An unpatched security weakness in Azure Active Directory might be leveraged by attackers to conduct undetected brute-force attacks, according to security researchers.
SecureWorks says there’s a flaw in the protocol that is used as part of Azure Active Directory’s Seamless Single Sign-On feature. “This flaw allows threat actors to perform single-factor brute-force attacks against Azure Active Directory (Azure AD) without generating sign-in events in the targeted organization’s tenant,” SecureWorks says.
A password spraying PoC was published 3 days ago on GitHub.
The Response from Microsoft
Microsoft said that this method does not constitute a security vulnerability and that measures are already in place to protect Azure users: “We’ve reviewed these claims and determined the technique described does not involve a security vulnerability and protections are in place to help ensure customers remain safe and secure,” a Microsoft spokesperson told ArsTechnica.
Furthermore, Microsoft says, tokens issued by the WS-Trust
usernamemixed endpoint do not provide access to data and need to be presented back to Azure AD to obtain the actual tokens. “All such requests for access tokens are then protected by Conditional Access, Azure AD Multi-Factor Authentication, Azure AD Identity Protection and surfaced in sign-in logs,“.
But, Secureworks also shared additional insights that it received from Microsoft after publishing its analysis this week, indicating Microsoft is working on a solution.
“First, the log in event will be populated to Azure AD sign-ins logs. Second, organisations will be given an option to enable or disable the endpoint in question. These should be available for organisations in the next couple of weeks,” Syynimaa told Ars.
Azure AD also comes with a “Smart Lockout” feature designed to automatically lock accounts that are being targeted for a certain amount of time if too many log-in attempts are detected.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he is a certified: CISSP, CISA, CISM, ITIL, COBIT and PRINCE2, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills on penetration testing, cloud technologies, virtualization, network security, IoT and many more.