CyberSecurity SEE

Caution: Azure AD cross-tenant synchronization policies that are excessively permissive

A new lateral movement technique called Cross-Tenant Sync (CTS) has been identified as a potential security risk for Azure AD Premium P1 or P2 license holders. CTS allows attackers to abuse privileged credentials within a tenant to gain unauthorized access to other tenants.

To successfully carry out an attack using CTS, the attacker must first have access to an account with security administrator, hybrid identity administrator, or cloud admin/application admin roles. These roles provide the necessary privileges to configure cross-tenant access policies and modify cross-tenant synchronization configurations.

In a proof-of-concept attack conducted by Vectra AI, it was assumed that the target tenant already had cross-tenant access policies configured. The attacker utilized an admin command shell to list all the tenants with which the current tenant had access policies. By reviewing these policies, the attacker could identify a tenant that had an outbound policy, indicating that the current tenant synced users into that target tenant.

The next step for the attacker was to locate the ID of the application responsible for the synchronization within the compromised tenant, so its configuration could be modified. Vectra researchers developed a PowerShell script to automate this process. However, finding the sync application linked to the target tenant was not a straightforward task. The attacker had to iterate through service principals in the tenant to validate credentials with the target tenant and ultimately find the application hosting the sync job.

Once the sync application was identified, the attacker had two options. They could either add the compromised account they already had credentials for to the sync scope or review the application’s sync scope to determine if a specific group’s users were being synchronized into the target tenant. If the latter was the case, the attacker could attempt to add their compromised user to that group, either directly or indirectly.

Aside from facilitating lateral movement, CTS can also be exploited as a backdoor to maintain persistence within a compromised tenant. The attacker could create an inbound cross-tenant access policy in the victim tenant, allowing an external tenant under their control to sync users into it. With the “automatic user consent” option enabled, synced users are not prompted for consent, which gives the attacker a persistent means of control over the compromised tenant.
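The defensive counterpart to the two abuses described above (an outbound policy that syncs this tenant's users into a partner, and an inbound policy with automatic consent that lets a foreign tenant sync users in) is a periodic audit of the partner configuration. The following is an added example, not code from the article or from Vectra AI. It assumes the record shape returned by Microsoft Graph for `GET /policies/crossTenantAccessPolicy/partners` (`tenantId`, `automaticUserConsentSettings.inboundAllowed`/`outboundAllowed`) and for `.../partners/{tenantId}/identitySynchronization` (`userSyncInbound.isSyncAllowed`); the partner records and the approved-partner list are constructed sample data, and `APPROVED_PARTNERS` is a hypothetical allow-list an organization would maintain itself.

```python
"""Audit cross-tenant access partner settings for the CTS abuse patterns.

Added example, not from the article or Vectra AI. Assumes the Microsoft
Graph field names noted in the lead-in; all tenant IDs and the allow-list
below are constructed for illustration.
"""
from dataclasses import dataclass

TENANT_A = "11111111-1111-1111-1111-111111111111"  # constructed
TENANT_B = "22222222-2222-2222-2222-222222222222"  # constructed
TENANT_C = "33333333-3333-3333-3333-333333333333"  # constructed

# Constructed sample: one record per partner, as /partners would return them.
PARTNERS = [
    {"tenantId": TENANT_A,
     "automaticUserConsentSettings": {"inboundAllowed": False, "outboundAllowed": True}},
    {"tenantId": TENANT_B,
     "automaticUserConsentSettings": {"inboundAllowed": True, "outboundAllowed": False}},
    {"tenantId": TENANT_C,
     "automaticUserConsentSettings": {"inboundAllowed": True, "outboundAllowed": True}},
]

# Constructed sample: the identitySynchronization object per partner tenant.
SYNC_BY_TENANT = {
    TENANT_A: {"userSyncInbound": {"isSyncAllowed": False}},
    TENANT_B: {"userSyncInbound": {"isSyncAllowed": True}},
    TENANT_C: {"userSyncInbound": {"isSyncAllowed": True}},
}

# Hypothetical allow-list of tenants the organization has agreed to sync with.
APPROVED_PARTNERS = {TENANT_A, TENANT_B}


@dataclass(frozen=True)
class Finding:
    tenant_id: str
    severity: str   # "high", "medium" or "info"
    reason: str


def audit_partners(partners, sync_by_tenant, approved):
    """Return findings for every partner whose settings match a CTS risk pattern."""
    findings = []
    for partner in partners:
        tid = partner["tenantId"]
        consent = partner.get("automaticUserConsentSettings") or {}
        sync = (sync_by_tenant.get(tid) or {}).get("userSyncInbound") or {}
        inbound_sync = bool(sync.get("isSyncAllowed"))
        auto_inbound = bool(consent.get("inboundAllowed"))
        auto_outbound = bool(consent.get("outboundAllowed"))

        # A partner nobody approved is the first thing to investigate.
        if tid not in approved:
            findings.append(Finding(tid, "high", "partner tenant not on the approved list"))

        # Inbound sync plus automatic consent is exactly the persistence setup
        # the article describes: a foreign tenant provisions users without prompts.
        if inbound_sync and auto_inbound:
            findings.append(Finding(tid, "high",
                                    "inbound user sync allowed with automatic consent (backdoor pattern)"))
        elif inbound_sync:
            findings.append(Finding(tid, "medium",
                                    "inbound user sync allowed; users still prompted for consent"))

        # Outbound automatic consent marks a tenant we provision users into;
        # the sync scope (which groups) for that partner deserves review.
        if auto_outbound:
            findings.append(Finding(tid, "info",
                                    "outbound automatic consent enabled; review the sync scope for this partner"))
    return findings


def summarize_by_severity(findings):
    """Count findings per severity so a report can be checked at a glance."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in audit_partners(PARTNERS, SYNC_BY_TENANT, APPROVED_PARTNERS):
        print(f"[{f.severity.upper():6}] {f.tenant_id}: {f.reason}")
    print(summarize_by_severity(audit_partners(PARTNERS, SYNC_BY_TENANT, APPROVED_PARTNERS)))
```

In production the two dictionaries would be filled from the Graph endpoints named above (the Microsoft.Graph PowerShell module or any Graph client), and the allow-list from the organization's own change records; the audit is then a comparison of live configuration against approved state, which is the "regular review of access policies" the article recommends, made concrete.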

In conclusion, CTS is a lateral movement technique that leverages privileged credentials to gain unauthorized access to other tenants. It highlights the importance of implementing strong access control measures and regularly reviewing and updating access policies to mitigate the risk of such attacks. Additionally, organizations should ensure that they have robust monitoring and detection systems in place to identify and respond to suspicious activities associated with CTS.
