Cloud identity management is a cornerstone of modern cybersecurity, and Microsoft Entra ID (formerly Azure AD) Conditional Access (CA) plays a pivotal role in it. CA evaluates signals such as the user's location, sign-in risk level, and device compliance before a token is issued, acting as the tenant's digital gatekeeper.
Critical Vulnerabilities Uncovered
An authorized red team assessment by Howler Cell has demonstrated a technique that circumvents these protections. Using valid credentials, which can be obtained at relatively low cost on underground markets, the researchers gained access to a tenant with over 16,000 users. The intrusion required no malware and no interaction with a corporate device, underscoring weaknesses in how device registration and compliance are verified.
Exploiting Device Registration Service Flaws
The attack strategy mirrored techniques employed by Storm-2372, a group believed to be linked to Russian state actors. Both abused the Device Registration Service (DRS) endpoints to gain initial access, illustrating that credentials whose interactive sign-in is blocked by Conditional Access can still be a starting point for a capable attacker.
Howler Cell's findings show how this bypass unfolds. The initial sign-in with the stolen credentials was stopped by the tenant's CA policies and returned error AADSTS53003 ("Access has been blocked by Conditional Access policies"). The team then targeted the DRS resource through the device code authentication flow, which those policies did not cover, and obtained a token for it despite the earlier block.
Phantom Device Registration and PRT Manipulation
The team then registered a phantom device, obtaining a device certificate signed by Azure AD for a private key the attacker controls. The DRS API does not verify that the registering client is a physical Windows machine, so a Linux host could pose as a legitimate corporate endpoint. This maps to the MITRE ATT&CK sub-technique Account Manipulation: Device Registration (T1098.005).
With the phantom device in place, the team requested a Primary Refresh Token (PRT) carrying falsified device claims. When the PRT was exchanged for an access token, Azure AD treated the session as device-authenticated, so CA policies that require a compliant device were satisfied and effectively bypassed.
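The chain described in the two sections above (a Conditional Access block, then a device code flow token for the Device Registration Service, then a registered device) leaves a trail in Entra ID sign-in logs. The hunting logic below is an added example, not code from the article or from Howler Cell: it reads sign-in records in the Microsoft Graph signIn shape (createdDateTime, userPrincipalName, resourceId, authenticationProtocol, status.errorCode), flags every successful device code sign-in, raises the severity when the token is for the DRS resource, and raises it again when the same user received AADSTS53003 shortly before. The four sample records are constructed for illustration; the one-hour correlation window is an assumption to tune for your tenant.

```python
"""Hunt the AADSTS53003-then-device-code-to-DRS chain in Entra ID sign-in logs.

Added example, not code from the article or from Howler Cell. Records use the
Microsoft Graph signIn field names; the sample records below are constructed
for illustration, not real telemetry.
"""
import json
from datetime import datetime, timedelta, timezone

# Well-known application ID of the Device Registration Service resource.
DRS_APP_ID = "01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9"
# AADSTS53003: access has been blocked by Conditional Access policies.
AADSTS_CA_BLOCKED = 53003
# Assumed window in which a device code sign-in still counts as follow-on
# activity to a CA block.
CORRELATION_WINDOW = timedelta(hours=1)
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}

# Constructed sample: one Graph signIn object per line.
SAMPLE_SIGNINS = """\
{"createdDateTime": "2025-03-03T09:00:12Z", "userPrincipalName": "alice@contoso.example", "resourceId": "00000003-0000-0000-c000-000000000000", "resourceDisplayName": "Microsoft Graph", "authenticationProtocol": "oAuth2", "conditionalAccessStatus": "failure", "status": {"errorCode": 53003}}
{"createdDateTime": "2025-03-03T09:14:40Z", "userPrincipalName": "alice@contoso.example", "resourceId": "01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9", "resourceDisplayName": "Device Registration Service", "authenticationProtocol": "deviceCode", "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}}
{"createdDateTime": "2025-03-03T10:02:05Z", "userPrincipalName": "bob@contoso.example", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "resourceDisplayName": "Windows Azure Service Management API", "authenticationProtocol": "deviceCode", "conditionalAccessStatus": "success", "status": {"errorCode": 0}}
{"createdDateTime": "2025-03-03T10:30:00Z", "userPrincipalName": "carol@contoso.example", "resourceId": "00000002-0000-0ff1-ce00-000000000000", "resourceDisplayName": "Office 365 Exchange Online", "authenticationProtocol": "oAuth2", "conditionalAccessStatus": "success", "status": {"errorCode": 0}}
"""


def parse_signins(text):
    """Parse newline-delimited signIn JSON and return it sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["_ts"] = datetime.strptime(
            rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append(rec)
    return sorted(records, key=lambda r: r["_ts"])


def find_device_code_chains(records):
    """Flag successful device code sign-ins; escalate when the token is for
    DRS, and again when the user was blocked by CA shortly before."""
    last_ca_block = {}  # UPN -> timestamp of the most recent AADSTS53003
    findings = []
    for rec in records:
        upn = rec["userPrincipalName"]
        error = rec.get("status", {}).get("errorCode", 0)
        if error == AADSTS_CA_BLOCKED:
            last_ca_block[upn] = rec["_ts"]
            continue
        if rec.get("authenticationProtocol") != "deviceCode" or error != 0:
            continue
        finding = {
            "user": upn,
            "time": rec["createdDateTime"],
            "resource": rec.get("resourceDisplayName"),
            "severity": "medium",
            "reason": "successful device code flow sign-in",
        }
        if rec.get("resourceId") == DRS_APP_ID:
            finding["severity"] = "high"
            finding["reason"] = "device code flow token issued for Device Registration Service"
            blocked_at = last_ca_block.get(upn)
            if blocked_at is not None and rec["_ts"] - blocked_at <= CORRELATION_WINDOW:
                minutes = int((rec["_ts"] - blocked_at).total_seconds() // 60)
                finding["severity"] = "critical"
                finding["reason"] += f" {minutes} min after an AADSTS53003 block"
        findings.append(finding)
    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]])


if __name__ == "__main__":
    for f in find_device_code_chains(parse_signins(SAMPLE_SIGNINS)):
        print(f"[{f['severity']}] {f['user']} -> {f['resource']}: {f['reason']}")
```

On the sample, alice's DRS token 14 minutes after her CA block is reported as critical, while bob's device code sign-in to the Azure management API is only medium, because device code flow is a legitimate path for CLI tools on headless hosts and needs triage rather than an automatic block. Pair this with a lookup of device registration events for the same user to confirm whether a new device object appeared.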
Implications and Defense Strategies
Further investigation showed that the phantom device also bypassed Intune's enrollment restrictions by claiming hybrid domain-join status. The device was then treated as compliant even though it lacked controls a genuine managed endpoint would have, such as BitLocker.
Howler Cell identified additional risks in the hybrid identity environment. They found 255 accounts holding highly privileged directory roles, including Global Administrator, that were synced from on-premises Active Directory, giving an attacker who controls the on-premises domain a direct path to complete tenant takeover.
To mitigate these weaknesses, organizations need to reinforce their device trust models. Suggested measures include Conditional Access policies that block the device code flow, TPM 2.0 attestation as a prerequisite for PRT issuance, and external device health validation through the Microsoft Health Attestation Service. Because the device code flow is also a legitimate sign-in path for CLI tools on headless hosts, scope any block policy with explicit exclusions for break-glass accounts and the few workloads that genuinely need it. Additionally, limiting privileged directory roles to cloud-only accounts managed through Privileged Identity Management removes the on-premises path to those roles.
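A concrete way to act on the first mitigation above is to audit the tenant's exported Conditional Access policies for an enforced device code flow block, and to generate the policy body if none exists. The script below is an added example, not code from the article or from Howler Cell. It assumes policy objects in the Microsoft Graph conditionalAccessPolicy shape (state, conditions.users, conditions.applications, conditions.authenticationFlows.transferMethods, grantControls.builtInControls); the two sample policies are constructed, and the break-glass object id is a placeholder. The generated body is what you would POST to /identity/conditionalAccess/policies, which the example does not do so that it runs offline.

```python
"""Audit Conditional Access policies for an enforced device code flow block.

Added example, not code from the article or from Howler Cell. Policy objects
follow the Microsoft Graph conditionalAccessPolicy shape; the sample policies
are constructed and the break-glass object id is a placeholder.
"""


def _includes_all(section, key):
    """True when a users/applications section targets "All"."""
    return "All" in (section or {}).get(key, [])


def _transfer_methods(policy):
    """authenticationFlows.transferMethods is a comma-separated flag string."""
    flows = policy.get("conditions", {}).get("authenticationFlows") or {}
    raw = flows.get("transferMethods") or ""
    return {m.strip() for m in raw.split(",") if m.strip()}


def policy_blocks_device_code(policy):
    """A policy counts only if it blocks deviceCodeFlow for all users and apps."""
    cond = policy.get("conditions", {})
    grant = policy.get("grantControls") or {}
    return (
        "deviceCodeFlow" in _transfer_methods(policy)
        and _includes_all(cond.get("users"), "includeUsers")
        and _includes_all(cond.get("applications"), "includeApplications")
        and "block" in grant.get("builtInControls", [])
    )


def audit_device_code_coverage(policies):
    """Report whether any enabled policy enforces the block, which ones only
    observe it in report-only mode, and which users are carved out."""
    result = {"enforced": False, "enforcing": [], "report_only": [], "excluded_users": []}
    for p in policies:
        if not policy_blocks_device_code(p):
            continue
        if p.get("state") == "enabled":
            result["enforced"] = True
            result["enforcing"].append(p["displayName"])
            result["excluded_users"].extend(p["conditions"]["users"].get("excludeUsers", []))
        elif p.get("state") == "enabledForReportingButNotEnforced":
            result["report_only"].append(p["displayName"])
    return result


def build_block_device_code_policy(break_glass_user_ids):
    """Body for POST /identity/conditionalAccess/policies that blocks the
    device code flow tenant-wide, excluding only the given break-glass accounts."""
    return {
        "displayName": "Block device code flow",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_user_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


# Constructed sample export: a compliant-device policy that never mentions
# authentication flows, and a device code block that is only in report-only mode.
SAMPLE_POLICIES = [
    {
        "displayName": "Require compliant device for all apps",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    },
    {
        "displayName": "Block device code flow (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]


if __name__ == "__main__":
    print("before:", audit_device_code_coverage(SAMPLE_POLICIES))
    fixed = SAMPLE_POLICIES + [build_block_device_code_policy(["break-glass-object-id"])]
    print("after: ", audit_device_code_coverage(fixed))
```

The audit treats the report-only policy as a gap, which is the state the phantom-device chain above exploits: a compliant-device requirement on all apps does nothing against a flow the policy never evaluates. Keep the excluded_users list short and reviewed, since every carve-out is a user for whom the device code path stays open.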
