password for user accounts was the most common reason (48%) hackers were able to exploit cloud services.
According to the report, a vulnerability in third-party software in the cloud was exploited in 26% of cases. Misconfiguration of the cloud accounted for 12% of exploits.