Microsoft Azure’s Active Directory (AD) has a new bug that allows threat actors to brute-force their way in. The login attempts that stack up during such attacks don’t register on the system.
According to Ars Technica, a group of researchers at Secureworks Counter Threat Unit discovered the bug in June 2021. They detected it in the Azure AD Seamless Single Sign-on (SSO) service. Essentially, it allows threat actors to try to enter the system as many times as they want without being noticed.
The researchers notified Microsoft in the same month. Microsoft responded a month later, claiming that this was by design. As such, it’s unclear whether it will fix the flaw at all.
Microsoft Azure is a popular cloud hosting provider, so many customers are potentially at risk. Secureworks notified its clients about the threat by email, rating it a medium risk.
Importance of Passwords
The risk depends on the strength of the password of the targeted account. This explains why Secureworks labeled it a medium threat.
If a password is sufficiently complex, like one generated by a password manager, the risk isn’t as great. What is troubling, however, is that the vulnerability can aid attackers by giving them hints.
When a user attempts to log in, the system checks their credentials against its records. If they are correct, the login succeeds. If they aren’t, it displays an error message, which can guide the attacker. Some examples are “This user doesn’t exist,” “This user exists, but the wrong password was entered,” and so on.
A threat actor with a lot of time and patience could figure out the correct user names and then work through passwords until they get in. They would then have access to any number of services, such as cloud storage, and their contents.
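The following sketch is an added example, not Microsoft's or Secureworks' code. It contrasts a login check that returns the distinct error messages quoted above and records nothing with one that returns a single generic error, logs every attempt and locks the account after repeated failures. The LoginService class, its method names and the threshold of five failures are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 5  # assumed lockout threshold for this sketch


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginService:
    """Toy credential store; all names here are hypothetical."""

    def __init__(self):
        self.users = {}      # username -> (salt, password hash)
        self.failures = {}   # username -> consecutive failed attempts
        self.audit_log = []  # every attempt is recorded, success or failure
        self._dummy = (os.urandom(16), os.urandom(32))

    def add_user(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, _hash(password, salt))

    def login_leaky(self, username, password):
        # The behaviour the article describes: distinct errors, nothing logged.
        if username not in self.users:
            return "This user doesn't exist"
        salt, stored = self.users[username]
        if not hmac.compare_digest(_hash(password, salt), stored):
            return "This user exists, but the wrong password was entered"
        return "OK"

    def login_hardened(self, username, password):
        # Unknown users are hashed against a dummy record so that the work
        # done, and the answer given, match those of a wrong password.
        salt, stored = self.users.get(username, self._dummy)
        locked = self.failures.get(username, 0) >= MAX_FAILURES
        match = hmac.compare_digest(_hash(password, salt), stored)
        ok = match and username in self.users and not locked
        if ok:
            self.failures[username] = 0
        else:
            self.failures[username] = self.failures.get(username, 0) + 1
        self.audit_log.append((username, "success" if ok else "failure"))
        return "OK" if ok else "Invalid username or password"
```

A production system would also expire the failure counter after a cooling-off period and alert on bursts of failures in the audit log.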
While the vulnerability was found in SSO, it is not limited to organizations that use it. Any Azure AD or Microsoft 365 customers are at risk. That said, two-factor authentication should mitigate the problem.
Microsoft has not yet provided any further information on why this is a design choice. Therefore, organizations at risk should do all they can to secure their systems.