A massive, ongoing, automated password spray attack is targeting Microsoft's Azure command-line interface. The attack has compromised dozens of accounts. The scale is staggering: more than 81 million login attempts between June 12 and June 26.
The attackers successfully compromised at least 78 Microsoft accounts across 64 organizations.
What makes the Azure CLI password spray attack noteworthy is not only the scale, but also the fact that many of the compromised organizations had Conditional Access policies enabled. The attackers bypassed them.
The Attack Vector
The Azure CLI password spray attack originates from an IPv6 address range controlled by internet infrastructure provider LSHIY LLC. Targeting appears to be driven entirely by which credentials appear on compromised password combo lists; it is not specific to business type or industry.
The attackers leverage a deprecated OAuth flow called Resource Owner Password Credentials (ROPC). ROPC is a legacy OAuth 2.0 grant type where a user directly provides their username and password to a client application. The application sends these credentials to an authorization server to exchange them for an access token.
ROPC was deprecated in OAuth 2.1. Microsoft recommends that customers avoid it because it is incompatible with MFA. In most scenarios, more secure alternatives are available and recommended.
How ROPC Bypasses Conditional Access
The Azure CLI password spray attack weaponizes old username/password combinations that were previously breached but never rotated. Because ROPC was the vector, the attackers could target enterprises that had implemented MFA but had not enforced or configured it to cover Azure CLI ROPC logins.
The following were some of the cases where MFA did not work:
1. MFA policies scoped to specific applications rather than "All Cloud Applications," so MFA was never enforced on Azure CLI sign-ins.
2. MFA enforcement limited to specific user types, such as administrators.
3. MFA enforced only from non-trusted networks.
Eight businesses impacted by the campaign had no MFA policy at all.
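As an added illustration (not part of the original report), the following Python script flags ROPC sign-ins in Entra ID sign-in log records and groups failed attempts by source address, which is the spray-then-success pattern described above. The records are constructed samples, and the field names (authenticationProtocol, status.errorCode, ipAddress) are assumed from the Microsoft Graph signIn resource.

```python
"""Flag ROPC sign-ins and spray sources in Entra ID sign-in log records."""
import json
from collections import Counter, defaultdict

# Constructed sample records (newline-delimited JSON), not real telemetry.
# authenticationProtocol == "ropc" marks a Resource Owner Password Credentials
# login; status.errorCode 0 is success, 50126 is invalid username or password.
SAMPLE_LOG = """
{"createdDateTime": "2025-06-22T03:14:07Z", "userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "ropc", "ipAddress": "2001:db8::1a", "status": {"errorCode": 50126}}
{"createdDateTime": "2025-06-22T03:14:09Z", "userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "ropc", "ipAddress": "2001:db8::1a", "status": {"errorCode": 50126}}
{"createdDateTime": "2025-06-22T03:14:12Z", "userPrincipalName": "carol@example.com", "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "ropc", "ipAddress": "2001:db8::1a", "status": {"errorCode": 0}}
{"createdDateTime": "2025-06-22T03:15:00Z", "userPrincipalName": "dave@example.com", "appDisplayName": "Azure Portal", "authenticationProtocol": "none", "ipAddress": "203.0.113.7", "status": {"errorCode": 0}}
"""


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze_ropc(records, spray_threshold=2):
    """Summarise ROPC activity: successes, spray sources, and likely compromises.

    A source IP is a spray source when its failed ROPC logins reach
    spray_threshold; a ROPC success from such an IP is a likely compromise.
    """
    failures = Counter()
    users_per_ip = defaultdict(set)
    successes = []
    for r in records:
        if r.get("authenticationProtocol") != "ropc":
            continue
        ip = r.get("ipAddress")
        users_per_ip[ip].add(r["userPrincipalName"])
        if r["status"]["errorCode"] == 0:
            successes.append((r["userPrincipalName"], r["appDisplayName"], ip))
        else:
            failures[ip] += 1
    spray_sources = {ip: {"failures": n, "distinct_users": len(users_per_ip[ip])}
                     for ip, n in failures.items() if n >= spray_threshold}
    compromised = [upn for upn, _app, ip in successes if ip in spray_sources]
    return {"ropc_successes": successes, "spray_sources": spray_sources,
            "likely_compromised": compromised}


if __name__ == "__main__":
    print(json.dumps(analyze_ropc(parse_signins(SAMPLE_LOG)), indent=2))
```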
The Scale
Between June 12 and June 21, the Azure CLI password spray attack resulted in a handful of successful logins per day, averaging two to four accounts compromised daily, with the exception of June 19, when 12 user accounts were compromised.
The steady cadence changed on June 22. Thirty identities across 23 businesses were impacted. In all, 78 user accounts were compromised across 64 organizations.
The vast majority of the password spraying activity emanated from LSHIY LLC. Some of the IP addresses resolve to the U.S., while a few others resolve to China.
Huntress has witnessed the volume of credential spray attacks surge by over 155 times across its customer base. Attacks surged in particular in late May through early June, with a current mean value of about 1,964 failed attacks per month per Huntress-protected tenant.
What to Do
The Azure CLI password spray attack reveals cracks in Conditional Access Policies that haven't been appropriately configured. There are still potential weaknesses in how CAPs are deployed that can allow threat actors to slip through.
One glaring error: legacy protocols like ROPC can bypass some poorly configured CAPs entirely, because they do not pass through the authorization endpoint where those policies are enforced.
The organization should ensure that:
1. MFA is applied to all users, cloud applications and client applications when setting up conditional access policies.
2. The use of Azure CLI application is restricted among non-administrator users.
3. Credentials are rotated, prioritizing those known to have been exposed. This attack succeeds because these credentials were compromised earlier but have never been changed.
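As an added example (not from the original article), this Python audit checks Conditional Access policies, expressed in the Microsoft Graph conditionalAccessPolicy shape, for the MFA gaps listed above: policies not scoped to all cloud apps, all users, or all client app types, policies that skip trusted networks, and tenants with no MFA policy at all. The sample policies are constructed for illustration.

```python
"""Audit Conditional Access policies for MFA coverage gaps."""


def mfa_gaps(policy):
    """Return a list of coverage gaps for one MFA-granting policy."""
    c = policy["conditions"]
    gaps = []
    if policy.get("state") != "enabled":
        gaps.append("policy not enabled")
    if "All" not in c.get("applications", {}).get("includeApplications", []):
        gaps.append("scoped to specific apps, not All cloud apps (Azure CLI not covered)")
    if "All" not in c.get("users", {}).get("includeUsers", []):
        gaps.append("scoped to specific users or roles, not All users")
    if "all" not in [t.lower() for t in c.get("clientAppTypes", [])]:
        gaps.append("does not cover all client app types")
    if "AllTrusted" in (c.get("locations") or {}).get("excludeLocations", []):
        gaps.append("trusted networks excluded: MFA enforced only off-network")
    return gaps


def audit(policies):
    """Audit every policy that grants access with MFA; flag absence of any."""
    mfa = [p for p in policies
           if "mfa" in (p.get("grantControls") or {}).get("builtInControls", [])]
    if not mfa:
        return {"no_mfa_policy": True, "findings": {}}
    return {"no_mfa_policy": False,
            "findings": {p["displayName"]: mfa_gaps(p) for p in mfa}}


# Constructed sample: one policy with every gap, one that closes them.
SAMPLE_POLICIES = [
    {"displayName": "MFA for admins off-network", "state": "enabled",
     "conditions": {"users": {"includeRoles": ["Global Administrator"]},
                    "applications": {"includeApplications": ["Office365"]},
                    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
                    "locations": {"includeLocations": ["All"],
                                  "excludeLocations": ["AllTrusted"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Require MFA everywhere", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"builtInControls": ["mfa"]}},
]

if __name__ == "__main__":
    for name, gaps in audit(SAMPLE_POLICIES)["findings"].items():
        print(name, "->", gaps or "no gaps")
```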
This is not to say that MFA is entirely useless. On the contrary, organizations should make sure that their MFA policies are implemented correctly so that they cover the authentication flow used in these attacks.
The Bottom Line
The Azure CLI password spray attack is a reminder that legacy authentication protocols remain a weak point. ROPC bypasses poorly-configured Conditional Access Policies. Old credentials are being weaponized at scale.
Check your Conditional Access Policies. Ensure MFA is required for All Cloud Apps. Restrict Azure CLI access. And rotate old credentials.
FAQ Section
What is the Azure CLI password spray attack?
It is a large-scale credential spray attack aimed at Azure CLI authentication. Attackers launched 81 million login attempts and managed to compromise 78 users across 64 organizations.
How were MFA defenses circumvented by hackers?
They used an obsolete OAuth 2.0 flow referred to as ROPC. This flow is able to circumvent conditional access policies that have been implemented without considering all cloud apps, all users, and all client app types.
What is ROPC?
ROPC stands for Resource Owner Password Credentials. It is a deprecated OAuth 2.0 authorization grant in which the end user gives their credentials directly to a client application.
Which organizations were targeted?
The targeting is not specific to business type or industry. The attackers used compromised password combo lists.
What should be done?
Require MFA for all users, all cloud apps, and all client app types. Limit Azure CLI access for non-administrative users. Rotate credentials.
Does that mean MFA does not work?
No, it means that poorly configured Conditional Access policies allow legacy authentication protocols such as ROPC to be used.