MFA bypass allows hackers to infiltrate Microsoft 365
Hackers could exploit errors in the ‘inherently insecure’ protocol implemented on widely-used cloud services


Critical vulnerabilities in multi-factor authentication (MFA) protocols based on the WS-Trust security standard could allow cyber criminals to access various cloud applications including core Microsoft services.
According to Proofpoint, Microsoft 365 is the most notable cloud service that can be infiltrated this way, because of how the platform’s session login is designed, with hackers able to gain full access to a target’s account. Information including emails, files and contacts, among other data, would be vulnerable to such an attack.
The MFA bypass also grants access to a host of other cloud services, including production and development environments such as Microsoft Azure and Visual Studio.
The flaw lies in the implementation of the WS-Trust specification, an OASIS standard that is used for renewing and validating security tokens and establishing trusted connections. Proofpoint researchers claim that WS-Trust is inherently insecure and that Microsoft’s identity providers implemented the standard with a number of bugs.
These vulnerabilities can be exploited to allow an attacker, for example, to spoof their IP address and bypass MFA through a simple request header manipulation. In another example, changing the user-agent header may cause the system to misidentify the protocol and believe it to be using ‘modern authentication’.
“Most likely, these vulnerabilities have existed for years. We have tested several Identity Provider (IDP) solutions, identified those that were susceptible and resolved the security issues,” Proofpoint said.
“Vulnerabilities require research, but once discovered, they can be exploited in an automated fashion. They are hard to detect and may not even appear on event logs, leaving no trace or hint of their activity. Since MFA as a preventative measure can be bypassed, it becomes necessary to layer additional security measures in the form of account compromise detection and remediation.”
With MFA becoming an essential and more widely-adopted additional layer of security to reinforce username-and-password logins, cyber criminals are certainly more attracted to identifying and implementing bypasses.
This is particularly pertinent during the coronavirus crisis, where the mass shift to remote and home working meant critical apps and services were being accessed from insecure locations, with protocols such as MFA in place to bolster cyber security.
IT Pro approached Microsoft for comment but had not received a response at the time of writing.

Keumars Afifi-Sabet is a writer and editor who specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.