Researchers at Secureworks have issued a warning over a flaw in Microsoft’s Azure Active Directory (Azure AD) that allows threat actors to tamper with conditional access policies (CAPs).
Analysis from Secureworks’ Counter Threat Unit found that the vulnerability enabled an attacker to install backdoors, modify access rights to bypass multi-factor authentication (MFA), and block admin access.
The flaw also allowed attackers to gather information on policy configurations to support and launch future attacks, researchers noted.
Azure AD is Microsoft’s cloud-based identity and access management service. The premium version of Azure AD also supports CAPs that grant - or block - access based on certain criteria, such as device compliance or user location.
“Azure AD stores the settings for the authentication methods and CAPs. CAPs can be modified via the Azure AD portal, PowerShell, and API calls,” researchers said.
In May 2022, researchers investigated which APIs allow editing of CAP settings and identified three:
- The legacy Azure AD Graph (also known as AADGraph)
- Microsoft Graph
- An “undocumented” Azure IAM API
AADGraph was the only API that allowed modification of all CAP settings, including metadata.
This capability could allow admins to tamper with all CAP settings, including the creation and modification timestamps.
RELATED RESOURCE
Modifications made using AADGraph are not properly logged, which researchers warned “endangers integrity and non-repudiation of Azure AD policies”.
“The API does not properly log changes, and the lack of an audit trail breaks integrity and non-repudiation of CAPs,” researchers said. “As a result, organizations cannot trust CAP information shown in the Azure AD portal or in directory audit logs.”
CTU researchers shared their findings with Microsoft in May 2022, and the tech giant confirmed the findings a month later. However, SecureWorks revealed that Microsoft stated “that it is expected behavior”.
In May this year, Microsoft notified CTU researchers of planned changes to improve audit logs and restrict CAP updates via AADGraph.
Microsoft said these changes will “improve audit logs to reflect the type of policy being updated when CA policies are updated through AADGraph”.
The firm added that AADGraph is “set to be retired” and that admins will be prevented from making updates to CA policies.
Nestori Syynimaa, senior principal security researcher at SecureWorks CTU, said that a concerning aspect of this vulnerability is that Azure AD “isn’t locked properly”, enabling attackers to see policy configurations potentially exploit the flaw.
“This means that any user can see policy configurations, and anyone with admin rights can make modifications that are not logged properly,” he said.
“If you have a rogue admin, or an admin’s credentials have been compromised by a threat actor, then they can make damaging changes such as turning off access controls, blocking access, and editing rules.”
Syynimaa noted that a threat actor could hypothetically access “any number of systems and create backdoors”, making remediation difficult in the event that this vulnerability was exploited.
-
Security experts issue warning over the rise of 'gray bot' AI web scrapersNews While not malicious, the bots can overwhelm web applications in a way similar to bad actors
-
Does speech recognition have a future in business tech?Once a simple tool for dictation, speech recognition is being revolutionized by AI to improve customer experiences and drive inclusivity in the workforce
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to knowNews Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
-
Researchers claim an AMD security flaw could let hackers access encrypted dataNews Using only a $10 test rig, researchers were able to pull off the badRAM attack
-
A journey to cyber resiliencewhitepaper DORA: Ushering in a new era of cyber security
-
A new framework for third-party risk in the European Unionwhitepaper Report: DORA and cyber risk
