Azure AD vulnerability gave attackers backdoor authentication control
Secureworks shared its findings with Microsoft in 2022, and the company has since issued changes to improve audit logs
Researchers at Secureworks have issued a warning over a flaw in Microsoft’s Azure Active Directory (Azure AD) that allows threat actors to tamper with conditional access policies (CAPs).
Analysis from Secureworks’ Counter Threat Unit found that the vulnerability enabled an attacker to install backdoors, modify access rights to bypass multi-factor authentication (MFA), and block admin access.
The flaw also allowed attackers to gather information on policy configurations to support and launch future attacks, researchers noted.
Azure AD is Microsoft’s cloud-based identity and access management service. The premium version of Azure AD also supports CAPs that grant - or block - access based on certain criteria, such as device compliance or user location.
“Azure AD stores the settings for the authentication methods and CAPs. CAPs can be modified via the Azure AD portal, PowerShell, and API calls,” researchers said.
In May 2022, researchers investigated which APIs allow editing of CAP settings and identified three:
- The legacy Azure AD Graph (also known as AADGraph)
- Microsoft Graph
- An “undocumented” Azure IAM API
AADGraph was the only API that allowed modification of all CAP settings, including metadata.
This capability could allow admins to tamper with all CAP settings, including the creation and modification timestamps.
Modifications made using AADGraph are not properly logged, which researchers warned “endangers integrity and non-repudiation of Azure AD policies”.
“The API does not properly log changes, and the lack of an audit trail breaks integrity and non-repudiation of CAPs,” researchers said. “As a result, organizations cannot trust CAP information shown in the Azure AD portal or in directory audit logs.”
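Because changes made through AADGraph did not produce a reliable audit trail, a defender cannot rely on the directory audit log alone to notice that a CAP was altered. One compensating control is to snapshot the policies periodically through an API that is trusted, diff consecutive snapshots, and raise an alert for any change that has no corresponding audit entry or whose modifiedDateTime was not advanced. The script below is an added example written for this article; it is not Secureworks' or Microsoft's code. It assumes policy snapshots shaped like (a trimmed) Microsoft Graph /identity/conditionalAccess/policies response and audit records reduced to activityDisplayName, activityDateTime and targetResources; the activity names "Update/Add conditional access policy" are assumed, and all sample data is constructed.

```python
"""Integrity check for Azure AD conditional access policies (CAPs).

Added example, not code from the article or from Secureworks/Microsoft.
Assumed shapes: snapshots follow a trimmed Microsoft Graph
/identity/conditionalAccess/policies record; audit entries are a simplified
directory-audit record. All sample data below is constructed.
"""
import json

# Constructed sample: snapshot of CAPs taken on the previous run.
PREVIOUS_SNAPSHOT = [
    {"id": "cap-1", "displayName": "Require MFA for all users", "state": "enabled",
     "modifiedDateTime": "2022-05-01T10:00:00Z",
     "grantControls": {"builtInControls": ["mfa"]}},
    {"id": "cap-2", "displayName": "Block legacy authentication", "state": "enabled",
     "modifiedDateTime": "2022-04-12T08:30:00Z",
     "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"]}},
    {"id": "cap-4", "displayName": "Require compliant device", "state": "enabled",
     "modifiedDateTime": "2022-03-01T09:00:00Z",
     "grantControls": {"builtInControls": ["compliantDevice"]}},
]

# Constructed sample: snapshot taken on the current run.
CURRENT_SNAPSHOT = [
    # cap-1 was switched off, yet modifiedDateTime was not advanced.
    {"id": "cap-1", "displayName": "Require MFA for all users", "state": "disabled",
     "modifiedDateTime": "2022-05-01T10:00:00Z",
     "grantControls": {"builtInControls": ["mfa"]}},
    # cap-2 is unchanged.
    {"id": "cap-2", "displayName": "Block legacy authentication", "state": "enabled",
     "modifiedDateTime": "2022-04-12T08:30:00Z",
     "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"]}},
    # cap-4 was legitimately moved to report-only: timestamp advanced and audited.
    {"id": "cap-4", "displayName": "Require compliant device",
     "state": "enabledForReportingButNotEnforced",
     "modifiedDateTime": "2022-05-20T14:00:00Z",
     "grantControls": {"builtInControls": ["compliantDevice"]}},
    # cap-3 is new and has a matching audit entry.
    {"id": "cap-3", "displayName": "Block sign-in from unapproved locations",
     "state": "enabled", "modifiedDateTime": "2022-05-20T15:00:00Z"},
]

# Constructed sample: simplified directory audit records for the same period.
AUDIT_LOG = [
    {"activityDisplayName": "Update conditional access policy",
     "activityDateTime": "2022-05-20T14:00:05Z", "targetResources": [{"id": "cap-4"}]},
    {"activityDisplayName": "Add conditional access policy",
     "activityDateTime": "2022-05-20T15:00:02Z", "targetResources": [{"id": "cap-3"}]},
]


def _canonical(policy):
    """Stable serialisation so nested dicts compare regardless of key order."""
    return json.dumps(policy, sort_keys=True)


def diff_snapshots(previous, current):
    """List added, deleted and modified policies between two snapshots.

    For modified policies, record whether modifiedDateTime moved forward.
    Timestamps are ISO-8601 UTC strings in one format, so they sort lexically.
    """
    prev = {p["id"]: p for p in previous}
    cur = {p["id"]: p for p in current}
    changes = []
    for pid in sorted(cur.keys() - prev.keys()):
        changes.append({"id": pid, "kind": "added", "timestamp_advanced": True})
    for pid in sorted(prev.keys() - cur.keys()):
        changes.append({"id": pid, "kind": "deleted", "timestamp_advanced": True})
    for pid in sorted(prev.keys() & cur.keys()):
        if _canonical(prev[pid]) != _canonical(cur[pid]):
            advanced = cur[pid]["modifiedDateTime"] > prev[pid]["modifiedDateTime"]
            changes.append({"id": pid, "kind": "modified", "timestamp_advanced": advanced})
    return changes


def audited_policy_ids(audit_log):
    """Collect policy ids that appear as targets of CAP-related audit entries."""
    ids = set()
    for entry in audit_log:
        if "conditional access policy" in entry.get("activityDisplayName", "").lower():
            for target in entry.get("targetResources", []):
                ids.add(target["id"])
    return ids


def find_suspicious_changes(previous, current, audit_log):
    """Return changes lacking an audit entry or with a stale modifiedDateTime."""
    audited = audited_policy_ids(audit_log)
    findings = []
    for change in diff_snapshots(previous, current):
        reasons = []
        if change["id"] not in audited:
            reasons.append("no matching audit-log entry")
        if not change["timestamp_advanced"]:
            reasons.append("modifiedDateTime not advanced despite content change")
        if reasons:
            findings.append({**change, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_changes(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT, AUDIT_LOG):
        print(f"ALERT {finding['id']} ({finding['kind']}): {'; '.join(finding['reasons'])}")
```

Run on the constructed data, only cap-1 is flagged: its content changed, no audit entry references it, and its modifiedDateTime is unchanged, which is exactly the combination the article describes for unlogged AADGraph edits. The snapshot store and the audit-log export should be held outside the tenant being monitored so that a rogue admin cannot adjust both sides of the comparison.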
CTU researchers shared their findings with Microsoft in May 2022, and the tech giant confirmed the findings a month later. However, Secureworks revealed that Microsoft stated “that it is expected behavior”.
In May this year, Microsoft notified CTU researchers of planned changes to improve audit logs and restrict CAP updates via AADGraph.
Microsoft said these changes will “improve audit logs to reflect the type of policy being updated when CA policies are updated through AADGraph”.
The firm added that AADGraph is “set to be retired” and that admins will be prevented from making updates to CA policies.
Nestori Syynimaa, senior principal security researcher at Secureworks CTU, said that a concerning aspect of this vulnerability is that Azure AD “isn’t locked properly”, enabling attackers to see policy configurations and potentially exploit the flaw.
“This means that any user can see policy configurations, and anyone with admin rights can make modifications that are not logged properly,” he said.
“If you have a rogue admin, or an admin’s credentials have been compromised by a threat actor, then they can make damaging changes such as turning off access controls, blocking access, and editing rules.”
Syynimaa noted that a threat actor could hypothetically access “any number of systems and create backdoors”, making remediation difficult in the event that this vulnerability was exploited.

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.