Windows 365 Cloud PC could reveal Azure credentials to hackers

An open-source tool can take advantage of the previously-disclosed PrintNightmare bug to steal credentials in plaintext

Microsoft announced general availability of its new Windows 365 Cloud PC service earlier this month, and now a security researcher claims to have discovered a bug that malicious actors could exploit to extract users' Azure credentials in unencrypted plain text.

Benjamin Delpy said he used the open-source Mimikatz software - which he created - to extract Azure credentials from Windows 365.

In a video posted on Twitter, Benjamin showed how anyone with access to a user's system can steal their Azure password.

Delpy told Bleeping Computer that Microsoft offered him a free trial of the Windows 365 service, and he used the account to test the service's security. He said Windows 365 failed to stop Mimikatz from extracting the Microsoft Azure email address and passwords, in plaintext, for logged-in users.

The exploit took advantage of another security bug, called PrintNightmare, which he also discovered earlier this year.

Delpy said Mimikatz, after exploiting the PrintNightmare bug, enabled him to dump the credentials into a Terminal Server.

While a user's Terminal Server credentials are encrypted when stored in memory, Delpy said he could trick the Terminal Service process into decrypting them for him.

Bleeping Computer also tested the Windows 365 vulnerability using a Windows 365 trial account and found it exposing Azure credentials.

While the vulnerability requires administrative privileges to exploit, it is still concerning for users.

Delpy said he would normally recommend using security features such as two-factor authentication (2FA), Windows Hello, smart cards and Windows Defender Remote Credential Guard to protect credentials. However, these features are not yet available in Windows 365.

Microsoft announced Windows 365 on 2nd August, saying it would enable users to connect to an always-on cloud PC from anywhere with an internet connection, via a browser.

Microsoft designed Windows 365 Cloud PC to fulfil the growing demands of hybrid work environments, with employees dividing their time between the office and home.

It offers a computing experience through a web browser or a native app, on any device with an active Internet connection.

Pricing for the subscription-based service starts at $20 per user per month, and goes up to $158.

The entry-level $20 per user per month Business plan provides a Cloud PC with a single virtual core, 2 GB of RAM and 64 GB of storage. It requires the Windows Hybrid Benefit.

Those without an existing licence will pay $4 more per user per month.

The most expensive $158 per user per month option ($162 without an existing licence) provides 8 virtual cores, 32 GB of RAM, and 512 GB of storage.