
Threat actors are compromising Microsoft 365 environments in a massive password spray campaign targeting the Azure CLI, cybersecurity firm Huntress warns.
Between June 12 and 21, the company observed over 81 million login attempts against its customers, with 78 user accounts across 64 organizations already compromised.
During the two-week window, the hackers compromised 2-4 accounts daily, with a spike around June 22, when 23 businesses were compromised.
According to Huntress, most of the login attempts originated from AS32167, an autonomous system linked to internet hosting provider LSHIY LLC.
“These attacks are part of a large wave of credential spray attacks across a few different ASNs. In the past six months, Huntress has observed the volume of credential spray attacks increase by over 155 times across our customer base,” the cybersecurity company says.
Huntress noticed a surge in password spray attacks in late May and early June, across multiple businesses. The attacks appear to be based entirely on compromised password combo lists, it says.
As part of the Azure campaign, the attackers have relied on the OAuth ROPC (Resource Owner Password Credentials) flow to validate credentials. Deprecated in OAuth 2.1, this authentication flow mints a new user-delegated token whenever it receives the right username and password.
This means that, even if multi-factor authentication (MFA) is enabled, the attackers can successfully compromise accounts if the MFA has not been configured to cover the OAuth ROPC authentication flow.
“ROPC is considered problematic for several reasons, but one of those reasons is that it doesn’t offer support for modern auth flows like MFA or SSO. That means, as we saw in this campaign, ROPC sends the password straight to the /token endpoint with no interactive MFA prompt,” Huntress explains.
Analyzing some of the compromises, Huntress discovered that the MFA configurations had certain weaknesses: MFA was not enforced for all cloud applications, was enforced for certain user groups only, was required for non-trusted locations only, or was implemented and never enforced.
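As an added illustration (not Huntress's code or tooling), the following Python flags the pattern described above in sign-in records: one source failing against many accounts, then a successful ROPC sign-in from that same source, which is exactly the case where MFA was never applied to the flow. The records and field names are constructed to resemble Entra ID sign-in log entries and are assumptions; error code 50126 ("invalid username or password") is a real Entra code.

```python
"""Flag ROPC password-spray activity in sign-in records (constructed sample data)."""
from collections import defaultdict

SPRAY_THRESHOLD = 5  # distinct accounts failing from one source before we call it a spray

# Constructed sample: one source fails against eight accounts via ROPC against the
# Azure CLI app, then succeeds on one of them; a normal interactive sign-in is mixed in.
SAMPLE_SIGNINS = [
    {"userPrincipalName": f"user{i}@example.com", "ipAddress": "2001:db8::10",
     "authenticationProtocol": "ropc", "appDisplayName": "Microsoft Azure CLI",
     "status": {"errorCode": 50126}} for i in range(8)
] + [
    {"userPrincipalName": "user3@example.com", "ipAddress": "2001:db8::10",
     "authenticationProtocol": "ropc", "appDisplayName": "Microsoft Azure CLI",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.7",
     "authenticationProtocol": "authorizationCodeFlow", "appDisplayName": "Office 365",
     "status": {"errorCode": 0}},
]


def analyze(signins, threshold=SPRAY_THRESHOLD):
    """Return (spraying_sources, hits).

    spraying_sources maps a source IP to the set of distinct accounts that failed
    with 50126 from it (at least `threshold` of them).  hits are successful ROPC
    sign-ins from such a source: a token was minted with no interactive MFA prompt.
    """
    failed_users = defaultdict(set)
    for s in signins:
        if s["status"]["errorCode"] == 50126:
            failed_users[s["ipAddress"]].add(s["userPrincipalName"].lower())
    spraying = {ip: users for ip, users in failed_users.items() if len(users) >= threshold}
    hits = [s for s in signins
            if s["status"]["errorCode"] == 0
            and s["authenticationProtocol"].lower() == "ropc"
            and s["ipAddress"] in spraying]
    return spraying, hits


if __name__ == "__main__":
    spraying, hits = analyze(SAMPLE_SIGNINS)
    for ip, users in spraying.items():
        print(f"password spray from {ip}: {len(users)} distinct accounts failed")
    for h in hits:
        print(f"ALERT: ROPC success for {h['userPrincipalName']} from {h['ipAddress']}")
```

Every successful ROPC sign-in, spraying source or not, is worth reviewing against the Conditional Access policies, since it is a sign-in that the interactive MFA prompt never covered.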
“It’s worth noting that eight businesses impacted by the campaign had no MFA policy at all. While threat actors in this campaign were able to get in despite MFA being set up, the takeaway should not be that MFA doesn’t work at all; instead, organizations should ensure that their MFA policies are properly configured to address the authorization flow used across these incidents,” the cybersecurity firm notes.
The IPv6 address range from which the attacks originated belongs to LSHIY, an internet infrastructure provider registered in Hong Kong, Wuhan, China, and New York. Other reports also place the IPv6 ranges associated with AS32167 and AS955, two ASNs operated by the firm, in China.
Huntress says it reported the malicious activity to LSHIY via its abuse reporting mechanism, but received no response.
https://www.securityweek.com/massive-password-spray-campaign-targeting-azure-cli/