Cybersecurity experts have identified a large-scale automated password spray attack targeting Microsoft’s Azure command-line interface (CLI), compromising multiple accounts in the process.
Originating from an IPv6 address range (2a0a:d683::/32) associated with internet provider LSHIY LLC (AS32167), the campaign was detected between June 12 and June 26. According to Huntress, the attackers executed over 81 million login attempts, successfully breaching 78 Microsoft accounts within 64 organizations.
Details of the Attack
Beyond its scale, the campaign is notable for getting past Conditional Access policies (CAPs) by authenticating through the deprecated Resource Owner Password Credentials (ROPC) OAuth flow. Targeting was opportunistic rather than sector-specific: the attackers chose accounts by how often their passwords appeared in breached-credential lists, not by industry or organization, and attempts succeeded even at tenants that had CAPs in place.
The ROPC flow, part of OAuth 2.0, lets an application collect a user's username and password directly and send them to the token endpoint in exchange for an access token. Because the authorization server sees nothing but a username and a password, there is no step at which a second factor can be requested: it can only accept the password or reject the request. That makes the flow incompatible with multi-factor authentication (MFA); it was dropped from the OAuth 2.1 draft and the OAuth 2.0 Security Best Current Practice says it must not be used.
Impact and Response
During the attack, credential and token spray methods compromised several accounts per day, spiking to 12 breaches on June 19 and reaching 30 on June 22. The assault predominantly originated from LSHIY LLC's infrastructure, with IP addresses geolocating to the U.S. and China.
Huntress observed a significant increase in credential spray attacks over the period, a 155-fold surge across its customer base. The accounts that fell were ones whose old, unrotated passwords already appeared in credential dumps; where MFA was configured, it was sidestepped because the tenant's Conditional Access policy did not apply to the ROPC sign-in.
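The campaign is easier to see in aggregate than per address, because the attempts were spread across an entire IPv6 /32 rather than a handful of hosts. The following detection is an added example written for this page, not Huntress tooling: it parses newline-delimited sign-in records whose field names follow the Entra ID sign-in log export, collapses each source address to its allocation-sized prefix, and flags prefixes that show many distinct target users, mostly invalid-credential failures (Entra error code 50126), over ROPC or the Azure CLI application. The sample records are constructed for the demo; the Azure CLI application ID is the well-known first-party value, and the unrelated browser app ID is hypothetical.

```python
import ipaddress
import json
from collections import defaultdict

# Well-known application ID of the first-party Azure CLI app in Entra ID.
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
ERR_INVALID_CREDENTIALS = 50126   # Entra sign-in error: bad username or password
SUCCESS = 0

# Constructed sample (not real telemetry). Field names follow the Entra ID
# sign-in log export. Seven ROPC attempts from two hosts inside the
# 2a0a:d683::/32 range named in the report, one of them successful, plus one
# benign browser sign-in from an unrelated address using a hypothetical app ID.
SAMPLE_SIGNIN_LOG = """\
{"userPrincipalName":"alice@contoso.example","ipAddress":"2a0a:d683:1:2::10","appId":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","authenticationProtocol":"ropc","status":{"errorCode":50126}}
{"userPrincipalName":"bob@contoso.example","ipAddress":"2a0a:d683:1:2::10","appId":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","authenticationProtocol":"ropc","status":{"errorCode":50126}}
{"userPrincipalName":"carol@contoso.example","ipAddress":"2a0a:d683:9::5","appId":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","authenticationProtocol":"ropc","status":{"errorCode":50126}}
{"userPrincipalName":"dave@contoso.example","ipAddress":"2a0a:d683:9::5","appId":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","authenticationProtocol":"ropc","status":{"errorCode":50126}}
{"userPrincipalName":"erin@contoso.example","ipAddress":"2a0a:d683:9::5","appId":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","authenticationProtocol":"ropc","status":{"errorCode":50126}}
{"userPrincipalName":"carol@contoso.example","ipAddress":"2a0a:d683:1:2::10","appId":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","authenticationProtocol":"ropc","status":{"errorCode":0}}
{"userPrincipalName":"frank@contoso.example","ipAddress":"2a0a:d683:1:2::10","appId":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","authenticationProtocol":"ropc","status":{"errorCode":50126}}
{"userPrincipalName":"admin@contoso.example","ipAddress":"203.0.113.7","appId":"00000000-0000-0000-0000-000000000001","authenticationProtocol":"none","status":{"errorCode":0}}
"""


def parse_signin_log(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def source_prefix(ip, v6_bits=32, v4_bits=24):
    """Collapse a source address to the block an operator can rotate within.

    A per-IP threshold never trips when attempts are spread over a whole
    IPv6 /32, so aggregate at the allocation size instead.
    """
    addr = ipaddress.ip_address(ip)
    bits = v6_bits if addr.version == 6 else v4_bits
    return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False))


def flag_spray(records, min_targets=5, min_failures=5):
    """Return one finding per source prefix that looks like a password spray.

    A prefix is flagged when it touches many distinct users, produces mostly
    invalid-credential failures, and uses ROPC or the Azure CLI app. Any
    successful sign-in from a flagged prefix is listed as compromised so it
    can be triaged (and the password rotated) first.
    """
    per_prefix = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                      "targets": set(), "ropc_or_cli": 0,
                                      "successes": set()})
    for rec in records:
        bucket = per_prefix[source_prefix(rec["ipAddress"])]
        code = rec["status"]["errorCode"]
        bucket["attempts"] += 1
        bucket["targets"].add(rec["userPrincipalName"])
        if code == ERR_INVALID_CREDENTIALS:
            bucket["failures"] += 1
        if rec.get("authenticationProtocol") == "ropc" or rec.get("appId") == AZURE_CLI_APP_ID:
            bucket["ropc_or_cli"] += 1
        if code == SUCCESS:
            bucket["successes"].add(rec["userPrincipalName"])

    findings = []
    for prefix, bucket in per_prefix.items():
        if (len(bucket["targets"]) >= min_targets
                and bucket["failures"] >= min_failures
                and bucket["ropc_or_cli"] > 0):
            findings.append({
                "prefix": prefix,
                "attempts": bucket["attempts"],
                "distinct_targets": len(bucket["targets"]),
                "failures": bucket["failures"],
                "compromised": sorted(bucket["successes"]),
            })
    return sorted(findings, key=lambda f: -f["attempts"])


if __name__ == "__main__":
    for finding in flag_spray(parse_signin_log(SAMPLE_SIGNIN_LOG)):
        print(finding)
```

A production rule would additionally window by time (the report's daily peaks are a useful unit) and exclude known corporate egress ranges, but the shape is the same: group by prefix, count distinct targets and 50126 failures, and surface the rare successes rather than the flood of failures.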
Preventive Measures
Organizations are advised to scope Conditional Access so that MFA is required for all users, all applications, and all client app types, rather than for browser sessions only. Access to the Azure CLI application should be restricted to the administrators who need it, and response should be prioritized by credential validity: a successful sign-in from the campaign's infrastructure means the leaked password still works, so that account is rotated and investigated first.
Huntress researchers highlighted proper CAP configuration as the control that would have prevented these breaches. A misconfigured CAP, for example one that requires MFA only for browser clients, is in report-only mode, or excludes groups or applications, lets a legacy flow such as ROPC obtain a token without ever meeting the policy's controls, and that is precisely the gap this campaign exploited.
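Whether a policy set actually covers an ROPC sign-in from the Azure CLI is something that can be checked mechanically. The following evaluator is an added example for this page, not Huntress or Microsoft code: the policy dictionaries follow the shape of the Microsoft Graph conditionalAccessPolicy resource (state, conditions.users, conditions.applications, conditions.clientAppTypes, grantControls.builtInControls), and the policies and sign-in scenarios are constructed. It contrasts a weak policy that requires MFA only for browser sessions with the corrected policy scoped to all client app types, shows that a report-only policy enforces nothing, and adds the block-Azure-CLI-for-non-admins policy recommended above. The Azure CLI application ID is the well-known first-party value; the portal app ID and the admin group name are hypothetical, and classifying the CLI sign-in as the mobileAppsAndDesktopClients client type is an assumption made for the demo.

```python
# Added example: evaluate Conditional Access coverage for specific sign-ins.
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"   # well-known Azure CLI app
PORTAL_APP_ID = "00000000-0000-0000-0000-000000000001"      # hypothetical browser app
ADMIN_GROUP = "cloud-admins"                                # hypothetical group name
ENABLED = "enabled"
REPORT_ONLY = "enabledForReportingButNotEnforced"           # Graph state value


def make_policy(name, client_app_types, controls, state=ENABLED,
                apps=("All",), exclude_groups=()):
    """Build a policy dict in the Graph conditionalAccessPolicy shape."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [],
                      "includeGroups": [], "excludeGroups": list(exclude_groups)},
            "applications": {"includeApplications": list(apps)},
            "clientAppTypes": list(client_app_types),
        },
        "grantControls": {"builtInControls": list(controls)},
    }


def policy_applies(policy, signin):
    """True if an enabled policy's conditions match this sign-in."""
    if policy.get("state") != ENABLED:
        return False                      # disabled / report-only enforce nothing
    cond = policy["conditions"]
    users = cond["users"]
    included = ("All" in users["includeUsers"] or signin["user"] in users["includeUsers"]
                or any(g in users["includeGroups"] for g in signin["groups"]))
    excluded = (signin["user"] in users["excludeUsers"]
                or any(g in users["excludeGroups"] for g in signin["groups"]))
    apps = cond["applications"]["includeApplications"]
    app_ok = "All" in apps or signin["app_id"] in apps
    types = cond["clientAppTypes"]
    client_ok = "all" in types or signin["client_app_type"] in types
    return included and not excluded and app_ok and client_ok


def evaluate(policies, signin):
    """Combined decision: block wins over mfa, mfa over an unconditioned allow."""
    controls = set()
    for policy in policies:
        if policy_applies(policy, signin):
            controls.update(policy["grantControls"]["builtInControls"])
    if "block" in controls:
        return "block"
    if "mfa" in controls:
        return "mfa"
    return "allow"


def coverage_gaps(policies, scenarios):
    """Scenario names that no enabled policy challenges or blocks."""
    return [name for name, s in scenarios.items() if evaluate(policies, s) == "allow"]


# Constructed sign-in scenarios. Treating the Azure CLI's ROPC sign-in as the
# mobileAppsAndDesktopClients client type is an assumption for this demo.
SCENARIOS = {
    "browser-portal": {"user": "alice@contoso.example", "groups": [],
                       "app_id": PORTAL_APP_ID, "client_app_type": "browser"},
    "user-azure-cli-ropc": {"user": "alice@contoso.example", "groups": [],
                            "app_id": AZURE_CLI_APP_ID,
                            "client_app_type": "mobileAppsAndDesktopClients"},
    "admin-azure-cli-ropc": {"user": "ops@contoso.example", "groups": [ADMIN_GROUP],
                             "app_id": AZURE_CLI_APP_ID,
                             "client_app_type": "mobileAppsAndDesktopClients"},
}

# Weak: MFA only for browser sessions, so a CLI/ROPC token request is never challenged.
WEAK_POLICY = make_policy("Require MFA (browser only)", ["browser"], ["mfa"])
# Corrected: MFA for all users, all apps, all client app types.
FIXED_POLICY = make_policy("Require MFA (all clients)", ["all"], ["mfa"])
# Same as FIXED_POLICY but left in report-only mode: it enforces nothing.
REPORT_ONLY_POLICY = make_policy("Require MFA (report-only)", ["all"], ["mfa"],
                                 state=REPORT_ONLY)
# Restrict the Azure CLI app to administrators, as the guidance above recommends.
BLOCK_CLI_FOR_NON_ADMINS = make_policy("Block Azure CLI for non-admins", ["all"],
                                       ["block"], apps=(AZURE_CLI_APP_ID,),
                                       exclude_groups=(ADMIN_GROUP,))

if __name__ == "__main__":
    for label, policy_set in [("weak", [WEAK_POLICY]), ("fixed", [FIXED_POLICY]),
                              ("report-only", [REPORT_ONLY_POLICY]),
                              ("fixed+block", [FIXED_POLICY, BLOCK_CLI_FOR_NON_ADMINS])]:
        print(label, {n: evaluate(policy_set, s) for n, s in SCENARIOS.items()})
```

The evaluator is deliberately conservative: a policy only counts when its state is exactly "enabled", and user or group exclusions remove coverage even when includeUsers is "All", which is where most real-world gaps come from. Running the weak policy set against the CLI scenarios reports them as unchallenged; the corrected set challenges every sign-in, and adding the block policy turns a non-admin CLI sign-in into an outright denial while administrators still get an MFA prompt.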
Ultimately, this incident underscores the importance of robust security practices and the need for organizations to adapt their defenses against evolving cyber threats.
