Researchers discovered a critical vulnerability in Microsoft Azure, named “BlackDirect”, that allows attackers to take over Azure users’ accounts and create tokens with the victim’s permissions.
The vulnerability specifically affected Microsoft’s OAuth 2.0 applications and allows a malicious attacker to access and control a victim’s account.
“OAuth is a protocol for authorization that is commonly used as a way for end-users to grant websites or applications access to their information from other websites without giving the website or app secrets or passwords.”
OAuth 2.0, the next generation of the protocol, allows third-party applications to obtain limited access to an HTTP service; the accessing client might be a website or a mobile application.
The affected OAuth applications trust domains and sub-domains that are not registered by Microsoft, so anyone can register them.
By default, these applications are approved and are allowed to ask for an “access_token”.
Researchers found that the combination of these two factors makes it possible to perform actions with the user’s permissions, including gaining access to Azure resources, AD resources, and more.
“This vulnerability’s attack surface is very wide and its impact can be very powerful. By doing nothing more than clicking or visiting a website, the victim can experience the theft of sensitive data, compromised production servers, lost data, manipulation of data, encryption of all the organization’s data with ransomware, and more.”
To exploit the vulnerability, the researchers first listed all the service principals in their account using the “Get-AzureADServicePrincipal” command.
They then found the URLs allowed by the Microsoft applications, some of which end with “.cloudapp.net”, “.azurewebsites.net” and “.{vm_region}.cloudapp.azure.com”. These are all URLs registered via the Microsoft Azure portal.
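For defenders, the same enumeration works as an audit of a tenant's own app registrations: any reply URL hosted under one of these shared suffixes deserves an ownership check. The following Python is an added example, not code from the researchers or Microsoft; it assumes the `DisplayName` and `ReplyUrls` fields of the `Get-AzureADServicePrincipal` output have been exported, and every record in the sample is constructed.

```python
from urllib.parse import urlsplit

# Suffixes named in the article: hosts under them are allocated through the
# Azure portal rather than owned outright by the application publisher.
SHARED_SUFFIXES = (".cloudapp.net", ".azurewebsites.net", ".cloudapp.azure.com")

# Constructed sample input, shaped like an export of DisplayName and ReplyUrls
# from Get-AzureADServicePrincipal. All names and URLs are made up.
SAMPLE_PRINCIPALS = [
    {"DisplayName": "Example Portfolio App",
     "ReplyUrls": ["https://portfolio.example.com/signin",
                   "https://Example-Portfolio.AzureWebsites.net/auth"]},
    {"DisplayName": "Example VM Console",
     "ReplyUrls": ["https://console01.westeurope.cloudapp.azure.com/",
                   "urn:ietf:wg:oauth:2.0:oob"]},
    {"DisplayName": "Example Lookalike",
     "ReplyUrls": ["https://notazurewebsites.net/cb",
                   "https://login.example.org/?next=.cloudapp.net"]},
]


def shared_suffix(url):
    """Return the shared Azure suffix the URL's host falls under, or None."""
    # urlsplit lowercases the hostname; non-HTTP URIs (urn:...) have none.
    host = (urlsplit(url).hostname or "").rstrip(".")
    for suffix in SHARED_SUFFIXES:
        # The leading dot forces a label boundary, so "notazurewebsites.net"
        # does not match; the length check rejects a host with no sub-domain.
        if host.endswith(suffix) and len(host) > len(suffix):
            return suffix
    return None


def audit_reply_urls(principals):
    """List (app name, reply URL, suffix) for every URL on a shared suffix."""
    findings = []
    for sp in principals:
        for url in sp.get("ReplyUrls") or []:
            suffix = shared_suffix(url)
            if suffix:
                findings.append((sp["DisplayName"], url, suffix))
    return findings


if __name__ == "__main__":
    for name, url, suffix in audit_reply_urls(SAMPLE_PRINCIPALS):
        print(f"{name}: {url} is hosted under *{suffix}")
```

Each flagged URL should then be confirmed as belonging to a resource the application's owner still controls.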
Omer Tsarfati from CyberArk said, “To make sure no real attackers could exploit this vulnerability, I registered every sub-domain that wasn’t already registered – 54 of them. That being said, there may be more sub-domains that aren’t listed.”
The following 3 apps are vulnerable to this account takeover attack.
“This vulnerability makes it much easier to compromise privileged users – whether through simple social engineering techniques or by infecting a website that the privileged users occasionally access.”
As a result, the attacker will compromise the entire domain and the organization’s Azure environment.
You can read the complete technical analysis here.