No Fix For Azure Active Directory Password Brute-Forcing Bug

Researchers from the Secureworks Counter Threat Unit (CTU) discovered a flaw in the protocol of the Azure Active Directory Seamless Single Sign-On service.

According to the researchers, this bug allows threat actors to conduct one-factor brute-force attacks against Azure Active Directory without generating login events in the target organization.

Azure AD Seamless SSO service automatically logs users into their corporate devices connected to their workplace network. If Seamless SSO is enabled, users do not need to enter their passwords or even their username to log in to Azure AD.

This is where the vulnerability starts. The Autologon service attempts to authenticate the user to Azure AD with the provided credentials. If the username and password match, authentication succeeds and the Autologon service responds with XML output bearing an authentication token, called a DesktopSSOToken. This is then sent to Azure AD. If authentication is unsuccessful, an error message is generated.

The error codes in these messages, some of which are not properly logged, can help threat actors carry out undetected brute-force attacks.

The CTU researchers explain that successful authentication events generate sign-ins, but Autologon authentication to Azure AD is unlogged. This omission allows threat actors to use the usernamemixed endpoint for undetected brute-force attacks.

The vulnerability is not limited to organizations using Seamless SSO. “Threat actors can exploit the autologon usernamemixed endpoint in any Azure AD or Microsoft 365 organization, including organizations that use Pass-through Authentication (PTA),” although users without Azure AD passwords are not affected, according to the researchers.

Because the success of a brute-force attack depends heavily on password strength, Secureworks classifies the flaw as “medium” in a draft.

Currently, there are no fixes or workarounds to stop the use of the usernamemixed endpoint. Secureworks points out that multi-factor authentication and conditional access cannot prevent exploitation, as these mechanisms are applied only after successful authentication.

For more information, read the original story in Ars Technica.
