Let’s be honest, the laundry list of passwords you have, both personally and professionally, is a pain. Maybe, to make things quicker and easier (and we hope this is NOT the case), you’ve chosen to use the same password, or a derivative of it, for multiple logins. We beg you… DON’T DO THIS! If this is you, that password has probably already been leaked, and an attacker may guess it in the first few tries (check your addresses at https://haveibeenpwned.com/).
On the flip side, maybe you have stepped up your password game and stopped using “1234” and “password” long ago. Maybe you use a password manager and your business requires 2FA or MFA. All of this is GREAT!
But what happens when hackers can bypass your efforts?
If you use Microsoft Azure Active Directory (Azure AD) Seamless SSO, attackers may be able to do just that: brute-force a user’s Azure AD password with single-factor requests that never show up in your sign-in logs. A newly disclosed flaw in Azure AD lets an attacker keep guessing passwords against the autologon endpoint without the failed attempts being recorded, leaving admins with little or no visibility into the attacker’s actions and no easy way to block them.
How is this possible?
Azure AD Seamless SSO lets users on domain-joined devices authenticate without being prompted for their credentials. To streamline the user experience in enterprise environments, several protocols and services validate the user’s authentication behind the scenes. In a perfect world this runs smoothly and the user simply sees one less login prompt.
The problem lies in the autologon service that backs Seamless SSO. Alongside the windowstransport endpoint that domain-joined Windows clients use, the service exposes a usernamemixed endpoint that accepts a username and password directly. The service checks those credentials against Azure AD; if they match, it returns an authentication token (DesktopSSOToken) that the client then presents to Azure AD to complete sign-in. If they do not match, it returns an error code instead. Those error codes tell the caller exactly why the attempt failed, and because failed attempts against this endpoint are not written to the Azure AD sign-in logs, an attacker can guess passwords repeatedly without leaving a trace for defenders.
Is exploitation limited to Seamless SSO users?
No. “The exploit affects everyone using Azure AD including O365 users that are utilizing the Seamless Sign On feature,” comments Rick Mutzel, Security and Compliance Officer for Omega Systems. Threat actors can exploit the autologon usernamemixed endpoint in any Azure AD or Microsoft 365 organization, including organizations that use Pass-through Authentication (PTA).
As of today (Oct. 1, 2021), there is no known fix or workaround for this vulnerability, and it remains unclear if or when Microsoft will address it. Organizations using Azure AD, with or without Seamless SSO, should assume they are exposed to stealthy brute-force attacks against user passwords.
Omega Systems Suggests
Omega Systems suggests updating your passwords following password-hygiene best practices. MFA and 2FA normally top our list, and we still urge you to use them: they stop an attacker from completing a sign-in with a guessed password. In this particular scenario, though, they do not stop the guessing itself, because the vulnerable endpoint checks only the password, so a weak password will still be found. In addition, we suggest:
- Stay away from easy passwords such as “1234” and “password”, which top every list of cracked passwords. Rule of thumb: “If you can remember it, change it.”
- Use pass-phrases instead of passwords.
Example: Instead of “Muffins1234”, consider “IL0v3MyDoGMuffins!”. Length is what makes the pass-phrase strong; cracking tools try the common letter-for-digit substitutions automatically, so treat them as a bonus, not a substitute for length.
- Avoid reusing passwords or simple variants of the same password.
Example of what not to do: ForTheWin, ForTheWin1, ForTheWin2, etc.
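The three suggestions above can be enforced automatically. The script below is an added example written for this post, not Omega Systems’ code or anything Microsoft ships: it rejects a new password that is a simple variant of an old one (the ForTheWin / ForTheWin2 pattern), insists on pass-phrase length, and checks the candidate against Have I Been Pwned’s Pwned Passwords range API (https://api.pwnedpasswords.com/range/<prefix>) using k-anonymity, so only the first five hex characters of the SHA-1 ever leave your machine. The 14-character minimum, the function names, and the SAMPLE_RANGE bucket are assumptions made for the example; the sample bucket is constructed so the script runs offline.

```python
import hashlib
import re
import urllib.request

# Undo the leet substitutions that cracking rule sets already expect
# (0->o, 1->i, 3->e, 4->a, 5->s, 7->t, @->a, $->s).
LEET = str.maketrans("013457@$", "oieastas")

# Minimum pass-phrase length. Assumption for this example; the post gives no number.
MIN_LENGTH = 14


def normalize(password: str) -> str:
    """Reduce a password to its letter skeleton so simple variants compare equal:
    strip leading/trailing digits and symbols (the 'ForTheWin2' trick), undo
    interior leet, lowercase, drop anything else. Heuristic only."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    core = core.translate(LEET).lower()
    core = re.sub(r"[^a-z]", "", core)
    # An all-digit password like '1234' has no letter skeleton; use the raw value.
    return core or password.lower()


def is_variant(candidate: str, previous: list) -> bool:
    """True if candidate equals a previous password or a simple variant of one."""
    key = normalize(candidate)
    return any(key == normalize(p) for p in previous)


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def hibp_range(prefix: str) -> str:
    """Fetch one k-anonymity bucket from Pwned Passwords (live network call).
    Only the five-character prefix is sent; matching happens locally."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range=hibp_range) -> int:
    """How many times the password appears in breach data (0 if never)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        found, _, count = line.strip().partition(":")
        if found.upper() == suffix:
            return int(count or 0)   # padded responses may carry ':0' entries
    return 0


def check_password(candidate: str, previous: list, fetch_range=hibp_range) -> list:
    """Return the reasons to reject candidate; an empty list means it passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters; use a pass-phrase")
    if is_variant(candidate, previous):
        problems.append("same as, or a simple variant of, a previous password")
    hits = pwned_count(candidate, fetch_range)
    if hits:
        problems.append(f"seen {hits} times in breach data; attackers will try it")
    return problems


# Constructed stand-in for the bucket the API returns for prefix 5BAA6, which
# holds SHA-1("password"). The counts are illustrative, not live data.
SAMPLE_RANGE = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
    "0123456789ABCDEF0123456789ABCDEF012:7\n"
)


if __name__ == "__main__":
    offline = lambda prefix: SAMPLE_RANGE   # swap in hibp_range for a live check
    history = ["ForTheWin", "Muffins1234"]   # constructed password history
    for pw in ["password", "ForTheWin2", "IL0v3MyDoGMuffins!"]:
        print(pw, "->", check_password(pw, history, offline) or "OK")
```

Run stand-alone it evaluates the post’s own examples against the constructed bucket: “password” is rejected as short and breached, “ForTheWin2” as short and a variant of “ForTheWin”, and “IL0v3MyDoGMuffins!” passes. Pass hibp_range instead of the offline lambda to query the real service; the full password hash never leaves the machine either way.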