
Privilege Escalation Associated with Microsoft Entra ID Application

Recent discoveries by cybersecurity experts point to a disturbing new case of privilege escalation associated with a Microsoft Entra ID application (Entra ID was formerly known as Azure Active Directory). The vulnerability is exploited by leveraging an abandoned reply URL, leading to a potential breach of sensitive data.

According to technical reports published by the Secureworks Counter Threat Unit (CTU), such attacks work by redirecting authorization codes to the abandoned URL, which lets the attackers exchange them for access tokens. These unlawfully obtained tokens open the door to the Power Platform API via a middle-tier service, with the unfortunate result that the perpetrators acquire escalated privileges.

Following responsible disclosure of the issue on April 5, 2023, Microsoft responded swiftly and effectively, releasing a fix the following day. Secureworks CTU has also made available an open-source tool that other organizations can use to scan for abandoned reply URLs, which can otherwise become gateways for this kind of security incident.

A reply URL, more commonly known as a redirect URI, is the location to which the authorization server sends the user after successful authorization, along with the authorization code or access token it has granted. For this reason it is vital to register this location correctly during the app registration process.

During their investigation, Secureworks CTU discovered an abandoned reply URL belonging to the Dynamics Data Integration app that pointed at an Azure Traffic Manager profile. This critical discovery gave a perpetrator the potential to invoke the Power Platform API through a middle-tier service and make changes to environment configurations.
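The scanning idea described above, written out as a defender-side audit in Python: an added example, not the Secureworks tool or any code from the original report. It walks a constructed set of app-registration records (none of the hostnames are real), flags reply URLs whose hostname lives under an Azure-managed DNS suffix that a deleted resource would free up (the suffix list is an illustrative assumption, not exhaustive), and marks those that no longer resolve as dangling. The resolver is pluggable so the check can be exercised without network access.

```python
"""Audit Entra ID app-registration reply URLs for abandoned (dangling) hosts."""
import socket
from urllib.parse import urlparse

# Azure-managed DNS suffixes where deleting the resource releases the name
# so that anyone can re-register it (assumption: illustrative list only).
AZURE_RECLAIMABLE_SUFFIXES = (
    ".trafficmanager.net",
    ".azurewebsites.net",
    ".cloudapp.azure.com",
    ".blob.core.windows.net",
)

# Constructed sample shaped like the redirectUris field of app registrations.
# All display names and hostnames are made up for this example.
SAMPLE_APP_REGISTRATIONS = [
    {
        "displayName": "Data Integration (sample)",
        "redirectUris": [
            "https://dataintegration-example.trafficmanager.net/signin",
            "https://portal.example.com/auth/callback",
            "http://localhost:3000/callback",
        ],
    },
    {
        "displayName": "Legacy Portal (sample)",
        "redirectUris": [
            "https://old-portal-example.azurewebsites.net/",
            "http://intranet-example.com/cb",
        ],
    },
]


def resolves(host, resolver=socket.gethostbyname):
    """True if the hostname currently resolves; a lookup failure means it may be unclaimed."""
    try:
        resolver(host)
        return True
    except OSError:
        return False


def classify_reply_url(url, resolver=socket.gethostbyname):
    """Return the list of findings for a single reply URL (empty list means no concern)."""
    findings = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()

    # Authorization codes travel in this redirect, so anything other than
    # https is a problem except for local development loopback addresses.
    if parsed.scheme != "https" and host not in ("localhost", "127.0.0.1"):
        findings.append("insecure-scheme")

    # A reply URL on a reclaimable Azure name needs ownership verification;
    # if the name no longer resolves, the registration is dangling.
    if host.endswith(AZURE_RECLAIMABLE_SUFFIXES):
        findings.append("reclaimable-azure-name")
        if not resolves(host, resolver):
            findings.append("dangling")

    return findings


def audit_registrations(apps, resolver=socket.gethostbyname):
    """Run the check over every reply URL of every app; return only the entries with findings."""
    report = []
    for app in apps:
        for url in app.get("redirectUris", []):
            findings = classify_reply_url(url, resolver)
            if findings:
                report.append((app["displayName"], url, findings))
    return report


if __name__ == "__main__":
    for name, url, findings in audit_registrations(SAMPLE_APP_REGISTRATIONS):
        print(f"{name}: {url} -> {', '.join(findings)}")
```

In a real tenant the input would come from the Microsoft Graph applications listing rather than the embedded sample, and a "dangling" finding should be treated as a lead to verify ownership of the name, since a hostname that fails to resolve today is exactly the one that someone else could claim tomorrow.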

Hypothetically, this loophole could allow a threat actor holding the system administrator role to send requests that delete an environment. It could also be used to abuse the Azure AD Graph API to collect vital information about the targeted victim, setting the stage for further malicious activity.

However, this would typically require a victim to click a malicious link, whereupon the authorization code issued by Microsoft Entra ID is redirected to the URL seized by the attackers. This is alarming given the increasing use of open redirects in phishing campaigns recently noted by Kroll. These campaigns are often themed around DocuSign and redirect victims to malicious sites when the link is clicked.

Such phishing attacks can be tailored to the attackers' objectives. With deceptively constructed URLs that appear legitimate, unsuspecting users are easily fooled. And because most network security technology is not adequately equipped to scan these links for harmful content, victims find themselves redirected to sites designed to harvest their confidential information, from login credentials to personal data.

To stay updated with cybersecurity news, industry developments, and preventive measures, sign up for daily discussions, practical insights, and tips. Darksteel Technologies is an Orlando-based business that can handle all aspects of your IT security, providing compliance, training, malware protection, cloud security, DevSecOps, vulnerability management, penetration testing, architecture design and any other information security requirement your business needs. We focus on your cybersecurity so you don't have to.
