An aggressive password-spraying campaign targeting Microsoft 365 environments generated more than 81 million login attempts over a two-week period.
The threat actor tried to authenticate via Microsoft's Azure command-line interface (CLI) using still-valid username and password combinations that had been exposed in past breaches.
Microsoft's Azure CLI is used for managing Azure cloud resources, enabling administrators to manage virtual machines, deploy applications, manage databases, and automate cloud operations.
Once a valid pair was found, the hacker authenticated via the ROPC (Resource Owner Password Credentials) OAuth mechanism, bypassing multi-factor authentication (MFA) in many environments due to insecure Conditional Access policies.
Managed cybersecurity company Huntress observed the campaign targeting its customers between June 12 and 26 and confirmed that the threat actor compromised 78 Microsoft accounts across 64 organizations.
[Figure: Activity peak on June 22. Source: Huntress]
“Many of the compromised businesses had implemented multi-factor authentication (MFA) via a Conditional Access Policy (CAP), but the MFA was not configured to cover this specific flow that attackers used,” Huntress explains.
“ROPC is considered problematic for several reasons, but one of those reasons is that it doesn't offer support for modern auth flows like MFA or SSO.”
“That means, as we saw in this campaign, ROPC sends the password straight to the /token endpoint with no interactive MFA prompt.”
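The detection angle that follows from those quotes is that a successful ROPC sign-in which no Conditional Access policy evaluated is a password-only login, and a burst of bad-password failures from one source across many accounts is the spray itself. The script below is an added example written for this article, not Huntress tooling or anything from the report. The events are constructed, shaped after the Microsoft Graph signIn fields (`authenticationProtocol`, `conditionalAccessStatus`, `status.errorCode`, `ipAddress`); the IPv6 and IPv4 addresses are documentation ranges and the thresholds are assumptions to tune per tenant.

```python
"""Flag password-only ROPC logins and spray-like failure bursts in sign-in logs.

Added example, not code from the article or from Huntress. Records are
constructed but mirror Microsoft Graph signIn fields; error code 50126 is
Entra ID's "invalid username or password".
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(value):
    """Parse the ISO-8601 'Z' timestamps Graph emits into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _event(time, upn, ip, proto, ca_status, code, app="Microsoft Azure CLI"):
    """Build one constructed sign-in record in Graph signIn shape."""
    return {"createdDateTime": time, "userPrincipalName": upn, "ipAddress": ip,
            "appDisplayName": app, "authenticationProtocol": proto,
            "conditionalAccessStatus": ca_status, "status": {"errorCode": code}}


# Constructed sample: one source tries one password against many accounts via
# ROPC within seconds, then lands a valid pair that Conditional Access never
# evaluated. A second source is an ordinary user mistyping a password once.
SAMPLE_SIGNINS = [
    _event("2025-06-22T10:00:01Z", "a.adams@example.com", "2001:db8::10", "ropc", "notApplied", 50126),
    _event("2025-06-22T10:00:04Z", "b.baker@example.com", "2001:db8::10", "ropc", "notApplied", 50126),
    _event("2025-06-22T10:00:09Z", "c.clark@example.com", "2001:db8::10", "ropc", "notApplied", 50126),
    _event("2025-06-22T10:00:15Z", "d.diaz@example.com", "2001:db8::10", "ropc", "notApplied", 50126),
    _event("2025-06-22T10:00:21Z", "e.evans@example.com", "2001:db8::10", "ropc", "notApplied", 50126),
    _event("2025-06-22T10:00:30Z", "f.fox@example.com", "2001:db8::10", "ropc", "notApplied", 0),
    _event("2025-06-22T10:05:00Z", "g.gray@example.com", "203.0.113.7", "oAuth2", "notApplied", 50126,
           app="Office 365 Exchange Online"),
    _event("2025-06-22T10:05:20Z", "g.gray@example.com", "203.0.113.7", "oAuth2", "success", 0,
           app="Office 365 Exchange Online"),
]


def unchallenged_ropc_successes(events):
    """Successful ROPC sign-ins that no Conditional Access policy evaluated.

    ROPC cannot complete an interactive MFA prompt, so a success with
    conditionalAccessStatus == "notApplied" means the password alone sufficed.
    Returns (user, source IP, timestamp) tuples.
    """
    return [(e["userPrincipalName"], e["ipAddress"], e["createdDateTime"])
            for e in events
            if e["authenticationProtocol"] == "ropc"
            and e["status"]["errorCode"] == 0
            and e["conditionalAccessStatus"] == "notApplied"]


def spray_sources(events, window=timedelta(minutes=10), min_users=5):
    """Source IPs whose bad-password failures hit >= min_users distinct accounts
    inside any sliding `window`. Returns {ip: max distinct users in a window}."""
    failures = defaultdict(list)
    for e in events:
        if e["status"]["errorCode"] == 50126:
            failures[e["ipAddress"]].append((_ts(e["createdDateTime"]), e["userPrincipalName"]))
    flagged = {}
    for ip, attempts in failures.items():
        attempts.sort()
        best = 0
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            best = max(best, len(users))
        if best >= min_users:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for hit in unchallenged_ropc_successes(SAMPLE_SIGNINS):
        print("ROPC success with no Conditional Access evaluation:", hit)
    for ip, n in spray_sources(SAMPLE_SIGNINS).items():
        print(f"spray source {ip}: {n} distinct accounts failed within the window")
```

The two checks are deliberately separate: the spray detector fires on volume and breadth regardless of outcome, while the ROPC check fires on a single event and is the one that tells you a Conditional Access gap was actually used. In a real tenant the records come from the Graph `auditLogs/signIns` query or the Log Analytics `SigninLogs` table rather than the constructed list.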
Specific misconfigurations highlighted by Huntress include:
MFA was applied only to specific applications, not to All Cloud Apps.
MFA was enforced only for selected user groups, such as administrators.
MFA was required only from untrusted locations, so logins from IP addresses that appeared to originate from trusted locations were never challenged.
Policies were configured in report-only mode, meaning they were never enforced.
In some cases where organizations were impacted, the researchers say there was no MFA policy at all.
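Each of the five gaps above is visible in the policy objects themselves, so a tenant can be graded before an attacker does it for you. The audit below is an added example for this article, not a Huntress or Microsoft tool. The policies are constructed but follow the Microsoft Graph conditionalAccessPolicy shape (`state`, `conditions.users`, `conditions.applications`, `conditions.locations`, `grantControls.builtInControls`); the group and application identifiers are placeholders.

```python
"""Grade Conditional Access policies against the misconfigurations listed above.

Added example, not tooling from the article or Huntress. Policy dicts are
constructed in Microsoft Graph conditionalAccessPolicy shape; IDs are placeholders.
"""


def requires_mfa(policy):
    """True when the policy's grant controls include the built-in MFA control."""
    grant = policy.get("grantControls") or {}
    return "mfa" in grant.get("builtInControls", [])


def policy_weaknesses(policy):
    """Return the weaknesses one MFA policy exhibits; empty list means it covers
    every user, every cloud app and every location and is actually enforced."""
    issues = []
    if not requires_mfa(policy):
        return issues  # not an MFA policy; graded at tenant level instead
    conds = policy["conditions"]
    if policy["state"] == "enabledForReportingButNotEnforced":
        issues.append("report-only: never enforced")
    elif policy["state"] == "disabled":
        issues.append("disabled")
    if "All" not in conds["applications"].get("includeApplications", []):
        issues.append("scoped to specific apps, not All cloud apps")
    if "All" not in conds["users"].get("includeUsers", []):
        issues.append("scoped to selected users or groups only")
    loc = conds.get("locations") or {}
    include = loc.get("includeLocations", ["All"])
    if loc.get("excludeLocations") or "All" not in include:
        issues.append("exempts trusted locations: source IPs that look trusted skip MFA")
    return issues


def audit_tenant(policies):
    """Map each MFA policy to its weaknesses. The "_tenant" key carries findings
    about the set as a whole: no MFA policy at all, or no single sound policy."""
    mfa_policies = [p for p in policies if requires_mfa(p)]
    if not mfa_policies:
        return {"_tenant": ["no MFA policy at all"]}
    report = {p["displayName"]: policy_weaknesses(p) for p in mfa_policies}
    if not any(weaknesses == [] for weaknesses in report.values()):
        report["_tenant"] = ["no enforced policy requires MFA for all users, all cloud apps, all locations"]
    return report


# Constructed tenant: each policy shows one of the gaps described above.
SAMPLE_POLICIES = [
    {"displayName": "MFA for admins", "state": "enabled",
     "conditions": {"users": {"includeUsers": [], "includeGroups": ["<admins-group-id>"]},
                    "applications": {"includeApplications": ["All"]},
                    "locations": None},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "MFA for Exchange from untrusted networks", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["<exchange-online-app-id>"]},
                    "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Require MFA everywhere (pilot)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "locations": None},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Block legacy auth", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"builtInControls": ["block"]}},
]


if __name__ == "__main__":
    for name, findings in audit_tenant(SAMPLE_POLICIES).items():
        print(f"{name}: {findings or 'OK'}")
```

The tenant-level finding is the important one: three individually reasonable-looking MFA policies still leave a non-interactive flow such as ROPC uncovered, because no single enforced policy spans all users, all cloud apps and all locations. Against a live tenant the input would come from the Graph `identity/conditionalAccess/policies` endpoint.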
[Figure: Weaknesses in impacted organizations. Source: Huntress]
Overall, Huntress observed a more than 155-fold increase in password-spraying attacks, with organizations now averaging 1,964 failed login attempts per tenant each month.
It is unclear who is behind the latest campaign, but Huntress notes that the activity originates from an IPv6 range owned by LSHIY LLC (AS32167).
The researchers disclosed their findings to LSHIY through the company's abuse reporting portal, but had not received a response by the time their report was published.
Source: Bleeping Computer