Microsoft says this is not a security risk, but it is working to address it. As Ars reported, the flaw lets anyone brute-force usernames and passwords on vulnerable Azure servers. Although Microsoft initially called the Autologon mechanism a "design" choice, it appears the company is now working on a fix.
PoC script released on GitHub
A proof-of-concept for the widely exploitable Azure Active Directory password brute-force bug has been published on GitHub as a PowerShell script of just over 100 lines, based predominantly on the earlier work of Dr. Nestori Syynimaa, Chief Security Officer at Secureworks.
POC appeared only for SSO spray https://t.co/Ly2AHsR8Mr
- rvrsh3ll (@424f424f) Sep 29, 2021
Secureworks' Counter Threat Unit (CTU) says the flaw is very easy to exploit, for example by brute-forcing users' passwords, as the PoC demonstrates. However, organizations that use Conditional Access and Multi-Factor Authentication (MFA) policies may benefit from blocking access to services via username/password authentication, Syynimaa told Ars in an interview: "So, even when a threat actor is able to obtain a user's password, he [may not] be able to use it to access the organization's data."
What can organizations do to protect themselves?
Interestingly enough, I reported this to msftsecresponse in December 2020, and the last I heard was that a fix for the issue was still being developed. Other people vote differently on the issue https://t.co/2EtfEIM5BE
- Dirk-jan (@_dirkjan) Sep 28, 2021
Microsoft told Ars that the technique Secureworks demonstrated is not a vulnerability and that actions are being taken to protect Azure users:
"The technique described does not constitute a vulnerability, and protections are in place to keep customers safe," a Microsoft spokesperson told Ars. After reviewing Secureworks' initial write-up, Microsoft concluded that protection against brute-force attacks is already in place at the described endpoints, protecting users from such attacks.
In addition, Microsoft says, the tokens issued by the WS-Trust endpoint cannot be used on their own: the endpoint does not provide access to data, and the token must be presented to Azure AD to obtain real tokens. "All of these access token requests are protected by Conditional Access, Azure AD Multi-Factor Authentication, Azure AD Identity Protection, and sign-in logs," Microsoft said in a statement to Ars. But Secureworks also shared further information it received from Microsoft after publishing its analysis this week, indicating that Microsoft is working on a fix, Syynimaa told Ars.
Security Solutions Architect Nathan McNulty had earlier reported that successful login events now appear in the sign-in logs:
Great work from the Azure Identity team!
They have already added successful-login auditing for the WS-Trust MEX endpoint to the sign-in logs (no failures yet)
Get-AzureADAuditSignInLogs doesn't show it, but it shows up in Graph API (good news for SIEM) :) https://t.co/A130Uh7OeY
- NathanMcNulty September 29, 2021
"When locked out, the error message is always 'locked', regardless of whether the password is correct or not," Syynimaa shared with Ars. "However, password spraying, where many accounts are targeted with a few passwords, is unlikely to be blocked by Smart Lockout." Syynimaa advises organizations looking for a mitigation against this attack to set the number of failed authentications allowed before Smart Lockout locks an account to a small value (such as 3); this also helps against brute-forcing, but may lock accounts too easily during normal daily use. Adjusting the lockout duration is another option.
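To make the limitation above concrete, here is an added example (written for this page; not Secureworks' PoC and not Microsoft's tooling) that runs a per-account lockout count and a per-source spray count over constructed sample sign-in records. It assumes simplified field names (user, ip, errorCode) in place of the real sign-in log schema and uses the Azure AD error codes 50126 (invalid credentials) and 50053 (account locked).

```python
from collections import defaultdict

# Constructed sample records loosely modelled on Azure AD sign-in log fields
# (userPrincipalName, ipAddress, status.errorCode); not real log data.
# Error codes: 50126 = invalid username/password, 50053 = account locked, 0 = success.
SAMPLE_EVENTS = (
    # Single-account brute force: four wrong passwords for alice, then a lockout.
    [{"user": "alice@example.com", "ip": "203.0.113.10", "errorCode": 50126}] * 4
    + [{"user": "alice@example.com", "ip": "203.0.113.10", "errorCode": 50053}]
    # Password spray: one wrong password each against twelve accounts, same source.
    + [{"user": f"user{i}@example.com", "ip": "198.51.100.7", "errorCode": 50126}
       for i in range(12)]
    # Normal use: one typo from an office address, then a success.
    + [{"user": "bob@example.com", "ip": "192.0.2.5", "errorCode": 50126},
       {"user": "bob@example.com", "ip": "192.0.2.5", "errorCode": 0}]
)

LOCKOUT_THRESHOLD = 3    # failures per account before lockout, the small value the text suggests
SPRAY_MIN_ACCOUNTS = 10  # distinct accounts failing from one source before we call it a spray


def failures_per_account(events):
    """Count invalid-credential failures per account: the only view a per-account lockout has."""
    counts = defaultdict(int)
    for e in events:
        if e["errorCode"] == 50126:
            counts[e["user"]] += 1
    return dict(counts)


def accounts_that_lock(events, threshold=LOCKOUT_THRESHOLD):
    """Accounts a per-account lockout would stop at the given threshold."""
    return sorted(u for u, n in failures_per_account(events).items() if n >= threshold)


def spray_sources(events, min_accounts=SPRAY_MIN_ACCOUNTS):
    """Source IPs whose failures are spread over many accounts: invisible to per-account lockout."""
    accounts_by_ip = defaultdict(set)
    for e in events:
        if e["errorCode"] == 50126:
            accounts_by_ip[e["ip"]].add(e["user"])
    return {ip: len(a) for ip, a in accounts_by_ip.items() if len(a) >= min_accounts}


if __name__ == "__main__":
    print("locked by per-account threshold:", accounts_that_lock(SAMPLE_EVENTS))
    print("spray sources (ip -> distinct accounts):", spray_sources(SAMPLE_EVENTS))
```

With these inputs only alice trips the lockout threshold, while the twelve sprayed accounts each see a single failure and stay below it; the spray is only visible when failures are grouped by source.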
PoC exploit released for Azure AD brute-force bug: here's what to do