Saturday, December 7, 2024

Critical Vulnerability in Microsoft Azure Let Hackers Take Over the Complete Control of the Azure Accounts


Researchers discovered a critical vulnerability in Microsoft Azure, named “BlackDirect,” that allows attackers to take over Azure users’ accounts and create tokens with the victim’s permissions.

The vulnerability specifically affects Microsoft’s OAuth 2.0 applications and allows a malicious attacker to access and control a victim’s account.

“OAuth is a protocol for authorization that is commonly used as a way for end-users to grant websites or applications access to their information from other websites without giving the website or app secrets or passwords.”


OAuth 2.0, the next generation of the protocol, allows third-party applications to obtain limited access to an HTTP service; the accessing client might be a website or a mobile application.

The affected OAuth applications trust domains and sub-domains that are not registered by Microsoft, and these can be registered by anyone.

By default, these applications are approved and are allowed to ask for an “access_token”.

Researchers found that the combination of these two factors makes it possible to perform actions with the user’s permissions, including gaining access to Azure resources, AD resources, and more.

“This vulnerability’s attack surface is very wide and its impact can be very powerful. By doing nothing more than clicking or visiting a website, the victim can experience the theft of sensitive data, compromised production servers, lost data, manipulation of data, encryption of all the organization’s data with ransomware, and more.”

Exploiting the BlackDirect Vulnerability

To exploit the vulnerability, researchers initially listed all the service principals in their account using the “Get-AzureADServicePrincipal” command.

Later they found the URLs that the Microsoft applications allow, some of which end with “.cloudapp.net”, “.azurewebsites.net” and “.{vm_region}.cloudapp.azure.com”. These are all URLs that can be registered via the Microsoft Azure portal.

Omer Tsarfati from CyberArk said, “To make sure no real attackers could exploit this vulnerability, I registered every sub-domain that wasn’t already registered – 54 of them. That being said, there may be more sub-domains that aren’t listed.”

The following 3 apps are vulnerable to this account takeover attack:

  • Portfolios
  • O365 Secure Score
  • Microsoft Service Trust

“This vulnerability makes it much easier to compromise privileged users – whether through simple social engineering techniques or by infecting a website that the privileged users occasionally access.”

As a result, the attacker will compromise the entire domain and the organization’s Azure environment.

You can read the complete technical analysis here.

Mitigation Steps

  1. Make sure that all the trusted redirect URIs configured in the application are under your ownership.
  2. Remove unnecessary redirect URIs.
  3. Make sure the permissions that the OAuth application asks for are the least privileged ones it needs.
  4. Disable non-used applications.
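
Steps 1 and 2 can be checked mechanically. The following is an added example, not code from the article or from the researchers: it audits an exported list of applications and flags every redirect URI that sits on one of the shared Azure suffixes named above or outside the domains you own. The export shape (DisplayName and ReplyUrls fields), the sample apps and the contoso.example names are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Shared Azure hosting suffixes named in the article. Anyone can register a
# sub-domain under them, so a redirect URI there is safe only if you hold it.
SHARED_SUFFIXES = (".cloudapp.net", ".azurewebsites.net", ".cloudapp.azure.com")

def host_under(host, domain):
    # Label-aligned match: "notcontoso.example" is NOT under "contoso.example".
    domain = domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)

def classify_redirect_uri(uri, owned_domains, owned_hosts=()):
    """Return (verdict, reason); verdict is "ok" or "review"."""
    host = (urlsplit(uri).hostname or "").lower().rstrip(".")
    if not host or "*" in host:
        return ("review", "no concrete host (missing or wildcard)")
    if host in owned_hosts:
        return ("ok", "host explicitly listed as held by us")
    for suffix in SHARED_SUFFIXES:
        if host.endswith(suffix):
            return ("review", f"shared suffix {suffix}: confirm you hold {host}")
    if any(host_under(host, d) for d in owned_domains):
        return ("ok", "under an owned domain")
    return ("review", "host not under any owned domain")

def audit(apps, owned_domains, owned_hosts=()):
    """List (app name, redirect URI, reason) for every URI needing review."""
    findings = []
    for app in apps:
        for uri in app.get("ReplyUrls") or []:
            verdict, reason = classify_redirect_uri(uri, owned_domains, owned_hosts)
            if verdict != "ok":
                findings.append((app.get("DisplayName", "?"), uri, reason))
    return findings

# Constructed sample export; app names, domains and field shape are assumptions.
SAMPLE_EXPORT = json.loads("""[
  {"DisplayName": "Example HR Portal", "ReplyUrls": [
    "https://hr.contoso.example/signin-oidc",
    "https://hr-old.azurewebsites.net/signin-oidc"]},
  {"DisplayName": "Example Reporting", "ReplyUrls": [
    "https://reports.contoso.example.other.example/cb",
    "https://contoso-reports.azurewebsites.net/cb"]}]""")
OWNED_DOMAINS = ["contoso.example"]
OWNED_HOSTS = {"contoso-reports.azurewebsites.net"}  # shared-suffix hosts we hold

if __name__ == "__main__":
    for name, uri, reason in audit(SAMPLE_EXPORT, OWNED_DOMAINS, OWNED_HOSTS):
        print(f"{name}: {uri} -> {reason}")
```

Every flagged URI is either confirmed as yours and added to the owned-hosts list, or removed from the application.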

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
