December 11, 2024 at 03:50PM
Researchers at Oasis Security exploited a Microsoft Azure multifactor authentication vulnerability, dubbed “AuthQuake,” that allowed unauthorized access to user accounts, including Microsoft 365 services. The flaw, caused by a lack of rate limiting on MFA sign-in attempts, was fixed by Microsoft in October 2024. Recommendations for improved security were provided.
### Meeting Takeaways
1. **Vulnerability Discovery**: Researchers from Oasis Security identified a critical vulnerability in Microsoft Azure’s multifactor authentication (MFA) that let an attacker who already held a victim's password bypass MFA and gain unauthorized account access in about an hour.
2. **Mechanism of Attack**: The flaw stemmed from a lack of rate limiting on MFA code submissions, enabling attackers to make a very large number of sign-in attempts without being throttled, locked out, or detected.
3. **Affected User Base**: The vulnerability potentially exposed over 400 million paid Microsoft 365 accounts to account takeover risks.
4. **Bypass Technique**: The researchers' method, called “AuthQuake,” involved rapidly creating new sign-in sessions and submitting guesses across them in parallel, working through the one million possible values of a 6-digit MFA code far faster than a single session could.
5. **Attack Notifications**: Account owners did not receive alerts during repeated failed sign-in attempts, underscoring the stealthy nature of the vulnerability.
6. **Microsoft’s Response**: Microsoft acknowledged the issue in June 2024 and deployed a stricter rate limit on October 9, 2024, which sharply reduces the number of failed attempts allowed before further sign-ins are blocked.
7. **MFA Code Validity**: A single code remained valid for about 3 minutes, roughly 2.5 minutes longer than the 30-second time step recommended by RFC 6238, which tolerates only a small amount of clock drift. A longer window means more distinct codes are accepted at any moment and more guesses fit inside each code's lifetime, raising the attacker's success rate.
8. **Best Practices Recommended**:
– Utilize authenticator apps or strong passwordless methods for MFA.
– Regularly change passwords.
– Implement email alerts for failed MFA attempts.
– Enforce rate limits on sign-in attempts and lock accounts after a set number of failed attempts.
9. **Conclusion**: While MFA remains a security staple, this incident highlights that no system is infallible, and organizations must adopt comprehensive security measures and remain vigilant against potential vulnerabilities.
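The interplay of takeaways 2, 4 and 7 (no per-account rate limit, fresh sessions escaping the limit, and a wide code-validity window) is shown below as an added Python example; it is not Oasis Security's or Microsoft's code, and nothing in it reflects how Azure MFA is actually implemented. It builds a small RFC 6238 TOTP verifier whose acceptance window and failure budget are configurable: the "about three minutes" window is modeled as five past 30-second steps, the weakness is modeled by keying the failure counter on the session rather than the account, and `DEMO_SECRET`, `Validator`, `enumerate_codes` and `guess_success_probability` are names constructed for this example.

```python
import hashlib
import hmac
import struct
from collections import defaultdict

# Constructed demo seed for the example; not a real authenticator secret.
DEMO_SECRET = b"constructed-demo-seed-0123456789"
CODE_SPACE = 10 ** 6  # number of possible six-digit codes


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP keyed on the 30-second time-step counter."""
    return hotp(secret, unix_time // step)


class Validator:
    """TOTP verifier with a configurable acceptance window and failure limit.

    back_steps=5 with a 30 s step keeps a code valid for about three minutes
    after it was generated (the wide window described above); RFC 6238
    suggests tolerating only about one step of clock drift.
    limit_key="session" models the weakness where every fresh session gets
    its own failure budget; limit_key="account" ties the budget to the
    targeted account so opening new sessions cannot escape it.
    """

    def __init__(self, secret, step=30, back_steps=1, fwd_steps=1,
                 max_failures=10, limit_key="account"):
        self.secret, self.step = secret, step
        self.back_steps, self.fwd_steps = back_steps, fwd_steps
        self.max_failures, self.limit_key = max_failures, limit_key
        self.failures = defaultdict(int)
        self.alerts = []      # (account, time) events to notify the owner
        self._cache = {}      # accepted-code set per time step

    def accepted_codes(self, now: int) -> set:
        """All codes the verifier would accept at `now`."""
        c = now // self.step
        if c not in self._cache:
            self._cache[c] = {hotp(self.secret, c + d)
                              for d in range(-self.back_steps, self.fwd_steps + 1)}
        return self._cache[c]

    def verify(self, account: str, session: str, code: str, now: int) -> bool:
        key = account if self.limit_key == "account" else (account, session)
        if self.failures[key] >= self.max_failures:
            return False  # locked out: even the right code is refused
        if code in self.accepted_codes(now):
            self.failures[key] = 0
            return True
        self.failures[key] += 1
        if self.failures[key] == self.max_failures:
            self.alerts.append((account, now))  # hook for the owner alert
        return False


def guess_success_probability(accepted: int, attempts: int,
                              space: int = CODE_SPACE) -> float:
    """P(at least one hit) for independent uniform guesses while `accepted`
    distinct codes are valid; a wider window raises `accepted`."""
    return 1.0 - (1.0 - accepted / space) ** attempts


def enumerate_codes(validator, account: str, now: int, fresh_session_each_try: bool):
    """Brute force 000000..999999 at one instant. Returns (attempts, success)."""
    for i in range(CODE_SPACE):
        session = f"s{i}" if fresh_session_each_try else "s0"
        if validator.verify(account, session, str(i).zfill(6), now):
            return i + 1, True
    return CODE_SPACE, False
```

Two things to try: `guess_success_probability(6, 115_000)` lands near 0.5 while `guess_success_probability(1, 115_000)` is about 0.11, which is the whole effect of the window width; and `enumerate_codes` against a session-keyed `Validator` with `fresh_session_each_try=True` always finds a code, whereas the account-keyed one stops accepting anything after `max_failures` and records one alert.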