Hackers Uncovered a Security Vulnerability in Multi-factor Authentication Processes
In a surprising turn of events, the cybersecurity team at CLOUDYRION managed to bypass Multi-Factor Authentication (MFA) in a Fortune 500 corporate environment that uses Azure services. The discovery, which was reported to Microsoft, was made when the team noticed that MFA was not being enforced for sign-ins through the Azure Command Line Interface (CLI).
The team found a loophole in how Windows Single Sign-On (SSO) tokens are honoured, which allowed MFA-free access to the Azure CLI and to functions in Intune. This has serious implications: a compromised highly privileged account could lead to data protection and compliance violations, legal consequences, fines, and significant reputational damage.
The challenge was testing how MFA is enforced outside the browser when working with Azure subscriptions. To circumvent MFA, one tester could register a device with their own client account and then assign it to a colleague's account, after which the "az login" command in the Azure CLI succeeded for the colleague's account without an MFA prompt.
Microsoft has recommended checking Conditional Access policies to see whether they cover the special case of the user action "Register or link devices". As a temporary measure, blocking a device from being registered to more than one account also works.
The company's policies required testers' devices to be registered first via the Microsoft corporate portal. However, once a device was registered, no additional MFA was required to access corporate services such as Azure, Teams, and Outlook.
To address this issue, Microsoft has developed whitelists of permitted applications and actions that can be used with Windows SSO. Implementing a whitelist of every action a user is allowed to perform gives full control over each action. Changes to Microsoft's Conditional Access policies also allow finer control over many more actions, including the user action "Register or link devices".
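The check Microsoft recommends above (do the tenant's Conditional Access policies actually cover the user action "Register or link devices"?) is easy to get wrong, because a policy scoped to "All cloud apps" does not cover user actions: the Graph API models them separately under `applications.includeUserActions`. The following script is an added example written for this page, not CLOUDYRION's or Microsoft's code. It audits a list of policies in the Microsoft Graph v1.0 `conditionalAccessPolicy` shape, reports whether any enabled policy enforces MFA on `urn:user:registerdevice` for all users (and which exclusions hollow it out), and builds the corrective policy body. The sample policies, the `GRAPH_TOKEN` environment variable and the policy display names are constructed for illustration.

```python
"""Audit Entra ID Conditional Access for the 'Register or link devices' MFA gap.

Added example (not the page's or Microsoft's code). The two constants below are
real Graph identifiers; the sample policies and display names are constructed.
"""
import json
import os
import urllib.request

# Graph v1.0 endpoint that lists Conditional Access policies (real endpoint).
GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
# Graph identifier for the user action "Register or link devices".
REGISTER_DEVICE_ACTION = "urn:user:registerdevice"


def fetch_policies(access_token):
    """Pull every policy from Graph (token needs Policy.Read.All). Not used offline."""
    req = urllib.request.Request(
        GRAPH_CA_POLICIES, headers={"Authorization": "Bearer " + access_token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]


def covers_device_registration(policy):
    """True if this policy enforces MFA on device registration for all users.

    A report-only or disabled policy enforces nothing, and a policy that targets
    'All cloud apps' without the user action does not cover registration either.
    """
    if policy.get("state") != "enabled":
        return False
    conditions = policy.get("conditions") or {}
    apps = conditions.get("applications") or {}
    if REGISTER_DEVICE_ACTION not in (apps.get("includeUserActions") or []):
        return False
    users = conditions.get("users") or {}
    if "All" not in (users.get("includeUsers") or []):
        return False
    grant = policy.get("grantControls") or {}   # block policies carry null grantControls
    builtin = grant.get("builtInControls") or []
    return "mfa" in builtin or grant.get("authenticationStrength") is not None


def audit(policies):
    """Report which policies close the gap and any user exclusions carved into them."""
    covering = [p for p in policies if covers_device_registration(p)]
    excluded = sorted({
        u for p in covering
        for u in (((p.get("conditions") or {}).get("users") or {}).get("excludeUsers") or [])
    })
    return {
        "covered": bool(covering),
        "covering_policies": [p["displayName"] for p in covering],
        "excluded_users": excluded,   # exclusions are how such a policy usually gets hollowed out
    }


def remediation_policy():
    """Body for POST .../identity/conditionalAccess/policies that requires MFA on registration."""
    return {
        "displayName": "Require MFA for device registration",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeUserActions": [REGISTER_DEVICE_ACTION]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


# Constructed sample: an 'MFA for all cloud apps' policy that looks complete but
# ignores user actions, plus a report-only policy on the user action. Neither closes the gap.
SAMPLE_POLICIES = [
    {
        "displayName": "Require MFA for all cloud apps",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"], "includeUserActions": []},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "MFA for device registration (pilot)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeUserActions": [REGISTER_DEVICE_ACTION]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]

if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")          # hypothetical variable name for a live run
    policies = fetch_policies(token) if token else SAMPLE_POLICIES
    result = audit(policies)
    print(json.dumps(result, indent=2))
    if not result["covered"]:
        print("Gap: device registration is not MFA-protected. Suggested policy body:")
        print(json.dumps(remediation_policy(), indent=2))
```

Run it without a token to see the audit fail on the constructed sample; with a real token it walks the tenant's policies instead. Note the second check in `audit`: a covering policy with a long `excludeUsers` list still leaves every excluded account able to register a device without MFA, so the exclusions deserve the same scrutiny as the policy itself.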
The key to greater security lies in continuously refining MFA policies and incorporating user feedback. Unfortunately, the article did not provide best practices for reducing MFA vulnerabilities.
Despite this, it is worth remembering that the discovery of such vulnerabilities is crucial for improving cybersecurity. This incident is a reminder that no system is completely secure and that continuous effort is needed to protect against potential threats.