Cybersecurity firm Huntress has identified a large password spray campaign targeting the Azure Command-Line Interface (CLI) within Microsoft 365 environments. The operation illustrates how exposed cloud identity systems are when they come under sustained pressure from sophisticated threat actors.
Scope and Impact of the Campaign
Between June 12 and June 21, Huntress recorded over 81 million login attempts directed at its clientele. This surge in activity led to the compromise of 78 user accounts across 64 different organizations. The most intense period of the campaign occurred around June 22, when the attackers successfully infiltrated 23 businesses in a single day.
Most login attempts were traced back to AS32167, an autonomous system belonging to the internet hosting provider LSHIY LLC. This campaign is part of a broader trend, with Huntress noting a 155-fold increase in credential spray attacks over the past six months across its customer base.
Technical Aspects of the Attack
The attackers employed the OAuth Resource Owner Password Credentials (ROPC) flow, a method deprecated in OAuth 2.1, to validate credentials. ROPC has no interactive step: a correct username and password alone yields a new user token, so Multi-Factor Authentication (MFA) is bypassed wherever it is not enforced for that sign-in.
Huntress found weaknesses in the MFA configurations of the compromised accounts. Some organizations had MFA policies that were not enforced universally, applying only to specific user groups or only to certain geographic locations. Notably, eight affected businesses had no MFA policies in place, highlighting the importance of robust MFA configurations.
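As an added illustration (not Huntress's own tooling or data), the following detector runs over constructed sign-in records to surface the two signals described above: one source address failing against many distinct accounts, and successful sign-ins from that source that satisfied only a single factor. The record fields are simplified from the Entra ID sign-in log schema; the IP addresses and account names are made up.

```python
"""Spray-pattern detection over constructed Entra ID sign-in records.

The records below are made up for this example; they mimic the campaign
described above (one hosting-provider source, the Azure CLI app, many accounts).
Field names are simplified from the Entra sign-in log (assumption: you would map
ipAddress, appDisplayName, authenticationRequirement and status.errorCode).
"""
from collections import defaultdict

INVALID_CREDENTIALS = 50126   # Entra ID error code: invalid username or password
SUCCESS = 0
SINGLE_FACTOR = "singleFactorAuthentication"
SPRAY_MIN_USERS = 5           # distinct accounts failing from one source address

def event(user, ip, error, auth_req=SINGLE_FACTOR, app="Microsoft Azure CLI"):
    return {"user": user, "ip": ip, "error": error, "auth_req": auth_req, "app": app}

SPRAY_IP = "2001:db8:bad::1"  # constructed IPv6 source, not a real indicator
SIGNINS = [event(f"user{i}@example.com", SPRAY_IP, INVALID_CREDENTIALS) for i in range(6)]
SIGNINS += [
    event("user6@example.com", SPRAY_IP, SUCCESS),                   # ROPC login, no MFA
    event("user7@example.com", "203.0.113.5", SUCCESS, "multiFactorAuthentication"),
    event("user8@example.com", "203.0.113.9", INVALID_CREDENTIALS),  # a typo, not a spray
]

def spray_sources(events, min_users=SPRAY_MIN_USERS):
    """Sources whose failed logins touch at least min_users distinct accounts.
    Spraying is one guess across many users, so count users per source rather
    than attempts per user (which lockout thresholds already catch)."""
    failed_users = defaultdict(set)
    for e in events:
        if e["error"] == INVALID_CREDENTIALS:
            failed_users[e["ip"]].add(e["user"])
    return {ip: users for ip, users in failed_users.items() if len(users) >= min_users}

def mfa_gap_logins(events, sources):
    """Successful sign-ins from a spraying source that satisfied only one factor.
    With ROPC a correct password alone yields a token unless MFA is enforced for
    that user, app and location, so these are the compromises to triage first."""
    return [e for e in events
            if e["ip"] in sources and e["error"] == SUCCESS and e["auth_req"] == SINGLE_FACTOR]

if __name__ == "__main__":
    sources = spray_sources(SIGNINS)
    for e in mfa_gap_logins(SIGNINS, sources):
        print(f"ALERT {e['user']} signed in via {e['app']} from {e['ip']} without MFA")
```

Over real logs the same two functions would be fed from the sign-in export rather than the inline list, and a source that appears in spray_sources but produces no mfa_gap_logins still merits a look at which policy blocked it.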
Response and Recommendations
The attacks originated from an IPv6 address range tied to LSHIY, with locations in Hong Kong, Wuhan, China, and New York. Despite Huntress reporting the activity to LSHIY, there has been no response from the provider.
Huntress advises organizations to reassess their MFA strategies, ensuring comprehensive coverage that includes the ROPC authentication flow. While MFA remains a crucial defense mechanism, it must be properly configured to be effective against sophisticated credential attacks.
This incident underscores the importance of staying vigilant and proactive in updating security measures to protect against evolving cyber threats. Organizations are urged to enhance their security protocols, particularly around cloud services and authentication processes, to mitigate future risks.
