Researchers at Secureworks Counter Threat Unit (CTU) have discovered a flaw in the protocol used by Azure Active Directory Seamless Single Sign-On Service (SSO). The usernamemixed endpoint utilized in Microsoft’s Seamless SSO authentication route, as well as other authentication methods like Pass-Through Authentication (PTA), have been confirmed as allowing brute-force attacks (repeated login attempts) without logging. If authentication fails, an error message is generated that could also aid an attacker in performing undetected brute-force attacks.
The primary issue is that the autologon service’s authentication step to Azure AD is not logged, which allows repeated login attempts. Therefore, any brute force attack that simply attempts numerous username and password combinations on the usernamemixed endpoint will similarly not be logged. There are no known fixes or workarounds as of the time of writing; Microsoft has stated that the usernamemixed endpoint is enabled for legacy authentication and it does not consider this lack of appropriate logging to require a patch.
Analyst Notes
There have been multiple reports confirming that Microsoft’s recommendation of disabling Seamless SSO is insufficient. While Multi-Factor Authentication (MFA) and conditional access policies will not mitigate the issue, these security controls will help prevent unauthorized access of Active Directory resources. It is important to ensure that MFA and conditional access policies are enabled on all resources, otherwise this vulnerability will allow for credential harvesting and access into resources that do not have these security controls applied. A robust post-exploitation framework that includes threat hunting for credential abuse and lateral movement TTPs is highly recommended in today’s threat environment for any organization’s network.
Reference:
https://twitter.com/nathanmcnulty/status/1443004296224665600?s=21
https://arstechnica.com/information-technology/2021/09/new-azure-active-directory-password-brute-forcing-flaw-has-no-fix/
