New Research Details Bounce The Ticket And Silver Iodide Attacks In Azure AD

Silverfort research has found adversaries could attack the new Microsoft Azure AD Kerberos authentication protocol to move laterally around hybrid environments.

Made generally available in August 2022 to enable cloud authentication for IaaS workloads such as servers and file shares, the new protocol is exposed to two new techniques that evolve the long-standing Silver Ticket and Pass the Ticket attacks – both of which are already widely used by threat actors to move laterally.

The new version of Pass the Ticket, called Bounce the Ticket, allows an attacker to steal Kerberos tickets from memory and use them to manipulate the Azure Ticket Granting System into granting malicious access to cloud workloads such as servers. An attacker could use this access to pivot around hybrid environments.

In the enhanced Silver Ticket attack, called Silver Iodide, the Silverfort research team was able to attack Azure Files and forge Kerberos tickets to demonstrate how a threat actor could escalate privileges on the cloud-based file share.

Like many attacks on identity systems, the issues described lie in the underlying logic of the protocol. Fixing them would require re-engineering Kerberos – it is not simply a case of patching code. Both techniques were shared with Microsoft’s MSRC team prior to publication. 

You can read the research here.

