PoC exploit released for Azure AD brute-force bug—here’s what to do

Enlarge (credit: Michael Dziedzic)

A public proof-of-concept (PoC) exploit has been released for the Microsoft Azure Active Directory credentials brute-forcing flaw discovered by Secureworks and first reported by Ars. The exploit enables anyone to perform both username enumeration and password brute-forcing on vulnerable Azure servers. Although Microsoft had initially called the Autologon mechanism a “design” choice, it appears, the company is now working on a solution.

PoC script released on GitHub

Yesterday, a “password spraying” PoC exploit was published for the Azure Active Directory brute-forcing flaw on GitHub. The PowerShell script, just a little over 100 lines of code, is heavily based on previous work by Dr. Nestori Syynimaa, senior principal security researcher at Secureworks.

POC just popped for the SSO spray https://t.co/Ly2AHsR8Mr

— rvrsh3ll (@424f424f) September 29, 2021

According to Secureworks’ Counter Threat Unit (CTU), exploiting the flaw, as in confirming users’ passwords via brute-forcing, is quite easy, as demonstrated by the PoC. But, organizations that use Conditional Access policies and multi-factor authentication (MFA) may benefit from blocking access to services via username/password authentication. “So, even when the threat actor is able to get [a] user’s password, they may not be [able to] use it to access the organisation’s data,” Syynimaa told Ars in an email interview.

Read 10 remaining paragraphs | Comments