Undetected Brute force attacks in Microsoft Azure AD.

Hello World!

Recently Security Researchers have released a PoC (proof-of-concept) exploit that allows for username enumeration and password brute-forcing on vulnerable Microsoft Azure servers, more specifically Azure active directory. Is is able to do this by taking advantage of weaknesses that lie within the Autologon mechanism.

Let’s do a quick breakdown on some of these words here, for those who are unsure –

Exploit – An exploit is something that is designed to take advantage of a single or sometimes multiple weaknesses within another person or device, however it is a universal term and not limited to only people or computer systems.

Enumeration – Enumeration is the process of identification, categorization and documentation. Here we are using it to refer to username enumeration, this in simple terms means “gathering a list of usernames.” This can be achieved with various methods and again isn’t necessarily technical.

Brute-forcing – Let’s take a PIN number on a phone for example, if you have no idea what it might be, but you continue to guess every combination possible until you get it right, you’ve brute-forced it.

Lockout – Not mentioned in the first paragraph but is essential to understanding brute-force attacks and the most simple mechanism to stop them… Lockouts, so the phone we brute-forced was an example. In case you’ve never seen what a lockout looks like, try inputting the wrong password/pin into your phone a few times (Not too much because the lockout will increment up to around 24 hours.) This mechanism detects incorrect input and assumes you are not authorized, should you incorrectly input your username/password multiple times, then you will be blocked from further attempts for X amount of time. (And there should be a log the administrators can see that will show ALL successful/unsuccessful attempts and provide further info.)

Active Directory – I took this one from techterms.com as Active Directory and Azure Active directory are a lot to take in and I really don’t want to scare non-technical users with lots of different names to remember, click the link and it’ll show more information, but still only scratches the surface.

“Active Directory (AD) is a Microsoft technology used to manage computers and other devices on a network. It is a primary feature of Windows Server, an operating system that runs both local and Internet-based servers. Active Directory allows network administrators to create and manage domains, users, and objects within a network. For example, an admin can create a group of users and give them specific access privileges to certain directories on the server. As a network grows, Active Directory provides a way to organize a large number of users into logical groups and subgroups, while providing access control at each level.”

Azure – Azure is Microsoft’s Cloud Platform, its what AWS is to Amazon. Essentially cloud means off-site, however there are many different models that are used such as SaaS and PaaS. Additionally attackers use the cloud and have been seen operating RaaS (Ransomware as a service).

“This flaw allows threat actors to perform single-factor brute-force attacks against Azure Active Directory (Azure AD) without generating sign-in events in the targeted organization’s tenant,” researchers from Secureworks Counter Threat Unit (CTU) said in a report published on Wednesday.

It would appear that this vulnerability affects Office clients older than the Office 2013 May 2015 update, it also seems that these older versions do not use Kerberos. Instead in order to carry out authentication a password-based endpoint called “UserNameMixed” is used instead, either generating an access token or an error code based on the input from the user.

So here’s the problem and we will come back to where Autologon plays a role in this… Whilst successful sign-ins generate logs when they send the access tokens, authentication from Autologon to Azure AD is not logged, this allows attackers to leverage this fact around the logging in order to carry out password spraying/brute force attacks without generating logs. (Password spraying is a type of brute-forcing but involves more guessing, for example trying the known default credentials for admin accounts, or using usernames found elsewhere in an attack to really cut down the amount of attempts needed, sometimes this can be used to just brute force one field, where the other is known as a constant.)

Finally let’s see how the vendor responded… “Secureworks said it notified Microsoft of the issue on June 29, only for Microsoft to acknowledge the behaviour on July 21 as “by design.” ” Oh okay! Ambiguous and puzzling… nothing new here.

Sources: https://arstechnica.com/information-technology/2021/09/poc-exploit-released-for-azure-ad-brute-force-bug-heres-what-to-do/ https://thehackernews.com/2021/09/new-azure-ad-bug-lets-hackers-brute.html