Defense

Defending Against Direct Authentication Attacks in Microsoft Office 365

Whilst conducting security testing and assurance activities, I went looking to show logon events in Office 365. My first query was on IdentityEvents, this led to a view of a multi month attack by a threat actor/s against a tenent, followed by exploring the rabbit hole of logs and computer systems. This blog summarises some of the methods and findings when considering threat hunting and authentication defences for Office 365. (bear with me I am tired so this might need a bit of a tune up later!)

Read more “Defending Against Direct Authentication Attacks in Microsoft Office 365”
Guides

Enable Number Matching in Azure MFA

Introduction

MFA was the “silver bullet” but friction and security kind of go hand in hand, the idea of a push notification and simple “authorise” is great in theory, but in practise it is vulnerable to brute force and human error. In this post we are going to check out enabling number matching authentication in Azure.

This is just one configuration option, as you can see there are loads of options for methods and specific configurations. Bear in mind the pros and cons for each one, for example SMS based 2FA can be vulnerability to SIM swapping attacks. I’m going to focus on Number Matching in Authenticator for this post: Read more “Enable Number Matching in Azure MFA”

A screenshot of a computer Description automatically generated with medium confidence Threat Intel

CVE-2021-38647 – Open Management Infrastructure (OMI) RCE – Linux…

Situation

Ok so the situation is as per usual a bit fluid, when this first dropped I was looking at this with a “azure” lense, however as time goes on it appears this likely also covers any Linux distro with the Azure/SCOM/OMS agents installed. This may change the profile of risk considerable, not only from a public facing attack surafce but highly likely from a lateral movement persspective. I’m going to keep updating this as more intel comes in. (sorry I’d be clearer if I had a clearer picture myself)

This week 4 vulnerabilities were disclosed which affect Azure virtual machines running the Open Management Infrastructure (OMI) agent (think PowerShell remoting). As above the scope seems to be slightly wider with regard to SCOM/AZURE and OMS/Sentinel etc. agents for Linux (I want to confirm all of this but for now it seems this is the position)

Essentially these vulnerabilities allow for both network-based remove code execution (RCE) and local privilege escalation (LPE).

  • There is evidence of exploitation in honeypots.
  • There is a public proof of concept available for the RCE.
  • The internet facing attack surface from a global perspective seems low based on the data in Shodan and Censys however I’m not convinced this is currently giving a clear picture.
    • So, check your azure networks, Vms and firewalls would be a sensible idea

Read more “CVE-2021-38647 – Open Management Infrastructure (OMI) RCE – Linux hosts”