SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Microsoft not addressing authentication flaw in Azure AD
Wed, 14th Sep 2022

Secureworks has published new research describing a proof-of-concept exploit for flaws in Microsoft's Azure AD Pass-Through Authentication (PTA) method, flaws it says the tech giant is not planning to address.

Pass-Through Authentication (PTA) is one of the Azure Active Directory (Azure AD) hybrid identity authentication methods.

The research was published by Secureworks' Counter Threat Unit (CTU) and notes that exploiting these flaws would allow threat actors to log in with invalid passwords, harvest credentials, perform remote denial of service (DoS) attacks, and maintain persistence for years.

In addition, the research finds that the exploitation would be undetectable by the targeted organisation.

Secureworks' findings highlight the type of risk organisations need to be aware of when using the PTA method.

For example, a compromised on-premises server running the PTA agent can lead to compromise of the Azure AD tenant, as was seen in Solorigate (Microsoft's name for the SolarWinds supply-chain intrusion).

However, unlike Solorigate, the research finds that a compromised PTA agent also equips attackers with the means to harvest credentials and perform DoS attacks.

Further, Secureworks has found that the exploitation relies on the certificate the PTA agent uses to identify itself to Azure AD.

Worse, the exploitation cannot be detected by the organisation's administrators, and after the initial compromise threat actors can maintain remote persistence for years.

Organisation administrators are also unable to either disable or remove a compromised PTA agent from Azure AD.

Secureworks notes that Microsoft has so far given no indication of plans to address these flaws.

The latest findings come after Secureworks CTU researchers found new information about the DarkTortilla malware, revealing more about its versatility and scope within the threat landscape.

Highly complex and highly configurable, the .NET-based crypter may have been active since at least August 2015, causing widespread harm around the globe.

It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine, which attackers then use to harvest data and move further into networks.

In a new development, the Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit.

They found that DarkTortilla can be configured to deliver add-on packages such as additional malicious payloads and/or benign decoy documents and executables, widening the harm it can cause.

Analysis of VirusTotal samples also revealed numerous campaigns delivering DarkTortilla via malicious spam (malspam). Emails typically use a logistics lure and include the malicious payload in an archive or disk-image attachment with file types such as .iso, .zip, .img, .dmg, and .tar.
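As an added example (not code from the article or from Secureworks), the following Python script turns the delivery pattern described above into a simple mail-log triage rule: it flags messages whose attachment's final extension is one of the container types listed (.iso, .zip, .img, .dmg, .tar) and raises the score when the subject also carries a logistics-style lure. The log line format, the lure keyword list and the scoring weights are all constructed for the example; a real deployment would parse its own MTA or mail gateway logs and tune the keyword list to its traffic.

```python
import re
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Archive/disk-image attachment types the article lists as DarkTortilla malspam carriers.
CONTAINER_EXTS = {".iso", ".zip", ".img", ".dmg", ".tar"}

# Constructed keyword list for the "logistics lure" (an assumption, not from the article);
# tune to your own mail flow. Matched on word boundaries to avoid hits like "groups" for "ups".
LURE_TERMS = ("shipment", "shipping", "delivery", "tracking", "consignment",
              "freight", "courier", "invoice", "dhl", "fedex", "ups")

# Constructed log format (not a real MTA format): key=value fields, quoted subject,
# comma-separated attachment names.
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+from=<(?P<sender>[^>]*)>\s+subject="(?P<subject>[^"]*)"'
    r'\s+attachments=(?P<attachments>\S*)$'
)


@dataclass
class Verdict:
    ts: str
    sender: str
    score: int
    reasons: list = field(default_factory=list)


def container_attachments(attachments: str) -> list:
    """Return attachment names whose final extension is a container type.

    Only the final suffix is checked, so a double extension such as
    'Invoice.pdf.iso' is caught (.iso) while 'report.pdf' is not.
    """
    names = [a for a in attachments.split(",") if a]
    return [n for n in names if PurePosixPath(n).suffix.lower() in CONTAINER_EXTS]


def triage_line(line: str):
    """Score one log line; returns None for lines that do not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, sender, subject, attachments = m.group("ts", "sender", "subject", "attachments")
    v = Verdict(ts=ts, sender=sender, score=0)

    hits = container_attachments(attachments)
    if hits:
        v.score += 2
        v.reasons.append("container attachment: " + ", ".join(hits))

    subj_lower = subject.lower()
    lure = [t for t in LURE_TERMS if re.search(r"\b" + re.escape(t) + r"\b", subj_lower)]
    # The lure only matters in combination with a container attachment; a logistics
    # subject with a plain PDF is ordinary business mail.
    if lure and hits:
        v.score += 2
        v.reasons.append("logistics lure in subject: " + ", ".join(lure))
    return v


def triage(lines):
    """Return verdicts for every parseable line, highest score first (stable order on ties)."""
    verdicts = [v for v in (triage_line(l) for l in lines) if v is not None]
    return sorted(verdicts, key=lambda v: v.score, reverse=True)


# Constructed sample log; the senders and subjects are invented for the example.
SAMPLE_LOG = """\
2022-08-02T09:14:11Z from=<notify@freight-example.test> subject="DHL Shipment 88412 - delivery details" attachments=Shipment_Details.pdf.iso
2022-08-02T09:20:45Z from=<hr@corp.example> subject="Q3 offsite agenda" attachments=agenda.pdf
2022-08-02T09:31:02Z from=<billing@vendor.example> subject="Invoice 2231" attachments=Invoice_2231.zip
2022-08-02T09:40:19Z from=<dev@corp.example> subject="build artifacts" attachments=build.tar,notes.txt
"""

if __name__ == "__main__":
    for v in triage(SAMPLE_LOG.splitlines()):
        print(v.ts, v.sender, v.score, "; ".join(v.reasons))
```

Run as-is, the script ranks the two lure-plus-container messages (score 4) above the internal tarball (score 2, container but no lure) and the plain PDF (score 0). The point of the combined rule is precision: container attachments alone are common in legitimate mail, so the rule is meant to prioritise analyst attention, not to block on its own.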

The crypter is robust, with anti-analysis and anti-tamper controls that make detection, analysis, and eradication challenging.

From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Its ability to evade detection, its high configurability, and its capacity to deliver a wide range of popular and effective malware make it a persistent threat.