Azure CLI Password Spray Campaign Compromises Microsoft Accounts Through Legacy OAuth Flow

Cybersecurity researchers have identified a large-scale, automated password spray campaign targeting the Microsoft Azure command-line interface (Azure CLI), resulting in the compromise of at least 78 Microsoft user accounts across 64 organizations. According to Huntress, the activity occurred between June 12 and June 26, during which the threat actors launched more than 81 million login attempts against Azure environments. Researchers said the attacks originated primarily from the IPv6 range 2a0a:d683::/32, which belongs to the internet infrastructure provider LSHIY LLC under Autonomous System AS32167. The campaign did not appear to focus on any particular industry or business sector. Instead, Huntress found that targets were selected based on the presence of their usernames and passwords in previously leaked credential combination lists, making any organization with reused or unrotated credentials a potential target regardless of its size or line of business.

Researchers noted that one of the most significant aspects of the campaign was its ability to compromise accounts even in environments where Conditional Access Policies had been deployed. The attackers achieved this by exploiting Resource Owner Password Credentials (ROPC), a legacy OAuth 2.0 authentication flow that has since been removed in OAuth 2.1. ROPC allows users to submit a username and password directly to a client application, which then exchanges those credentials for an access token from the authorization server without any interactive login. Microsoft has consistently advised organizations against using this flow because it is incompatible with multi-factor authentication and requires a high level of trust in the client application; according to Microsoft, more secure authentication methods are available and should be adopted wherever possible. Huntress explained that because ROPC bypasses the standard authorization endpoint where Conditional Access Policies are typically enforced, the attackers were able to circumvent security controls that had not been configured to cover Azure CLI logins made through this legacy authentication mechanism.

The campaign showed a gradual increase in successful compromises throughout the observed period. Between June 12 and June 21, researchers recorded an average of two to four compromised accounts per day, with June 19 seeing 12 successful account compromises. Activity increased sharply on June 22, when attackers compromised 30 user identities across 23 organizations in a single day. Overall, Huntress confirmed 78 compromised user accounts affecting 64 organizations. Most malicious login attempts originated from infrastructure linked to LSHIY LLC, although some source addresses were traced to the United States and others resolved to China. Huntress also reported a sharp rise in credential spray activity across its customer base, stating that such attacks have grown by more than 155 times in recent months. The company observed that customers now experience an average of approximately 1,964 failed credential attacks per month for each protected tenant, with activity increasing noticeably from late May through early June.

According to Huntress, the attackers primarily relied on old username and password combinations that had previously been exposed in data breaches but were never changed by the affected users or organizations. Researchers identified several common security configuration gaps that enabled successful compromises despite the presence of multi-factor authentication. These included applying multi-factor authentication only to selected cloud applications rather than all cloud applications, limiting protection to administrative user groups, and triggering authentication challenges only when login attempts originated from untrusted locations. Huntress also found that eight of the organizations affected during the campaign had no multi-factor authentication policy enabled at all. The company emphasized that the findings should not be interpreted as evidence that multi-factor authentication is ineffective. Instead, organizations should ensure that Conditional Access Policies are configured to cover all users, all cloud applications, and all client application types, while restricting Azure CLI access for non-administrative users where appropriate. Researchers added that legacy authentication methods such as ROPC should be eliminated because they create security gaps that allow credential-based attacks to bypass improperly configured access controls and gain unauthorized access to enterprise cloud environments.
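As an added illustration of how a defender might hunt for this pattern in their own sign-in logs (this is example code written for this article, not Huntress's tooling), the script below runs over a handful of constructed sign-in records modelled on Entra ID sign-in log fields (appDisplayName, authenticationProtocol, authenticationRequirement, conditionalAccessStatus, ipAddress, status.errorCode). It flags source addresses with repeated Azure CLI ROPC failures, checks them against the 2a0a:d683::/32 range named in the report, and lists ROPC successes that were granted with single-factor authentication and no Conditional Access evaluation, which is exactly the gap described above. The field names and the sample values are assumptions for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample records (not real log data); field names follow the
# Entra ID sign-in log schema as an assumption for this example.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.test", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "ropc", "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "ipAddress": "2a0a:d683:1::10",
     "status": {"errorCode": 50126}},  # 50126: invalid username or password
    {"userPrincipalName": "alice@example.test", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "ropc", "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "ipAddress": "2a0a:d683:1::10",
     "status": {"errorCode": 50126}},
    {"userPrincipalName": "carol@example.test", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "ropc", "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "ipAddress": "2a0a:d683:1::10",
     "status": {"errorCode": 50126}},
    {"userPrincipalName": "bob@example.test", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "ropc", "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "ipAddress": "2a0a:d683:1::10",
     "status": {"errorCode": 0}},  # password guessed, no MFA, no CA policy applied
    {"userPrincipalName": "dave@example.test", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "ropc", "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "ipAddress": "203.0.113.5",
     "status": {"errorCode": 50126}},  # single failure: below the spray threshold
    {"userPrincipalName": "erin@example.test", "appDisplayName": "Azure Portal",
     "authenticationProtocol": "oAuth2", "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 0}},  # normal interactive login, ignored
]

REPORTED_RANGE = ipaddress.ip_network("2a0a:d683::/32")  # range named in the report

def in_reported_range(ip):
    """True if ip falls inside the IPv6 range attributed to the campaign."""
    try:
        return ipaddress.ip_address(ip) in REPORTED_RANGE
    except ValueError:
        return False

def analyze(signins, fail_threshold=3):
    """Summarise Azure CLI ROPC activity: spray sources and unprotected successes."""
    failures = Counter()
    exposed = []
    for s in signins:
        if s.get("appDisplayName") != "Microsoft Azure CLI" or s.get("authenticationProtocol") != "ropc":
            continue
        if s.get("status", {}).get("errorCode", 0) != 0:
            failures[s["ipAddress"]] += 1
        elif (s.get("authenticationRequirement") == "singleFactorAuthentication"
              and s.get("conditionalAccessStatus") == "notApplied"):
            exposed.append((s["userPrincipalName"], s["ipAddress"]))  # ROPC success with no MFA/CA
    spray_sources = {ip: n for ip, n in failures.items() if n >= fail_threshold}
    return {"spray_sources": spray_sources,
            "from_reported_range": sorted(ip for ip in spray_sources if in_reported_range(ip)),
            "ropc_success_without_mfa": exposed}
```

Against real data, the records would come from the Entra sign-in logs export rather than the inline sample, and any entry in ropc_success_without_mfa is a candidate for immediate credential reset and token revocation.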
