Microsoft's Azure AD Kerberos, the cloud-hosted implementation of Kerberos authentication within its Azure Active Directory identity and access management (IAM) platform, can be attacked with techniques closely resembling those used against on-premises Kerberos servers (the domain controllers of an Active Directory domain).
Kerberos is a widely used authentication protocol in which users and devices prove their identity with symmetric-key cryptography mediated by a trusted key distribution center (KDC); it underpins modern conveniences such as single sign-on (SSO). Because Kerberos is the default authentication mechanism in many enterprises, attackers have long sought to compromise or bypass its authentication servers with identity attacks that impersonate legitimate users.
In the on-premises world, two common identity attacks are Pass the Ticket and Silver Ticket: the first lets an attacker reuse a Kerberos ticket stolen from a compromised machine, the second lets an attacker forge a service ticket outright using a service account's stolen key, and either way the attacker can then authenticate to enterprise services as someone else. Both techniques continue to work to some degree against the cloud version of the Kerberos authentication server, according to cybersecurity firm Silverfort, which dubbed the cloud-based iterations of the attacks Bounce the Ticket and Silver Iodide.
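The following toy model, added here as an illustration and not code from the article or from Silverfort's research, shows the design property both attacks exploit: a Kerberized service validates a ticket using only its own long-term key and never asks the KDC, so a ticket that was stolen (Pass the Ticket) or forged with that key (Silver Ticket) is indistinguishable from a legitimate one. The model is deliberately simplified: a ticket is a JSON body sealed with an HMAC under the service key in place of real Kerberos encryption, the session key and client authenticator are omitted, and the service principal name, user names, lifetime and clock values are made-up assumptions.

```python
"""Toy model of Kerberos service tickets (illustrative, not real Kerberos).

Assumptions made for the example: a ticket is {body, mac} where mac is an
HMAC-SHA256 over the body under the service's long-term key; session keys
and authenticators are left out; names, SPN and lifetime are hypothetical.
"""
import hashlib
import hmac
import json
import os

TICKET_LIFETIME = 600  # seconds; assumed value for the toy model
SPN = "cifs/files.example.com"  # hypothetical service principal name


def _seal(service_key: bytes, body: dict) -> dict:
    """Bind the ticket body to the service key. Only a holder of that key can
    produce a valid MAC, and that is the only thing the service trusts."""
    raw = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(service_key, raw, hashlib.sha256).hexdigest()}


class ToyKDC:
    """Key distribution center: holds every service's long-term key."""

    def __init__(self, service_keys: dict):
        self.service_keys = service_keys  # {spn: key}

    def issue_service_ticket(self, client: str, spn: str, now: int) -> dict:
        body = {"client": client, "spn": spn,
                "issued": now, "expires": now + TICKET_LIFETIME}
        return _seal(self.service_keys[spn], body)


class ToyService:
    """A Kerberized service: knows only its own key and never calls the KDC."""

    def __init__(self, spn: str, key: bytes):
        self.spn, self.key = spn, key

    def accept(self, ticket: dict, now: int) -> bool:
        body = ticket["body"]
        raw = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(self.key, raw, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, ticket["mac"]):
            return False  # not sealed with this service's key
        if body["spn"] != self.spn:
            return False  # ticket issued for a different service
        return body["issued"] <= now < body["expires"]  # lifetime check only


def pass_the_ticket(stolen_ticket: dict) -> dict:
    """Pass the Ticket: replay a ticket lifted from a victim's session, unchanged.
    Nothing in the ticket binds it to the host that presents it."""
    return stolen_ticket


def silver_ticket(stolen_service_key: bytes, spn: str, impersonate: str, now: int) -> dict:
    """Silver Ticket: forge a ticket offline with the service's stolen key.
    The KDC is never involved, so it can neither log nor refuse the issuance."""
    body = {"client": impersonate, "spn": spn,
            "issued": now, "expires": now + TICKET_LIFETIME}
    return _seal(stolen_service_key, body)


def run_scenarios() -> dict:
    """Run the legitimate path and both attacks; return accept/reject per case."""
    file_key = os.urandom(32)  # the file service's long-term key
    kdc = ToyKDC({SPN: file_key})
    files = ToyService(SPN, file_key)
    t0 = 1_700_000_000  # fixed clock so results are reproducible

    legit = kdc.issue_service_ticket("alice", SPN, t0)
    forged = silver_ticket(file_key, SPN, "domain-admin", t0)
    wrong_key = silver_ticket(os.urandom(32), SPN, "domain-admin", t0)

    return {
        "legit_alice": files.accept(legit, t0 + 10),
        "pass_the_ticket_replayed_later": files.accept(pass_the_ticket(legit), t0 + 300),
        "pass_the_ticket_after_expiry": files.accept(pass_the_ticket(legit), t0 + TICKET_LIFETIME + 1),
        "silver_ticket_with_service_key": files.accept(forged, t0 + 10),
        "silver_ticket_without_service_key": files.accept(wrong_key, t0 + 10),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:36s} -> {'ACCEPTED' if ok else 'rejected'}")
```

The two rejected cases show the only defences the service itself applies in this model: ticket lifetime, and possession of the correct service key. Everything else (who the ticket names, where it is presented from) is taken on faith, which is why the mitigations have to come from elsewhere: short ticket lifetimes, protecting service account keys, and monitoring for tickets the KDC never issued.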
"Identity attacks that have existed for some time are still a risk as organizations move into the cloud," says Dor Segal, senior security researcher at the firm. "Azure AD Kerberos is a new implementation but not a new protocol. Security teams need to be aware of this fact and put appropriate mitigations in place."