PoC exploit released for Azure AD brute-force vulnerability: this is what to do


Discovered by Secureworks and first reported by Ars. The vulnerability allows anyone to perform username enumeration and password brute-forcing against vulnerable Azure tenants. Although Microsoft initially described the Autologon behaviour as a “design” choice, it now appears that the company is working on a fix.

The PoC script is published on GitHub

Yesterday, a “password spray” PoC exploit for brute-forcing Azure Active Directory was published on GitHub. The PowerShell script is just over 100 lines of code and is based mainly on earlier work by Dr. Nestori Syynimaa, Senior Principal Security Researcher at Secureworks.

According to the Secureworks Counter Threat Unit (CTU), the PoC shows that the vulnerability is very easy to exploit (for example, to confirm user passwords by brute force). However, organizations that use conditional access policies and multi-factor authentication (MFA) may benefit from blocking access to services through username/password authentication alone. “So even if the threat actor can get [a] user’s password, they may not be [able to] use it to access the organization’s data,” Syynimaa told Ars in an email interview.

What can organizations do to protect themselves?

Although Secureworks disclosed the Azure AD brute-force issue this week, some researchers appear to have known about it already, including researcher Dirk-jan.

Microsoft told Ars that the technique presented by Secureworks does not constitute a security vulnerability and that it has taken steps to protect Azure users:

“We have reviewed these claims and determined that the technique described does not involve a security vulnerability, and protections are in place to help ensure customers stay safe,” a Microsoft spokesperson told Ars. After reviewing Secureworks’ initial article, Microsoft concluded that protections against brute-force attacks had already been applied to the endpoints described.

In addition, Microsoft stated that the token issued by the WS-Trust usernamemixed endpoint does not itself grant access to data and must be presented to Azure AD to obtain the actual access token. “All such requests for access tokens are protected by Conditional Access, Azure AD Multi-Factor Authentication, Azure AD Identity Protection and surfaced in sign-in logs,” Microsoft concluded in its statement to Ars.

However, in the analysis it published this week, Secureworks also shared further information it obtained from Microsoft, which indicates that Microsoft is working on a fix.

“First, login events will be populated into Azure AD login logs. Second, organizations will have the option to enable or disable related endpoints. These should be available to organizations in the next few weeks,” Syynimaa told Ars.

Security Solutions Architect Nathan McNulty has reported seeing a successful sign-in event appear in the sign-in log.

Azure AD also comes with a “Smart Lockout” feature designed to automatically lock the targeted account for a period of time when too many failed sign-in attempts are detected.

“When locked, the error message is always ‘locked’ regardless [of the password being correct or not]. Therefore, the feature seems to effectively prevent brute-forcing,” Syynimaa further shared with Ars. “However, password spraying, where a few passwords are tried against multiple accounts, is likely not to be blocked by Smart Lockout.”

Syynimaa’s recommendation to organizations seeking a mitigation for this attack is to adjust the number of failed authentications allowed before Smart Lockout activates and locks the account. “Setting the value low (such as 3) helps prevent password spraying, but it may also make it too easy to lock accounts during daily use.” Adjusting the lockout duration is another option.
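The trade-off Syynimaa describes, a per-account lockout that stops a brute-force run against one account but never fires against a spray that stays under the threshold on every account, is easier to reason about with a small simulation. The following Python is an added example written for this page; it is not the Secureworks PoC, not code from the article, and not Microsoft's lockout implementation. The authentication attempts are constructed, the record fields are a simplified stand-in for sign-in log entries (the `password_correct` flag exists only to drive the simulation), the lockout counter is a simplification, and the defaults of 10 attempts and 60 seconds are an assumption. The second function shows the defender's counter-move: once lockout cannot see the spray, pivot on the source address and count distinct accounts failing from it inside a time window.

```python
"""Per-account lockout vs. source-based spray detection (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication attempts, not real sign-in log data. Each record is
# a simplified stand-in for a sign-in log entry; "password_correct" is a
# simulation-only flag that no real log would contain.
T0 = datetime(2021, 10, 1, 9, 0, 0)


def _attempt(seconds, user, ip, password_correct=False):
    return {"time": T0 + timedelta(seconds=seconds), "user": user,
            "ip": ip, "password_correct": password_correct}


SPRAY_TARGETS = ["bob", "carol", "dave", "erin", "frank", "grace"]

SAMPLE_EVENTS = (
    # Brute force: eleven guesses against one account from one source; only the
    # eleventh guess is the real password.
    [_attempt(i, "alice", "203.0.113.10", password_correct=(i == 10))
     for i in range(11)]
    # Password spray: two guesses against each of six accounts from one source.
    + [_attempt(100 + 5 * i, user, "198.51.100.7")
       for i, user in enumerate(SPRAY_TARGETS * 2)]
    # Legitimate user: one typo, then a successful sign-in.
    + [_attempt(200, "heidi", "192.0.2.5"),
       _attempt(210, "heidi", "192.0.2.5", password_correct=True)]
)


def simulate_smart_lockout(events, threshold=10, lockout_seconds=60):
    """Apply a per-account lockout policy and label each attempt with its outcome.

    Outcomes are "success", "failure" or "locked". Once an account reaches
    `threshold` consecutive failures, every attempt is rejected as "locked",
    correct password or not, until the lockout expires. The counter logic is a
    simplification written for this example, not Microsoft's implementation;
    the defaults of 10 attempts and 60 seconds are an assumption.
    """
    failures = defaultdict(int)
    locked_until = {}
    outcomes = []
    for ev in sorted(events, key=lambda e: e["time"]):
        user, now = ev["user"], ev["time"]
        if user in locked_until and now < locked_until[user]:
            outcome = "locked"
        elif ev["password_correct"]:
            outcome = "success"
            failures[user] = 0
        else:
            outcome = "failure"
            failures[user] += 1
            if failures[user] >= threshold:
                locked_until[user] = now + timedelta(seconds=lockout_seconds)
                failures[user] = 0
        outcomes.append({**ev, "outcome": outcome})
    return outcomes


def locked_accounts(outcomes):
    """Accounts that were rejected at least once because they were locked."""
    return {o["user"] for o in outcomes if o["outcome"] == "locked"}


def detect_password_spray(outcomes, window_minutes=10, min_distinct_users=5):
    """Flag source IPs whose failures hit many distinct accounts within a window.

    A spray keeps every account below the lockout threshold, so a per-account
    counter never fires; pivoting on the source IP exposes it. Returns a map of
    flagged IP -> largest number of distinct accounts seen in one window.
    """
    by_ip = defaultdict(list)
    for o in outcomes:
        if o["outcome"] == "failure":
            by_ip[o["ip"]].append(o)
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda o: o["time"])
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most `window`.
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            users = {o["user"] for o in fails[start:end + 1]}
            if len(users) >= min_distinct_users:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged


if __name__ == "__main__":
    for threshold in (10, 3):
        result = simulate_smart_lockout(SAMPLE_EVENTS, threshold=threshold)
        print(f"threshold={threshold}: locked={sorted(locked_accounts(result))}, "
              f"spray sources={detect_password_spray(result)}")
```

Run as is, the brute-forced account is locked and its final, correct guess is still rejected as “locked”, which is the behaviour Syynimaa describes. None of the sprayed accounts are ever locked, even at the aggressive threshold of 3, because each one only sees two failures; the spray is only visible once failures are grouped by source address, which is the kind of query worth running against the sign-in logs Microsoft says these events will be surfaced in.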
