Microsoft Reports New Attack Using Azure AD Connect>
Practical 365 – Paul Robichaux
Important to Check Azure AD Tenants to Remove Possibility of Compromise by MERCURY Attack First, a brief refresher is in order. When you install Azure AD Connect, it creates two privileged accounts: one for connecting to the cloud (the âAzure AD connector accountâ) and one for connecting to the on-prem AD (the âAD DS connector accountâ). Both accounts are created with a long, complex password, which the administrator doesnât have direct access to. However, an account that has local admin privileges on the machine running Azure AD Connect will have access to the in-memory credentials for both of these accounts.

Microsoft says that the threat actors used the AADInternals tool to steal the credentials for the Azure AD Connector account. They verified these credentials by logging directly into the Azure AD connector account in the cloud. Microsoft says that they âobserved authentication from a known attacker IP addressâ on this account, meaning that the attacker was able to verify that the credentials worked without leaving any of the telltale footprints of a password-spray attack.

Thatâs not the bad part, though. As you may remember, the DirSync tool, the predecessor of Azure AD Connect, required that its service account have Global Administrator rights. If you installed DirSync and then updated to Azure AD Connect, that service account will still have the same rights. In this case, the attacker compromised an account that gave them an unlimited run of Azure AD.
Link: https://practical365.com/mercury-attack-april-2023/