The NJCCIC was recently notified of a cyber incident in which a threat actor compromised a user’s account credentials by targeting the Password Hash Synchronization (PHS) sign-in method. Azure AD (now Microsoft Entra ID) uses PHS to validate credentials and authenticate users without requiring a separate identity provider (IdP) such as AD FS. When PHS is enabled, Azure AD Connect uses the Active Directory replication protocol to retrieve the NT password hash of every synced user from a domain controller; the hash is then salted, rehashed, and synced to Azure AD. PHS is enabled by default in the express setup, and even when another method such as federation or pass-through authentication is primary, Microsoft recommends keeping PHS enabled so it can serve as a backup sign-in method during an on-premises server outage. In a PHS attack, the threat actor abuses PHS and the functionality of the Azure AD Connect server, often by intercepting the connector account credentials via a man-in-the-middle attack or by injecting malicious code directly into the PHS process, allowing them to extract domain users’ NT hashes. The NT hash retrieved from the domain controller, unlike the salted value that is sent to the cloud, can be used directly for pass-the-hash and offline cracking.
In the recent incident, after compromising the account, the threat actor registered a new device (a new computer name) to the account and added an alternate phone number as the account’s multi-factor authentication (MFA) method. Within a few hours of gaining access to the compromised account, the threat actor sent nearly 800 phishing emails to both internal and external recipients. These emails were likely intended to compromise additional user accounts for follow-on activity; threat actors often compromise user accounts before launching ransomware attacks.
Recommendations
Ensure user accounts require MFA, favoring authentication apps and hardware tokens over SMS-based codes. As advised by Microsoft, treat the Azure AD Connect server as a Tier 0 asset. Implement network segmentation to reduce the impact of a network compromise. Monitor for man-in-the-middle attacks and for atypical network and account behavior, including MFA method changes, new device registrations, and unusual outbound email volume. Follow the principle of least privilege to reduce the number of accounts with unnecessary access. When an account is compromised, revoke its session tokens, remove MFA methods and devices the account holder does not recognize, and shorten the lifetime of valid session tokens. Review additional technical analysis in the Sygnia blog post.
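The post-compromise chain from the incident (MFA method added, device registered, then a burst of outbound mail) and the monitoring recommendation above can be turned into one correlation rule. The following is an added example, not code from the NJCCIC or Sygnia; the event schema is a simplified stand-in for Entra ID audit log activity names and Exchange message-trace records, and every log line below is constructed for the example.

```python
"""Correlate MFA registration, device registration, and outbound mail rate
per user. Constructed events; schema is a simplified stand-in for Entra ID
audit logs and Exchange message trace, not a real export format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Tunables an operator would set from the tenant's baseline (assumptions).
WINDOW = timedelta(hours=24)        # max span from MFA change to mail burst
BURST_WINDOW = timedelta(hours=1)   # sliding window for the mail-rate check
BURST_THRESHOLD = 200               # outbound messages per BURST_WINDOW

MFA_CHANGE = "User registered security info"   # Entra audit activity name
DEVICE_REG = "Register device"                 # Entra audit activity name
MAIL_SENT = "Send"                             # message-trace style event


def parse(ts):
    return datetime.fromisoformat(ts)


def mail_burst(times, threshold, window):
    """Return the time at which `threshold` messages fell inside one sliding
    `window`, or None if the account never reached that rate."""
    times = sorted(times)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return t
    return None


def detect(events, threshold=BURST_THRESHOLD):
    """One alert per user whose events form the full chain: MFA method
    change, then a device registration and a mail burst within WINDOW."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse(e["time"]))
        mfa = [parse(e["time"]) for e in evs if e["activity"] == MFA_CHANGE]
        if not mfa:
            continue
        t0 = mfa[0]
        in_window = [e for e in evs if t0 <= parse(e["time"]) <= t0 + WINDOW]
        device = next((e for e in in_window if e["activity"] == DEVICE_REG), None)
        burst_at = mail_burst(
            [parse(e["time"]) for e in in_window if e["activity"] == MAIL_SENT],
            threshold, BURST_WINDOW)
        if device and burst_at:
            alerts.append({
                "user": user,
                "mfa_changed": t0.isoformat(),
                "device": device.get("detail"),
                "burst_at": burst_at.isoformat(),
            })
    return alerts


def sample_events():
    """Constructed sample: one compromised account that follows the chain,
    and one benign user who also changed an MFA method but behaves normally."""
    base = datetime(2023, 6, 1, 8, 0, 0)
    evs = [
        {"time": base.isoformat(), "user": "victim@example.org",
         "activity": MFA_CHANGE, "detail": "phone +1-555-0100"},
        {"time": (base + timedelta(minutes=9)).isoformat(),
         "user": "victim@example.org", "activity": DEVICE_REG,
         "detail": "DESKTOP-ATTACKER"},
        {"time": base.isoformat(), "user": "alice@example.org",
         "activity": MFA_CHANGE, "detail": "authenticator app"},
    ]
    # Victim: 800 messages starting two hours later, one every 13 seconds.
    for i in range(800):
        evs.append({"time": (base + timedelta(hours=2, seconds=13 * i)).isoformat(),
                    "user": "victim@example.org", "activity": MAIL_SENT,
                    "detail": f"rcpt{i}@external.example"})
    # Alice: a dozen messages spread across the day, no device registration.
    for i in range(12):
        evs.append({"time": (base + timedelta(minutes=30 * i)).isoformat(),
                    "user": "alice@example.org", "activity": MAIL_SENT,
                    "detail": "colleague@example.org"})
    return evs


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

Requiring all three signals keeps the rule quiet for a user who legitimately enrolls a new phone, while the sliding window catches the burst regardless of where in the hour it starts; the thresholds are assumptions and should be tuned to the tenant's normal sending volume.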