Posted on October 2, 2021 at 5:26 PM
Bug on Microsoft Azure AD can be exploited to Give Hackers Access to Devices
Hackers keep coming up with new ways of attacking devices. One of the most concerning aspects of their latest strategies is that many of them are designed to avoid detection.
A recent report by cybersecurity researchers has identified an unpatched security vulnerability in Microsoft Azure Active Directory. According to the researchers, threat actors can exploit this vulnerability to launch brute-force attacks that go undetected.
Commenting on this vulnerability, researchers from Secureworks Counter Threat Unit (CTU) stated that, “This flaw allows threat actors to perform single-factor brute-force attacks against Azure Active Directory (Azure AD) without generating sign-in events in the targeted organization’s tenant.”
Vulnerability on Azure Active Directory
Microsoft Azure Active Directory is an enterprise cloud-based identity and access management (IAM) solution. It is used for single sign-on (SSO) and multi-factor authentication, and it is one of the core components of Microsoft 365, formerly known as Office 365. Among other things, it provides an authentication platform for other Microsoft applications using OAuth.
The vulnerability identified by the research team involves the Seamless Single Sign-On feature. Companies mainly use this feature because it signs employees in automatically when they use corporate devices. As long as the device is connected to the enterprise network, the employee can sign in without entering a password.
Seamless SSO does not work all the time. If the process fails, the employee falls back to the default way of accessing their accounts: they have to type their password on the sign-in page.
To support both the automatic and the fallback path, the service uses the Kerberos protocol to look up the corresponding user in Azure AD and then issues a ticket-granting ticket (TGT) that allows the user to access the device or account in question.
However, this is not the process followed by all Microsoft clients. Users of Exchange Online with Office clients older than Office 2013 that have not installed the May 2015 update are served by the “UserNameMixed” endpoint instead. This is a password-based endpoint that returns either an access token or an error code, depending on whether the credentials the user supplied are valid.
The vulnerability stems from the error codes returned by this second endpoint used by older clients. When a user authenticates with the correct credentials, a sign-in log entry is generated and an access token is issued.
However, because “Autologon’s authentication to Azure AD is not logged”, there is an omission that a threat actor can leverage: it creates an opportunity to launch a brute-force attack through the UserNameMixed endpoint without the attempts appearing in the tenant’s sign-in logs.
Microsoft Acknowledged Vulnerability
When Secureworks discovered the vulnerability, it informed Microsoft immediately. However, Microsoft was slow to acknowledge it: Secureworks reported the issue on June 29, but Microsoft only acknowledged it on July 21, a month later.
In its response, Microsoft stated that the behaviour was “by design”. It added: “We’ve reviewed these claims and determined the technique described does not involve a security vulnerability and protections are in place to help ensure customers remain safe and secure.”
In short, Microsoft stated that the likelihood of a brute-force attack being launched through this weakness was minimal, and that the company had the necessary measures in place to ensure that its users are not exposed to such attacks.
Microsoft also stated that protections against brute-force attacks had been put in place on the endpoints in question; hence users, especially companies using Azure AD, did not have anything to worry about regarding the matter.
The tech giant further stated that tokens issued by the UserNameMixed API do not by themselves grant access to data. For data access to be granted, those tokens have to be presented back to Azure AD, which then issues the actual access tokens.
“Such requests for access tokens are protected by Conditional Access, Azure AD Multi-Factor Authentication, Azure AD Identity Protection and surface sign-in logs,” Microsoft stated. The implication was that a compromise of corporate data by threat actors using this technique was close to impossible.