A public proof-of-concept (PoC) exploit has been released for the Azure Active Directory credential brute-force weakness discovered by Secureworks and first reported by Ars. The exploit allows anyone to perform both username enumeration and password brute forcing against a tenant's Azure AD Autologon endpoint. Although Microsoft initially described the Autologon mechanism's behavior as being "by design", it appears the company is now working on a fix.
PoC script released on GitHub
Yesterday, a "password spraying" PoC exploit for the Azure Active Directory brute-force flaw was released on GitHub. The PowerShell script, a little over 100 lines of code, relies heavily on earlier work by Dr. Nestori Syynimaa, Principal Security Researcher at Secureworks.
POC just appeared for SSO spray https://t.co/Ly2AHsR8Mr
– rvrsh3ll (@424f424f) September 29, 2021
According to the Secureworks Counter Threat Unit (CTU), exploiting the flaw, for example to confirm user passwords by brute force, is straightforward, as the PoC shows. However, organizations that enforce Conditional Access and multi-factor authentication (MFA) policies can block access to services that would otherwise accept a username and password alone. “Therefore, even when the threat actor can get [a] user password, [they] may not [be able to] use it to access the organization’s data,” Syynimaa told Ars in an email interview.
What can organizations do to protect themselves?
Although it gained wider attention after Secureworks’ disclosure this week, the Azure AD brute-force issue appears to have been known to some researchers beforehand, including Dirk-jan Mollema:
It is quite interesting that I reported this same issue to @msftsecresponse in December 2020; the last I heard was that a fix is still in development. It is quite strange that other people get a different verdict on the same issue. https://t.co/2EtfEIM5BE
– Dirk-jan (@_dirkjan) September 28, 2021
Microsoft told Ars that the technique demonstrated by Secureworks does not constitute a security vulnerability and that measures are already in place to keep Azure AD users protected:
“We have reviewed these claims and determined that the described technique does not involve a security vulnerability and protections are in place to help ensure that customers remain safe and secure,” a Microsoft spokesperson told Ars. After reviewing Secureworks’ initial write-up, Microsoft concluded that its brute-force protections already apply to the described endpoints, thus protecting users against such attacks.
Microsoft also says that tokens issued by the WS-Trust usernamemixed endpoint do not by themselves grant access to data and must be presented back to Azure AD to obtain the actual access tokens. “All these requests for access tokens are protected by Conditional Access, Azure AD multi-factor authentication, Azure AD Identity Protection, and appear in sign-in logs,” Microsoft concluded in its statement to Ars.
But Secureworks also shared additional information it received from Microsoft after publishing its analysis this week, indicating that Microsoft is working on changes.
“First, the sign-in event will appear in the Azure AD sign-in logs. Second, organizations will have the option to enable or disable the endpoint in question. These should be available to organizations within the next few weeks,” Syynimaa told Ars.
Security Solutions Architect Nathan McNulty reported that successful sign-in events have already begun to appear in the sign-in logs:
Amazing work from the Azure Identity team!
They have already added the success audit log for the WS-Trust MEX endpoint to the non-interactive login logs (no failures yet)
Get-AzureADAuditSignInLogs doesn’t seem to show what is displayed in the Graph API (good news for SIEM) 🙂 https://t.co/A130Uh7OeY
– Nathan McNulty (@NathanMcNulty) September 29, 2021
Azure AD also includes a “Smart Lockout” feature designed to automatically lock accounts that are under attack for a period of time once too many failed sign-in attempts are detected.
“When locked, the error message is always ‘locked’, regardless [of whether the password is correct or not]. As such, the feature appears to effectively block brute force,” Syynimaa shared with Ars. “However, Smart Lockout probably won’t block password spraying, where multiple accounts are being targeted with just a few passwords.”
Syynimaa’s advice for organizations looking for a mitigation against this attack is to lower the number of failed authentications allowed before Smart Lockout activates and locks the account. “Setting the value to a low value (like 3) helps prevent password spraying as well, but it can also lock accounts too easily during normal daily use.” Adjusting the lockout duration is another option.
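To make the spraying gap concrete, the following is an added example (not code from this article, from Secureworks, or from Microsoft) that runs a simple detector over constructed Azure AD sign-in records. Field names follow the Microsoft Graph signIn schema (userPrincipalName, ipAddress, status.errorCode); the error-code meanings assumed are 50126 for a wrong username or password and 50053 for an account locked by Smart Lockout. It counts per-account failures, which is the counter a Smart Lockout threshold acts on, and separately flags source IPs that fail against many distinct accounts with only a couple of attempts each, which is the pattern a per-account threshold misses.

```python
"""Added example: spotting password spraying that a per-account lockout misses.

Sample sign-in records are constructed below (not real tenant data). Field
names follow the Microsoft Graph signIn resource; error-code meanings are
assumed: 50126 = invalid username or password, 50053 = account locked by
Smart Lockout, 0 = success.
"""
from collections import defaultdict

INVALID_PASSWORD = 50126   # assumed meaning: AADSTS50126
ACCOUNT_LOCKED = 50053     # assumed meaning: AADSTS50053
SUCCESS = 0

SMART_LOCKOUT_DEFAULT_THRESHOLD = 10  # failed attempts before lockout (default)


def _rec(upn, ip, code):
    """Build one minimal sign-in record in Graph signIn shape."""
    return {"userPrincipalName": upn, "ipAddress": ip, "status": {"errorCode": code}}


SPRAY_IP = "203.0.113.7"    # constructed: tries 2 passwords against 12 accounts
BRUTE_IP = "198.51.100.9"   # constructed: hammers one account until it locks
SAMPLE_SIGNINS = (
    [_rec(f"user{i:02d}@contoso.example", SPRAY_IP, INVALID_PASSWORD)
     for i in range(12) for _ in range(2)]
    + [_rec("alice@contoso.example", BRUTE_IP, INVALID_PASSWORD) for _ in range(10)]
    + [_rec("alice@contoso.example", BRUTE_IP, ACCOUNT_LOCKED) for _ in range(2)]
    + [_rec("alice@contoso.example", "192.0.2.10", SUCCESS)]  # legitimate sign-in
)


def failures_per_account(records):
    """Failed attempts per UPN: the counter a per-account lockout threshold sees."""
    counts = defaultdict(int)
    for r in records:
        if r["status"]["errorCode"] in (INVALID_PASSWORD, ACCOUNT_LOCKED):
            counts[r["userPrincipalName"]] += 1
    return dict(counts)


def accounts_hitting_lockout(records, threshold=SMART_LOCKOUT_DEFAULT_THRESHOLD):
    """Accounts whose failure count reached the given lockout threshold."""
    return sorted(u for u, n in failures_per_account(records).items() if n >= threshold)


def spray_sources(records, min_distinct_users=5, max_attempts_per_user=3):
    """Source IPs that fail against many accounts with few attempts each.

    This is the spraying shape: it stays under any usable per-account
    threshold, so it has to be caught by pivoting on the source rather than
    the target. Returns {ip: number_of_distinct_accounts_targeted}.
    """
    per_ip = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["status"]["errorCode"] == INVALID_PASSWORD:
            per_ip[r["ipAddress"]][r["userPrincipalName"]] += 1
    return {
        ip: len(users)
        for ip, users in per_ip.items()
        if len(users) >= min_distinct_users
        and max(users.values()) <= max_attempts_per_user
    }


if __name__ == "__main__":
    print("locked at default threshold:", accounts_hitting_lockout(SAMPLE_SIGNINS))
    print("locked at threshold 3:", accounts_hitting_lockout(SAMPLE_SIGNINS, threshold=3))
    print("spray sources:", spray_sources(SAMPLE_SIGNINS))
```

Run as written, the default threshold of 10 locks only alice, and lowering it to 3 still locks only alice because the sprayer used just two passwords per account, while the per-source pivot flags 203.0.113.7 against 12 accounts. That is the trade-off Syynimaa describes: a threshold low enough to catch a two-password spray is also low enough to lock out users who mistype a password a couple of times, so source-based detection in the sign-in logs is the complementary control.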