A public proof-of-concept (PoC) exploit has been released for Microsoft Azure Active Directory credentials brute-forcing errors detected by Secureworks and first reported by Ars. The exploit enables anyone to perform both username counting and password brute force on vulnerable Azure servers. Although Microsoft originally called the Autologon mechanism a “design” option, it now appears that the company is working on a solution.
PoC script published on GitHub
Yesterday, a “password spraying” PoC exploit for Azure Active Directory brute-force error was released on GitHub. The PowerShell script, just over 100 lines of code, is heavily based on previous work by Dr. Nestori Syynimaa, senior security researcher at Secureworks.
POC appeared right up to the SSO spray https://t.co/Ly2AHsR8Mr
– rvrsh3ll (@ 424f424f) September 29, 2021
According to Secureworks ‘Counter Threat Unit (CTU), it is quite easy to exploit the error, as by confirming users’ passwords via brute-forcing, as stated by PoC. However, organizations that use conditional access policy and multi-factor authentication (MFA) may benefit from blocking access to services through username / password authentication. “So even when the threat actor is able to come [a] user password, they may not be [able to] use it to access the organization’s data, “Syynimaa told Ars in an email interview.
What can organizations do to protect themselves?
Although released after Secureworks’ unveiling this week, it appears that the Azure AD brute-force problem has been known in the past among some researchers, including researcher Dirk-jan:
Interestingly, I reported this particular issue in December 2020 to @msftsecresponse, the latest I have heard is that it is still under development for a solution. Quite strange that other people get a different verdict on the same issue. https://t.co/2EtfEIM5BE
-Dirk-jan (@_dirkjan) September 28, 2021
Microsoft told Ars that the demonstrated technology from Secureworks does not pose a security risk and that measures are already in place to protect Azure users:
“We have reviewed these claims and determined that the technology described does not pose a security risk and that protection is in place to ensure that customers remain safe,” a Microsoft spokesman told Ars. After reviewing Secureworks’ initial revaluation, Microsoft concluded that protection against brute-force attacks already applies to the described endpoints, thereby protecting users from such attacks.
In addition, Microsoft says tokens issued by WS-Trust
usernamemixed endpoint does not provide access to data and must be presented back to Azure AD to get the actual tokens. “All such token requests are then protected by conditional access, Azure AD Multi-Factor Authentication, Azure AD Identity Protection and displayed in log-logs,” Microsoft concluded in its statement to Ars.
But Secureworks also shared additional insights it received from Microsoft after publishing its analysis this week, indicating that Microsoft is working on a solution.
“First, the log-in event will be populated to Azure AD log-in logs. Second, organizations will be able to enable or disable that endpoint. These should be available to organizations in the next few weeks,” Syynimaa told Ars.
Architect for security solutions Nathan McNulty already reported to see successful login events appear in log-in logs:
Great work from the Azure Identity team!
They have already added success audit logging for the WS-Trust MEX endpoint to the non-interactive log-in logs (no errors yet)
Get-AzureADAuditSignInLogs does not appear to show in Graph API (good news for SIEMs) 🙂 https://t.co/A130Uh7OeY
– Nathan McNulty (@NathanMcNulty) September 29, 2021
Azure AD also comes with a “Smart Lockout” feature designed to automatically lock accounts that are targeted for a specific period of time if too many log-in attempts are detected.
“When locked out, the error message is always ‘locked’ regardless [of the password being correct or not]. As such, it appears the function effectively blocks brutal coercion, “Syynimaa shared further with Ars.” However, password spraying, where multiple accounts are targeted with a few passwords, is unlikely to be blocked by Smart Lockout. “
Syynimaa’s advice to organizations looking for a solution to this attack is to adjust the number of failed approvals before Smart Lockout will start and lock accounts. “Setting the value to low (like 3) also helps prevent passwords from being sprayed, but can also lock accounts too easily during normal daily use.” Adjusting the lockout time is another option.