Hackers Abuse Azure AD Abandoned Reply URLs to Escalate Privilege

Recent reports indicate that there has been a privilege escalation vulnerability discovered, which arises due to abandoned Active Directory URLs.

Threat actors can use this flaw to gain illegal authorization codes that can be used against Microsoft Power Platform API to gain access tokens and escalate their privileges.

Microsoft has patched these vulnerabilities as soon as they were reported. However, there are certain limitations for users to mitigate this issue. 

Abandoned Reply URLs

As per reports shared with Cyber Security News, researchers identified some abandoned URLs, which were then evaluated for their availability for registration with impacted Azure services.

During this method, an abandoned reply URL belonging to the Dynamics Data Integration app that was linked with the Azure Traffic manager (dataintegratorui[.]trafficmanager[.]net)profile was discovered.

Since this is one of many first-party Microsoft applications, no additional consent was required to initiate the attack. Nevertheless, the legitimate version of the application uses the getExternalData API for proxying a request to a set of limited downstream APIs.

Legitimate application flow (Source: Secureworks)

The requested URL of getExternalData (https: //<middletierservice>/api/GetExternalData) consists of three payload parameters namely ‘url‘, ‘requestData‘, and ‘requestType‘ and requested token ‘audience‘. With the help of the middle-tier service, the Power Platform downstream API and the Azure AD Graph API were accessible.

Request from client to middle-tier service (Source: Secureworks)

Threat actors abuse these platforms by redirecting a victim to a malicious server. Victims who visit them through the Azure AD have the authorization code in the URL, which is then exchanged for access tokens by the malicious server.

Threat actors then use the server to call the middle-tier service with the access token and the intended API.

Power Platform Privilege Escalation

Power Platform is a collaborative platform introduced by Microsoft with low-code tools to automate processes and other useful solutions for different use cases. It also provides integration with services like GitHub and other apps.

However, an API to this platform allows users to manage environments, change the settings, and get information about capacity consumption. Since this platform can be accessed by crafting the abandoned URL, it allows users to escalate their privileges.

It can also be used to abuse its administrative capabilities by creating an application user with a system administrator role or deleting the environment with an HTTP delete request.

Azure AD Graph API

In the case of Azure AD Graph API access, threat actors accessing them via the middle-tier service are limited to read-only access. Threat actors can only gather information but cannot write on the system. Though this serves as a protection, they can still gather additional information about the environment for initiating further attacks.

Request used for reading Azure AD (Source: Secureworks)

Furthermore, it was detected that even after deleting the first-party application, the issue is not addressed since the application has been pre-consented for all tenants.

Access token issuing can be addressed by disabling users’ sign-in ability and nullifying other legitimate application usage. For detailed information, Secureworks has provided a complete report.

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Eswar

Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

New VIPKeyLogger Via Weaponized Office Documenrs Steals Login Credentials

The VIPKeyLogger infostealer, exhibiting similarities to the Snake Keylogger, is actively circulating through phishing campaigns. …

45 minutes ago

INTERPOL Urges to End ‘Pig Butchering’ & Replaces With “Romance Baiting”

INTERPOL has called for the term "romance baiting" to replace "pig butchering," a phrase widely…

51 minutes ago

New I2PRAT Malware Using encrypted peer-to-peer communication to Evade Detections

Cybersecurity experts are sounding the alarm over a new strain of malware dubbed "I2PRAT," which…

2 hours ago

Earth Koshchei Employs RDP Relay, Rogue RDP server in Server Attacks

 A new cyber campaign by the advanced persistent threat (APT) group Earth Koshchei has brought…

3 hours ago

Careto – A legendary Threat Group Targets Windows By Deploy Microphone Recorder And Steal Files

Recent research has linked a series of cyberattacks to The Mask group, as one notable…

4 hours ago

RiseLoader Attack Windows By Employed A VMProtect To Drop Multiple Malware Families

RiseLoader, a new malware family discovered in October 2024, leverages a custom TCP-based binary protocol…

4 hours ago