The issue was discovered by Secureworks and first reported by Ars. It allows anyone to perform username enumeration and password brute-forcing against Azure Active Directory. Although Microsoft initially described the Autologon mechanism's behaviour as a "design" choice, it now appears that the company is working on a fix.
The PoC script is published on GitHub
Yesterday, a "password spray" PoC exploit for brute-forcing Azure Active Directory was released on GitHub. The PowerShell script is just over 100 lines of code and is based largely on earlier work by Dr. Nestori Syynimaa, Senior Principal Security Researcher at Secureworks.
PoC just appeared for the SSO spray https://t.co/Ly2AHsR8Mr
— Rvrsh3ll (@424f424f) September 29, 2021
According to Secureworks' Counter Threat Unit (CTU), and as the PoC demonstrates, the vulnerability is very easy to exploit (for example, to confirm user passwords by brute force). However, organizations that use Conditional Access policies and multi-factor authentication (MFA) may benefit from blocking access to services via username/password authentication. "So even if the threat actor can get [a] user's password, they may not be [able to] use it to access the organization's data," Syynimaa told Ars in an email interview.
What can organizations do to protect themselves?
Although Secureworks disclosed the Azure AD brute-force issue this week, some researchers appear to have known about it already, including researcher Dirk-jan:
Interestingly, I reported this to @msftsecresponse, and the latest I heard is that a fix is still in development. Strange that other people get different verdicts on the same issue. https://t.co/2EtfEIM5BE
— Dirk-jan (@_dirkjan) September 28, 2021
Microsoft told Ars that the technique presented by Secureworks does not constitute a security vulnerability, and that measures are in place to protect Azure users:
"We have reviewed these claims and determined that the described technique does not involve a security vulnerability, and protections are in place to help ensure customers remain safe," a Microsoft spokesperson told Ars. After reviewing Secureworks' original article, Microsoft concluded that brute-force protections are already applied to the endpoints described, protecting users from such attacks.
In addition, Microsoft stated that the token issued by the WS-Trust usernamemixed endpoint does not itself grant access to data and must be presented back to Azure AD to obtain an actual access token. "All such requests for access tokens are protected by Conditional Access, Azure AD Multi-Factor Authentication and Azure AD Identity Protection, and are surfaced in the sign-in logs," Microsoft concluded in its statement to Ars.
However, in the analysis it published this week, Secureworks also shared further insights it obtained from Microsoft, which indicate that Microsoft is working on a fix.
"First, sign-in events will be populated in the Azure AD sign-in logs. Second, organizations will have the option to enable or disable the related endpoints. These should be available to organizations within the next few weeks," Syynimaa told Ars.
Security Solutions Architect Nathan McNulty has already reported seeing successful sign-in events appear in the sign-in logs:
Great work by the Azure Identity team!
They have added successful audit logging of the WS-Trust MEX endpoint to the non-interactive sign-in logs (failures not yet)
Get-AzureADAuditSignInLogs doesn't seem to show it, but it does show up in the Graph API (good news for SIEM) 🙂 https://t.co/A130Uh7OeY
— Nathan McNulty (@NathanMcNulty) September 29, 2021
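Once sign-in events for this endpoint land in the sign-in logs, the practical question is what to look for. The following is an added example, not code from the article, from Secureworks, Microsoft or McNulty: it runs one detection over constructed records whose field names are only loosely modeled on the Graph `auditLogs/signIns` schema (an assumption; check the names in a real export). It flags any source IP that authenticated as many distinct users inside a short window, which is the footprint a spray leaves even when only successes are logged, so it counts successes and failures alike.

```python
"""Flag source IPs that authenticate as many distinct users in a short window.

Added example, not from the article or any vendor. SAMPLE_SIGNINS is
constructed data; the field names (createdDateTime, userPrincipalName,
ipAddress, status.errorCode) are an assumption modeled on the Graph
auditLogs/signIns resource and may differ in a real export.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _rec(ts, upn, ip, code=0):
    """Build one constructed sign-in record."""
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "ipAddress": ip, "status": {"errorCode": code}}


SAMPLE_SIGNINS = [
    # 203.0.113.7 authenticates as six different users within half a minute
    _rec("2021-09-29T08:00:05Z", "alice@example.com", "203.0.113.7"),
    _rec("2021-09-29T08:00:09Z", "bob@example.com", "203.0.113.7"),
    _rec("2021-09-29T08:00:14Z", "carol@example.com", "203.0.113.7"),
    _rec("2021-09-29T08:00:20Z", "dave@example.com", "203.0.113.7"),
    _rec("2021-09-29T08:00:27Z", "erin@example.com", "203.0.113.7"),
    _rec("2021-09-29T08:00:33Z", "frank@example.com", "203.0.113.7"),
    # 198.51.100.20: one user signing in repeatedly over the day (normal)
    _rec("2021-09-29T07:55:00Z", "grace@example.com", "198.51.100.20"),
    _rec("2021-09-29T09:10:00Z", "grace@example.com", "198.51.100.20"),
    _rec("2021-09-29T12:40:00Z", "grace@example.com", "198.51.100.20"),
    # 192.0.2.5: two users behind a shared office egress (normal)
    _rec("2021-09-29T08:02:00Z", "heidi@example.com", "192.0.2.5"),
    _rec("2021-09-29T08:03:30Z", "ivan@example.com", "192.0.2.5"),
    # 203.0.113.7 again hours later; the burst above already qualifies
    _rec("2021-09-29T16:00:00Z", "alice@example.com", "203.0.113.7"),
]


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps the sample uses."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_spray_sources(records, window=timedelta(minutes=10), min_users=5):
    """Return {ip: sorted distinct UPNs} for every IP that touched at least
    `min_users` distinct accounts within some `window` of time.

    Successes and failures are counted alike: with only successful events
    logged (as in the tweet above), the distinct-user count per source is
    the usable signal, not the error code.
    """
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ipAddress"]].append((parse_ts(r["createdDateTime"]),
                                      r["userPrincipalName"]))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({u for _, u in events[start:end + 1]}) >= min_users:
                flagged[ip] = sorted({u for _, u in events})
                break
    return flagged


if __name__ == "__main__":
    for ip, users in find_spray_sources(SAMPLE_SIGNINS).items():
        print(f"{ip}: {len(users)} distinct users -> {users}")
```

The window and user-count thresholds are tuning knobs: a shared corporate egress will legitimately show several users per IP, so the `min_users` floor should sit above what your largest NAT normally produces, and the window should be short enough that a slow spray spread over a day still needs to be caught by a second, longer-window rule.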
Azure AD also comes with a "Smart Lockout" feature designed to automatically lock the targeted account for a period of time when too many sign-in attempts are detected.
"When locked, the error message is always 'locked' regardless [of whether the password is correct or not]. Therefore, the feature seems to effectively prevent brute-forcing," Syynimaa further shared with Ars. "However, password spraying, where multiple accounts are targeted with a few passwords, is likely not to be blocked by Smart Lockout."
Syynimaa's recommendation for organizations seeking a mitigation for this attack is to adjust the number of failed authentications allowed before Smart Lockout activates and locks the account. "Setting the value low (such as 3) helps prevent password spraying, but it may also make accounts too easy to lock out during daily use." Adjusting the lockout duration is another option.
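To make the trade-off above concrete, here is an added toy simulation (not code from the article, from Secureworks, or from the PoC) of a lockout policy run against both attack styles. The lockout model is a simplifying assumption rather than Microsoft's real algorithm: an account locks after `threshold` consecutive failures, stays locked for `lockout_seconds`, answers "locked" to every attempt meanwhile (even the right password, as Syynimaa describes), and resets its failure count on success. The tenant, wordlists and account names are constructed.

```python
"""Toy model of a Smart Lockout-style policy vs. brute force and password spray.

Added illustration, not from the article, Secureworks or the PoC. The lockout
rules are a simplifying assumption, not Microsoft's actual implementation.
"""
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts so far
    locked_until: float = 0.0  # simulated clock time at which the lock expires


class SmartLockoutModel:
    def __init__(self, directory, threshold=10, lockout_seconds=60):
        self.directory = directory              # upn -> real password (simulated tenant)
        self.threshold = threshold
        self.lockout_seconds = lockout_seconds
        self.state = {upn: AccountState() for upn in directory}
        self.lockouts = 0                       # number of lock events fired

    def authenticate(self, upn, password, now):
        """Return 'success', 'failure' or 'locked' for one sign-in attempt."""
        st = self.state[upn]
        if now < st.locked_until:
            return "locked"                     # no password feedback while locked
        if password == self.directory[upn]:
            st.failures = 0
            return "success"
        st.failures += 1
        if st.failures >= self.threshold:
            st.failures = 0
            st.locked_until = now + self.lockout_seconds
            self.lockouts += 1
            return "locked"
        return "failure"


# Constructed sample tenant and wordlists (not real credentials).
DIRECTORY = {
    "alice@example.com": "Winter2021!",
    "bob@example.com": "Summer2021!",
    "carol@example.com": "P@ssw0rd42",
    "dave@example.com": "Autumn2021!",
}
BRUTE_FORCE_WORDLIST = [f"Guess{i:02d}!" for i in range(30)]
BRUTE_FORCE_WORDLIST[15] = DIRECTORY["carol@example.com"]   # the right answer is in the list
SPRAY_LIST = ["Summer2021!", "Winter2021!", "Welcome1", "Autumn2021!"]


def brute_force_one_account(model, upn, wordlist, seconds_per_attempt=1.0):
    """Hammer one account with a whole wordlist, one attempt per second."""
    results, now = [], 0.0
    for pw in wordlist:
        r = model.authenticate(upn, pw, now)
        results.append(r)
        if r == "success":
            return pw, results
        now += seconds_per_attempt
    return None, results


def password_spray(model, candidates):
    """Try each candidate once against every account, so each account sees at
    most len(candidates) failures in total, however many accounts there are."""
    found = {}
    for pw in candidates:
        for upn in model.state:
            if upn not in found and model.authenticate(upn, pw, 0.0) == "success":
                found[upn] = pw
    return found


def compare_thresholds(thresholds=(10, 3)):
    """Run both attacks under each lockout threshold and summarise the outcome."""
    summary = {}
    for t in thresholds:
        bf = SmartLockoutModel(DIRECTORY, threshold=t)
        cracked, results = brute_force_one_account(bf, "carol@example.com", BRUTE_FORCE_WORDLIST)
        sp = SmartLockoutModel(DIRECTORY, threshold=t)
        sprayed = password_spray(sp, SPRAY_LIST)
        summary[t] = {
            "brute_force_cracked": cracked,
            "brute_force_locked_responses": results.count("locked"),
            "spray_cracked": sorted(sprayed),
            "spray_lockouts": sp.lockouts,
        }
    return summary


if __name__ == "__main__":
    for t, s in compare_thresholds().items():
        print(f"threshold={t}: {s}")
```

With the default threshold of 10, the single-account brute force never sees the correct password (it is tried while the account is locked and only gets "locked" back), but the four-password spray compromises three of four accounts without triggering a single lockout. Dropping the threshold to 3 stops the spray short of its last password, at the cost of locking out two accounts, including one whose real password was simply later in the attacker's list; that is the daily-use cost the quote above warns about.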