New Azure Active Directory password brute-forcing flaw has no fix

New Azure Active Directory password brute-forcing flaw has no fix

Enlarge (credit: Michael Dziedzic)

Imagine having unlimited attempts to guess someone’s username and password without getting caught. That would make an ideal scenario for a stealthy threat actor—leaving server admins with little to no visibility into the attacker’s actions, let alone the possibility of blocking them.

A newly discovered bug in Microsoft Azure’s Active Directory (AD) implementation allows just that: single-factor brute-forcing of a user’s AD credentials. And, these attempts aren’t logged on to the server.

Invalid password, try again, and again…

In June this year, researchers at Secureworks Counter Threat Unit (CTU) discovered a flaw in the protocol used by Azure Active Directory Seamless Single Sign-On service.

Read 20 remaining paragraphs | Comments

This post has been read 32 times!

0 0 votes
Article Rating
Like
Like Love Haha Wow Sad Angry
guest
Not Optional
Optional
0 Comments
Inline Feedbacks
View all comments