Cybersecurity is a constant battle between corporations implementing defensive mechanisms and malicious actors who keep evolving to break them. This is even more problematic when software developed by a large organization such as Microsoft is used by thousands of firms around the globe. Just a month ago, we learned of a now-patched flaw in Azure Cosmos DB which potentially gave unrestricted access to data belonging to thousands of corporations. Now, security researchers are issuing warnings about an alleged design weakness in Azure Active Directory (AAD) that allows single-factor brute-force attacks.
As spotted by UK publication Computing, a security bulletin by researchers over at Secureworks Counter Threat Unit (CTU) indicates that there is a flaw in AAD which allows attackers to attempt single-factor brute-force attacks on a tenant. While this is problematic on its own, CTU also says that none of the sign-in events are logged. The security team says that Azure AD uses Windows' Kerberos protocol to provide seamless single sign-on (SSO), as shown in the diagram below:
While there is no problem in the flow above, CTU says that there is also an intermediate autologon usernamemixed endpoint that is utilized for username and password authentication. Its flow is as follows:
CTU points out that even though logs are generated for a successful sign-in at the end of step 3, no logs at all are produced during step 2, when autologon is authenticating the credentials. In effect, an attacker can use the usernamemixed endpoint for single-factor brute-force attacks and the organization won't know it is being targeted. The malicious actor could eventually sign in without leaving any trace of their failed attempts. Since the thresholds for automatic lockouts are computed from those logs, no mechanism against repeated failed login attempts is triggered either. CTU further described that:
CTU analysis indicates that the autologon service is implemented with Azure Active Directory Federation Services (AD FS). Microsoft AD FS documentation recommends disabling internet access to the windowstransport endpoint. However, that access is required for Seamless SSO. Microsoft indicates that the usernamemixed endpoint is only required for legacy Office clients that predate the Office 2013 May 2015 update.
The exploitation is not limited to organizations using Seamless SSO. Threat actors can exploit the autologon usernamemixed endpoint in any Azure AD or Microsoft 365 organization, including organizations that use Pass-through Authentication (PTA). Users without an Azure AD password are not affected.
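To make the detection gap described above concrete, here is an added illustration (not Azure AD code, and not from CTU or Microsoft) of why a lockout or alerting control that reads from the sign-in log is blind to an authentication path that writes nothing on failure. The two paths, the account, the threshold and the event shape are constructed assumptions; the point is that the same number of wrong-password attempts trips the log-driven monitor on one path and is invisible on the other, and that a final success on the unlogged path appears as a single clean event.

```python
"""Constructed model of a log-driven lockout control and an unlogged
authentication path. Added illustration, not Azure AD's implementation:
the event shape, the threshold and both paths are assumptions."""
from dataclasses import dataclass, field


@dataclass
class SignInLog:
    """The sink that lockout and alerting logic reads from."""
    events: list = field(default_factory=list)

    def record(self, user, outcome, path):
        self.events.append({"user": user, "outcome": outcome, "path": path})


@dataclass
class LockoutMonitor:
    """Counts failures per user from the *log* and trips after a threshold.
    It has no view of the authentication service itself."""
    log: SignInLog
    threshold: int = 10

    def failures(self, user):
        return sum(1 for e in self.log.events
                   if e["user"] == user and e["outcome"] == "failure")

    def locked_out(self, user):
        return self.failures(user) >= self.threshold


class IdentityProvider:
    """Toy credential check with two front doors writing to one log."""

    def __init__(self, passwords, log):
        self._passwords = passwords
        self.log = log

    def _check(self, user, password):
        return self._passwords.get(user) == password

    def logged_path(self, user, password):
        """Every attempt, successful or not, is written to the log."""
        ok = self._check(user, password)
        self.log.record(user, "success" if ok else "failure", "logged")
        return ok

    def unlogged_path(self, user, password):
        """Models the described behaviour: only a success is written to the
        sign-in log; a failed attempt leaves no record at all."""
        ok = self._check(user, password)
        if ok:
            self.log.record(user, "success", "unlogged")
        return ok


def run_attempts(path_name, attempts, then_correct=False):
    """Drive `attempts` wrong-password tries through one path (optionally
    followed by the right password) and report what the monitor can see."""
    log = SignInLog()
    idp = IdentityProvider({"alice": "correct-horse"}, log)  # constructed account
    monitor = LockoutMonitor(log, threshold=10)
    path = getattr(idp, path_name)
    for i in range(attempts):
        path("alice", f"wrong-{i}")
    if then_correct:
        path("alice", "correct-horse")
    return {
        "events": len(log.events),
        "logged_failures": monitor.failures("alice"),
        "locked_out": monitor.locked_out("alice"),
    }


if __name__ == "__main__":
    print("logged path:  ", run_attempts("logged_path", 50))
    print("unlogged path:", run_attempts("unlogged_path", 50))
    print("unlogged path, then success:",
          run_attempts("unlogged_path", 50, then_correct=True))
```

Running the block shows the logged path tripping the monitor after 50 failures, the unlogged path producing zero events and no lockout, and the final variant leaving exactly one success event with no failures before it, which is the "no trace of failed attempts" situation the article describes.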
Secureworks CTU reported the apparent flaw to Microsoft on June 29 and the company confirmed the existence of this behavior on July 21. However, the Redmond tech giant interestingly stated that this is the intended behavior and not really a flaw. The obvious implication is that the company won't be taking any steps to fix it.
CTU has concluded that there are no known mitigations to block the endpoint for organizations that need Seamless SSO on AAD. The security team says that multi-factor authentication (MFA) and conditional access (CA) are ineffective here because they are applied only after a successful authentication. We have reached out to Microsoft for further clarification on the matter and will update when the company responds.
Update: In a statement to Neowin, Microsoft has confirmed that the company already has other protections in place to mitigate brute-force attacks. A spokesperson stated that:
We’ve reviewed these claims and determined the technique described does not involve a security vulnerability and protections are in place to help ensure customers remain safe and secure.
Microsoft has also emphasized that the usernamemixed endpoint does not directly give access to data either. Access tokens are further protected by MFA, CA, and AAD Identity Protection and are shown in sign-in logs.