Azure Active Directory bug lets hackers attempt brute force attacks without getting caught

Microsoft says the behaviour is 'by design'

Researchers at the Secureworks Counter Threat Unit (CTU) have published a security advisory warning of a weakness in Microsoft's Azure Active Directory (AD) implementation that could allow threat actors to attempt single-factor brute-force attacks against a user's AD credentials without getting caught.

According to the researchers, these username and password attempts are not logged on the server, leaving admins with little to no visibility into the attackers' malicious actions.

Azure AD is Microsoft's enterprise cloud-based identity and access management (IAM) solution. It is the backbone of Office 365 and can sync with on-premises Active Directory.

The CTU team discovered the flaw in June. It lies in the protocol used by the Azure AD Seamless Single Sign-On (SSO) service, which lets users sign in automatically from corporate devices connected to their organisation's network.

When enabled, users don't need to key in their passwords, or usually even their usernames, to sign in to Azure AD.

According to Microsoft, the feature provides users easy access to their organisation's cloud-based applications without needing any additional on-premises components.

And like many Windows services, Seamless SSO relies on the Kerberos protocol for user authentication.

The CTU researchers said the Azure AD bug allows threat actors to perform single-factor brute-force attacks against Azure AD without those large-scale login attempts being logged in the target organisation's systems. As a result, the attacks go undiscovered.

According to the researchers, most security tools that detect password spraying or brute-force attacks rely on sign-in event logs and look for specific error codes. Having no visibility into the failed login attempts is therefore a serious security issue.
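As an added illustration (not from the advisory or this article), the Python below models that detection gap: a simple password-spray detector over constructed Azure AD sign-in records, using resultType 50126 (Azure AD's "invalid username or password" code) as the error code such tools look for. The "channel" field and the assumption that attempts on the Seamless SSO path leave no sign-in record are simplifications of the advisory's claim.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of login attempts (not real data). "channel" is a
# simplification added here: "signin" attempts produce an Azure AD sign-in
# log record, "seamless_sso" attempts produce none, as the advisory reports.
ATTEMPTS = (
    [{"t": f"2021-09-29T10:{i:02d}:00Z", "user": f"user{i}@example.com",
      "ip": "203.0.113.7", "channel": "signin"} for i in range(8)]
    + [{"t": f"2021-09-29T11:{i:02d}:00Z", "user": f"user{i}@example.com",
        "ip": "198.51.100.9", "channel": "seamless_sso"} for i in range(8)]
)


def to_signin_log(attempts):
    """Model which attempts reach the sign-in log. resultType 50126 is Azure
    AD's 'invalid username or password' code; Seamless SSO attempts are dropped
    (assumption modelling the logging gap described in the advisory)."""
    return [{"createdDateTime": a["t"], "userPrincipalName": a["user"],
             "ipAddress": a["ip"], "resultType": "50126"}
            for a in attempts if a["channel"] == "signin"]


def detect_password_spray(log, min_users=5, window=timedelta(minutes=10)):
    """Return {ip: sorted users} for source IPs with failed logins (50126)
    against at least min_users distinct accounts inside any sliding window."""
    failures = defaultdict(list)
    for rec in log:
        if rec["resultType"] == "50126":
            ts = datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
            failures[rec["ipAddress"]].append((ts, rec["userPrincipalName"]))
    hits = {}
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for ts, u in events[i:] if ts - start <= window}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits


if __name__ == "__main__":
    # Only the spray that produced sign-in records is detected; the same
    # spray through the unlogged path is invisible to this detector.
    print(detect_password_spray(to_signin_log(ATTEMPTS)))
```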

The CTU team says it notified Microsoft about the flaw in June; Microsoft confirmed the behaviour but said it was 'by design'.

And it is not only the Seamless SSO service that is exposed to brute-force attacks. Cyber actors may also abuse the weakness in any other Azure AD or Microsoft 365 environment, including those that use Pass-through Authentication (PTA).

Because Microsoft considers the weakness a design choice, it remains unclear whether the company will fix it.

Last month, CTU researchers said that an investigation carried out in May had found a bug in the protocol used by the Azure Active Directory (AD) Connect Health agent for AD Federation Services (AD FS) to send AD FS sign-in events to Azure AD.

The researchers noted that a threat actor with local administrator access to the AD FS server could exploit that flaw to tamper with Azure AD sign-in log events, or to pollute the sign-in log with fake events to hide unauthorised authentication.

Earlier this month, Microsoft released a security update to plug a hole in its Azure Container Instances (ACI) service that could have allowed malicious actors to access customers' information.