
Microsoft Whistleblower and Clients Warned, More Than 2 Years Ago in Fact, About the Current Azure Mess (But Microsoft Ignored Those Warnings, Buried Facts)

This article is reproduced with a foreword about how Microsoft's staff were forewarned (and ignored the warnings). As usual, when it comes to Azure, Microsoft just ignores security-related issues because security is not an actual goal. We saw that again very recently. "Covered this a few years ago," Mitchel Lewis told us, citing new reports such as this one.

[Image: "New Azure Active Directory password brute-forcing flaw has no fix" | Ars Technica (this is in the news now)]

"My article from two years ago," he added, already cautioned about it. We reproduce it below in full with permission from Mitchel Lewis.




How Azure AD Could Be Vulnerable to Brute-Force and DOS Attacks



[Image: Azure walking]

MICROSOFT'S Azure AD is the de facto gatekeeper of Microsoft cloud solutions such as Azure, Office 365, and Enterprise Mobility. As an integral component of their cloud ecosystem, it is serving roughly 12.8 million organizations, 950+ million users worldwide, and 90% of Fortune 500 companies on a growing annual basis. Given such a resume, one might presume that Azure Active Directory is secure, but is it?



[Image: Microsoft Azure AD] Source: https://www.microsoft.com/en-us/microsoft-365/blog/2017/11/13/how-organizations-are-connecting-their-on-premises-identities-to-azure-ad/

Despite Microsoft itself proclaiming “Assume Breach” as the guiding principle of their security strategy, if you were to tell me a week ago that Azure or Office 365 was vulnerable to rudimentary attacks and that it could not be considered secure, then I probably would have laughed you out of the room. But when a client of ours recently had several of their Office 365 mailboxes compromised by a simple brute-force attack, I was given no alternative but to question the integrity of Azure AD as a whole instead of attributing the breach to the services merely leveraging it, and what I found wasn’t reassuring.

After a simple “Office 365 brute force” search on Google, and without even having to write a line of code, I found that I was late to the party and that Office 365 is indeed susceptible to brute force and password spray attacks via remote PowerShell (RPS). It was further discovered that these vulnerabilities are actively being exploited on a broad scale while remaining incredibly difficult to detect during or after the fact. Skyhigh Networks named this sort of attack “Knock Knock” and went so far as to estimate that as many as 50% of all tenants are actively being attacked at any given time. Even worse, it seems as if there is no way to correct this within Azure AD without consequently rendering yourself open to denial of service (DOS) attacks.
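The two attack shapes described above (a password spray across many accounts and a brute force against one) leave different fingerprints in sign-in logs, even when the guesses themselves are never throttled. This is an added example, not code from the article: the records are constructed, the field names follow the Azure AD sign-in log schema as an assumption, and error code 50126 is Azure AD's "invalid username or password" result.

```python
"""Flag password-spray and brute-force patterns in Azure AD-style sign-in
records. Added example; sample records are constructed and the schema
(createdDateTime, userPrincipalName, ipAddress, clientAppUsed, status.errorCode)
is assumed to mirror the Azure AD sign-in log export."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

INVALID_CREDENTIALS = 50126  # Azure AD: invalid username or password


def _max_in_window(events, window, distinct):
    """events: (time, value) pairs sorted by time. Return the largest number
    of events (or of distinct values, if `distinct`) inside any span of
    length `window`, using a two-pointer sliding window."""
    counts = Counter()
    best = start = 0
    for end, (t, value) in enumerate(events):
        counts[value] += 1
        while events[start][0] < t - window:      # drop events that fell out of the window
            old = events[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts) if distinct else end - start + 1)
    return best


def detect_attacks(records, window=timedelta(minutes=30),
                   spray_users=5, brute_attempts=10):
    """Return alerts as (kind, subject, count) tuples.
    spray: one source IP fails against >= spray_users distinct accounts in a window.
    brute force: one account collects >= brute_attempts failures in a window."""
    failures = sorted(
        (datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00")),
         r["userPrincipalName"].lower(), r["ipAddress"])
        for r in records if r["status"]["errorCode"] == INVALID_CREDENTIALS)
    by_ip, by_user = defaultdict(list), defaultdict(list)
    for t, user, ip in failures:
        by_ip[ip].append((t, user))
        by_user[user].append((t, ip))
    alerts = []
    for ip, events in by_ip.items():
        n = _max_in_window(events, window, distinct=True)
        if n >= spray_users:
            alerts.append(("password_spray", ip, n))
    for user, events in by_user.items():
        n = _max_in_window(events, window, distinct=False)
        if n >= brute_attempts:
            alerts.append(("brute_force", user, n))
    return alerts


def sample_records():
    """Constructed log: a spray over eight accounts from one IP, a brute force
    against one admin account from another, and an ordinary user typo."""
    base = datetime(2019, 11, 18, 3, 0, tzinfo=timezone.utc)

    def rec(offset_s, user, ip, code=INVALID_CREDENTIALS):
        when = (base + timedelta(seconds=offset_s)).isoformat().replace("+00:00", "Z")
        return {"createdDateTime": when, "userPrincipalName": user, "ipAddress": ip,
                "clientAppUsed": "Exchange Online PowerShell",  # assumed value for RPS sign-ins
                "status": {"errorCode": code}}

    records = [rec(60 * i, f"user{i}@example.com", "203.0.113.7") for i in range(8)]
    records += [rec(10 * i, "admin@example.com", "198.51.100.9") for i in range(12)]
    records += [rec(500, "alice@example.com", "192.0.2.10"),
                rec(530, "alice@example.com", "192.0.2.10", code=0)]  # typo, then success
    return records


if __name__ == "__main__":
    for alert in detect_attacks(sample_records()):
        print(alert)
```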

[Image: PowerShell brute-force] Source: https://cssi.us/office-365-brute-force-powershell/

In fact, this sort of attack is so prevalent that it happens to be one of the biggest threats to cloud tenant security at Microsoft according to Mark Russinovich (CTO of Azure), and it is among several reasons that Microsoft itself advises its customers to enable multi-factor authentication (MFA) for all users and implement the advanced threat intelligence available only at E5 subscription levels or greater; basically requiring companies to give Microsoft more money to secure their own solutions. But MFA also doesn’t impede hackers from cracking passwords or protect businesses from a DOS attack, nor does it help those that are unaware of its necessity, as many tenants are at present.

[Image: Exchange and PowerShell] Source: https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/mfa-connect-to-exchange-online-powershell?view=exchange-ps

Further, since RPS does not work with deferred authentication (DAP) and MFA, partners consisting of consultants, managed services and support providers also cannot use their partner credentials to connect to the tenants of their clients via RPS for advanced administration and scripting. Even though they can easily manage their clients via a browser-based admin center with MFA, they often have to resort to creating admin accounts within the Office 365 tenant itself instead; others do so simply for ease of access to the admin console or for when they are not the Partner of Record. These accounts are precisely what many of these attacks are targeting, often unbeknownst to admins, and Deloitte’s breach is a perfect example of such a scenario.

Unfortunately, these accounts are often stripped of MFA security to make them more convenient and accessible for the multitude of support and operations staff to use while working for various companies offering support services, and they seldom expire or change upon company exit. By default in Office 365, and on top of being vulnerable to being cracked and breached, the password expiration policy is set to a 730-day expiration or disabled altogether, rendering accounts vulnerable to a prolonged breach at that. Needless to say, they are ripe for attack, and this exact scenario is what enabled a hacker to have unabridged administrative access to Deloitte’s Exchange Online tenant for 6+ months.

[Image: Azure panel]

Complicating matters even further, the natural solution to this problem renders the tenant vulnerable to DOS attacks by virtue of being able to lock users out of their accounts for a fixed duration imposed by Azure AD, and that feature is still in preview. For example, by default Azure AD Smart Lockout (Preview) is configured to allow 10 password attempts before subjecting the account to a 60-second lockout, giving attackers a theoretical limit of 14,400 attempts per account per day. You could decrease the threshold to 5 and increase the duration to 5 minutes to protect against breaches, reducing attempts to 1,440 per day, but this would create the potential for downtime for users whenever their accounts are being attacked with brute force and password spray attacks.

[Image: More brute-force PowerShell] Source: https://cssi.us/office-365-brute-force-powershell/

However, Tyler Rusk at CSSI also called out that Microsoft doesn’t seem to throttle or limit authentication attempts made through RPS. As shown, Tyler was able to surpass the theoretical 14,400-per-day limit listed for Azure AD Smart Lockout Preview without added logic, moving at a rate of 48,000 per day had he let it run for a 24-hour period, or an estimated 17,520,000 attempts over 365 days. However, there are obvious ways to optimize these efforts even further via background jobs (the Start-Job cmdlet), essentially running attacks asynchronously instead of synchronously while optimizing for custom lockout limits, max attempts, and minimal detection. The possibilities are endless with regard to password spray attacks for obvious reasons. To be fair to Tyler and CSSI though, and in my opinion, they didn’t need to leverage such measures to validate their concern.

If their lockout feature were to work, though, and if you were able to reduce the threat surface in the manner above, you would then have to contend with the hard countdown of the lockout duration. It’s immutable, which means that users have to wait for it to expire in order to render the account accessible again; the unlock cannot be expedited administratively at present. As such, it can just as easily result in an intentional DOS against end users, or an unintentional one, while also running the possibility of exposing the attack; that is, when/if it starts actually working. Obviously protecting from breach takes precedence over downtime, but becoming prone to DOS attacks is hardly a consolation prize.
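The trade-off in the two paragraphs above (a tighter lockout shrinks the attacker's daily guess budget but turns a sustained attack into downtime for the account's real owner, with no administrative unlock) can be put in numbers. This is an added example, not the article's code, and its lockout semantics are a simplifying assumption: after `threshold` failures the account locks for `duration_s` seconds, guesses made during the lock are dropped without extending it, and the failure counter resets when the lock starts.

```python
"""Model the Smart Lockout trade-off: guesses an attacker gets through per day
versus time the legitimate owner is locked out under a sustained attack.
Added example with simplified lockout semantics (see the lead-in)."""
from dataclasses import dataclass

SECONDS_PER_DAY = 24 * 60 * 60


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int    # failed attempts allowed before the account locks
    duration_s: int   # lockout duration in seconds

    def max_attempts_per_day(self) -> int:
        """Theoretical ceiling on guesses per account per day: the article's
        14,400 for 10 attempts / 60 s and 1,440 for 5 attempts / 300 s."""
        return self.threshold * (SECONDS_PER_DAY // self.duration_s)


@dataclass(frozen=True)
class AttackOutcome:
    guesses_accepted: int       # guesses that actually reached password validation
    seconds_locked: int         # time during the day the owner could not sign in
    user_logins_blocked: tuple  # the owner's sign-in times that landed in a lockout


def simulate_sustained_attack(policy, attack_interval_s, user_login_times_s=()):
    """Replay one day of a single account receiving one bad guess every
    `attack_interval_s` seconds, and record when the real owner was shut out."""
    if attack_interval_s <= 0:
        raise ValueError("attack_interval_s must be positive")
    t = failures = accepted = locked_until = 0
    lock_intervals = []                           # [start, end) spans the account is locked
    while t < SECONDS_PER_DAY:
        if t >= locked_until:                     # no active lock: the guess is evaluated
            accepted += 1
            failures += 1
            if failures >= policy.threshold:
                locked_until = t + policy.duration_s
                lock_intervals.append((t, locked_until))
                failures = 0
        t += attack_interval_s
    seconds_locked = sum(min(end, SECONDS_PER_DAY) - start
                         for start, end in lock_intervals)
    blocked = tuple(u for u in user_login_times_s
                    if any(start <= u < end for start, end in lock_intervals))
    return AttackOutcome(accepted, seconds_locked, blocked)


DEFAULT = LockoutPolicy(threshold=10, duration_s=60)   # Smart Lockout preview default
STRICT = LockoutPolicy(threshold=5, duration_s=300)    # the tighter setting discussed above

if __name__ == "__main__":
    for policy in (DEFAULT, STRICT):
        out = simulate_sustained_attack(policy, attack_interval_s=2,
                                        user_login_times_s=(10, 30, 78))
        print(policy, "ceiling:", policy.max_attempts_per_day(),
              "accepted:", out.guesses_accepted,
              f"locked {out.seconds_locked / SECONDS_PER_DAY:.0%} of the day",
              "owner blocked at:", out.user_logins_blocked)
```

With a guess every two seconds, the strict policy cuts accepted guesses from about 11,000 to about 1,400 per day but leaves the account locked for roughly 97% of the day, which is the DOS the text warns about.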

[Image: Ned Pyle]

Neither banned passwords nor MFA can protect against DOS or brute-force attacks either, only against the breach itself. In fact, when brute forcing an account protected by MFA, the MFA challenge itself can be treated as confirmation that a valid username and/or password has been cracked. In turn, attackers can then begin to try these credentials in other places which may not be protected by MFA, as users and admins alike tend to keep them as similar as possible across multiple directories so that they’re easy to remember. I’ll defer to Ned Pyle of Microsoft as to whether this applies to his employer and their partners.

Summarizing matters thus far, you can brute force accounts housed in Azure AD via RPS. Obvious solutions for this, such as MFA, customized password blocking, and advanced threat intelligence, are either ineffective, insufficient, or paywalled, and/or generate significantly more overhead in order to offset these vulnerabilities. Further, these solutions are often ignored by lazy admins, consultants, and managed services providers, and many may be oblivious to this threat entirely, possibly even to breaches of their own. Deloitte has proven that this can even hit the best of them.

[Image: Windows 2000 Server]

As offensive as all of this may seem, though, it’s important to remember that AD was never designed to be public facing; quite the opposite. It has actually always been inherently vulnerable to brute-force, password spray, and DOS attacks by design. AD has always been meant to be implemented in conjunction with various other counter-measures in order to maintain its integrity. This includes, but certainly is not limited to, relying on physical security measures such as controlled entry and limiting the ability to access the domain to those that make it past those physical security measures successfully, with the obvious exception of VPN users. This is nothing new.

That said, AD was never, ever, meant to be the sole source of security for IT infrastructure and is fundamentally dependent on other security measures in order to be effective. Consequently, AD becomes markedly more vulnerable when other pre-emptive methods fail or are non-existent. Put simply, such breaches should be the expectation when depending on Azure AD alone for IT security, and this sadly applies to any Office 365 tenant with its default security settings. However, understanding its limitations helps us illuminate ways to harden Azure AD and mitigate these problems just the same.

It almost goes without saying, but none of the measures necessary to patch these vulnerabilities are free to companies leveraging these services at present. Even if Microsoft were to fix this, who is to say that something else just as simplistic and embarrassing isn’t hiding around the corner or already being used? That said, avoiding products backed by a 20-year-old security system streamlined for vendor lock-in seems like a viable way of avoiding this problem in the first place.

[Image: Azure AD] Source: https://www.microsoft.com/en-us/microsoft-365/blog/2017/11/13/how-organizations-are-connecting-their-on-premises-identities-to-azure-ad/

Before anything else, I truly think that the onus is on Microsoft to ensure that their baseline configuration for cloud accounts doesn’t expose their tenants unnecessarily. Sure, we could blame ignorant users and lazy admins, but I don’t think that this is fair given the scope of this vulnerability, which is essentially 46% of Azure AD’s user-base (password hash sync + cloud only = 46%). It is unknown how many have MFA enabled, and the scope of this is ultimately an unknown with regard to those who are vulnerable to it, those actively being attacked, and/or those already breached. But as a former tier 3 support engineer for Exchange Online at Microsoft, I can confirm that a significant number of individuals as well as small-medium businesses are relying on Azure AD exclusively without further counter-measures and that they account for a sizable amount of Office 365’s user-base. That said, telling customers that pay you to secure their mailboxes or to disable basic auth to address this doesn’t cut it.



Microsoft has clearly acknowledged this problem, but rather than hardening their tenants from such attacks as other cloud services have, they have offered solutions only available to their high tier plans so as to capitalize on this problem rather than fixing it. As expensive as they are to migrate away from now, or sticky as they like to call it, their products are just going to become more costly to manage, vulnerable, and difficult to migrate away from over time. This is the malady of any legacy solution.

One easy way for Microsoft to mitigate such attacks is to update their RPS module to support DAP and develop other creative avenues for admins and the like to efficiently and securely manage their clients’ tenants. They should also extend their threat intelligence and advanced customizations available only to costly, high tier license subscribers to all license levels, at least until proper solutions are implemented for all tenant levels.

As an immediate mitigation step though, Microsoft could simply swap the order of authentication. Rather than requiring a password prior to doing a two-step verification on your phone, they could require the phone verification through authenticator app or a third party MFA app such as Duo as the initial means of authentication. By deferring their password in Azure AD as the second step instead of the first, they could buffer its weak password security at present and buy time to implement a proper solution. However, this only applies to users and tenants with MFA enabled and in-use.

[Image: System life span]

Just as Active Directory seems to create necessity for other costly ancillary solutions, Microsoft seems to have built Azure AD to generate further necessity for more costly solutions coincidentally offered by them just the same. On top of this, and if they had their way, their solution to enable MFA would also require employers to buy phones and mobile plans for two-step verification for all of their employees, which can cost more on an annual basis than any of their plans. The same can be said of the costs associated with a proper MFA solution and/or an on-premises or hosted ADFS solution (if none exist), as they drastically complicate the solution as a whole while consequently inflating the ownership costs associated with it. As complexity increases, stability falters while costs skyrocket. All of which is why I recommend avoiding their solutions entirely.

[Image: stickiness-ip-microsoft] Source: https://blogs.partner.microsoft.com/mpn/create-stickiness-with-ip/

But if a company is entrenched with Microsoft products and migration is out of reach, there are options. One solution that companies can implement is ADFS, which defers authentication attempts to your own domain controllers on-premise rather than Azure AD, while immediately granting more granular control of password policies with Active Directory on-premise and as much protection as money can buy on the network layer. All of which can be quite costly from a licensing perspective alone, let alone the hardware, network infrastructure, and labor required to implement it all, to say nothing of the staff to maintain it. Unless implemented in a highly available manner, though, this creates a single point of failure, often on-premise, for a cloud solution.

They can also implement an MFA solution, but there still remains added exposure and vulnerabilities which may require further consideration. But as mentioned before, there are also added costs, and MFA may not protect accounts entirely. Users tend to manually synchronize their passwords across multiple platforms for the sake of remembering them, but not all of those platforms have the same protections, MFA or otherwise. Similar to ADFS, access to your mailbox and other apps is restricted when MFA services are degraded, which also becomes a single point of failure, as shown today by Azure's MFA outage. So if you go with an MFA solution, diversify with a 3rd-party MFA provider.

[Image: Microsoft password policy]

While the existence of dirsync can do little to protect against brute-force attacks, a strong password policy enforced on premise, including a customized banned password list, can be mirrored in the cloud. Customers with dirsync already pay for this functionality with Active Directory on premise and can simply have it mirrored in the accounts synced to the Azure AD forest. Although this cannot protect from brute force, password spray, or denial of service attacks, it can absolutely harden accounts against prolonged breaches.
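A banned password list only hardens accounts if it catches the obvious variants (capitalisation, "@" for "a", "0" for "o") and not just exact matches. The checker below is an added example, not the article's or Microsoft's code: it is a simplified version of the normalise-then-score approach Microsoft documents for Azure AD Password Protection, and the banned lists, substitution table and five-point threshold are constructed assumptions.

```python
"""Normalise a candidate password and score it against a banned-word list, so
that a tenant can mirror its on-premise password policy in the cloud.
Added example; lists, substitutions and threshold are constructed."""

# Undo the substitutions attackers try first (assumed subset of common leetspeak).
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})

# Constructed lists: globally weak words plus words specific to this tenant.
GLOBAL_BANNED = {"password", "letmein", "welcome"}
TENANT_BANNED = {"contoso", "winter", "summer"}


def normalize(password: str) -> str:
    """Lowercase, then map substituted characters back to the letters they mimic."""
    return password.lower().translate(SUBSTITUTIONS)


def score(password: str, banned: set) -> int:
    """One point per banned word found (longest words first, no overlapping
    matches), plus one point per character not covered by a banned word.
    A low score means the password is built mostly from banned material."""
    norm = normalize(password)
    consumed = [False] * len(norm)
    matches = 0
    for word in sorted(banned, key=len, reverse=True):
        start = norm.find(word)
        while start != -1:
            span = range(start, start + len(word))
            if not any(consumed[i] for i in span):   # skip text already claimed by a longer word
                for i in span:
                    consumed[i] = True
                matches += 1
            start = norm.find(word, start + 1)
    return matches + consumed.count(False)


def is_allowed(password: str, tenant_banned=TENANT_BANNED,
               min_points: int = 5, min_length: int = 8) -> bool:
    """Accept only passwords of sufficient length whose score clears the threshold."""
    if len(password) < min_length:
        return False
    return score(password, GLOBAL_BANNED | tenant_banned) >= min_points


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1", "Winter19", "C0ntoso-Winter2019", "Tr0ub4dor&3"):
        print(f"{candidate!r:22} -> {normalize(candidate)!r:22} "
              f"score={score(candidate, GLOBAL_BANNED | TENANT_BANNED):2} "
              f"allowed={is_allowed(candidate)}")
```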

I suppose they could also call support to complain about it and see if they’ll fix it, but you will likely be met by someone difficult to understand without experience on such matters. Or maybe they could even get a technical account manager to yell into the void or possibly even find someone with half of an ass on your behalf if you have deep enough pockets for a premier membership. While you’re at it, maybe you could upgrade your E3 plan to an E5 plan at almost double your monthly cost of E3 just to pay Microsoft to compensate for its own vulnerabilities.

[Image: Microsoft: assume breach]

In summary, Microsoft services built on Azure AD, along with the businesses leveraging them, are vulnerable to brute-force and password spray attacks which can be carried out by anyone with the capacity to run a script in RPS. Also, there isn’t an adequate means of hardening these services without incurring significant financial burden and paying for more of Microsoft’s services. All of which has probably been the case for as long as the ability to access tenants via RPS has been widely available to admins, and it is ultimately why you would be wise to assume breach with Microsoft cloud solutions just as Microsoft does. Entities can absolutely mitigate these vulnerabilities, but Office 365 and Azure would cease to function as true cloud solutions while generating significantly more overhead costs in the process. All things considered, though, it seems as if there is no way to harden Azure AD, or services such as Azure or Office 365 when leveraged by themselves, without incurring significant costs in addition to the aforementioned introduction of further complexity, points of failure, and on-premise dependencies for your cloud architecture.

By default, Azure AD is more of a security problem than a cloud. This is not to say that Azure cannot be made secure, but it comes at a cost while sacrificing cloud resiliencies. Although they advise others to assume breach, Microsoft seems to be omitting this reality from Office 365 and Azure advertisements, and such inconsistencies are indicative of this stance being more of a cop out than a tenable security strategy. Rather than hardening the vulnerabilities inherent to Active Directory and Azure AD which make them susceptible to some of the oldest tricks in the book, Microsoft seems to be attempting to capitalize on them instead while exposing those unaware to a haunting amount of risk.

[Image: Azure: need premium]
