Presentation Material
Abstract
The majority of Fortune 500 organizations use Azure Active Directory (Azure AD) as their Identity and Access Management (IAM) solution. This high adoption rate makes Azure AD a lucrative target for threat actors, including state-sponsored actors such as APT29/Nobelium.
Azure AD leverages Microsoft’s not-so-well-documented Evolved Security Service (eSTS). eSTS hides multiple security token services so that users see only Azure AD. While studying how eSTS works, we identified flaws that allow users to log in to resource tenants using just a username and password, regardless of their home tenant’s Conditional Access (CA) policies or MFA settings.
Azure AD Premium P2 includes an Identity Governance service that allows internal and external users to request entitlement to Access Packages. An Access Package is a collection of permissions that grants access to a specified organization’s services, such as SharePoint sites, Teams, and applications. We observed that the APIs used by the Identity Governance service allowed anonymous users to access privileged information.
This talk will provide technical details of our findings and how to exploit them. This includes viewing the target user’s tenant membership information after bypassing home tenant MFA and listing creators (administrators) of all Access Packages of any organization.
AI Generated Summary (may contain errors)
Here is a summary of the content:
The speaker discusses their experience as an attacker/threat actor who discovered vulnerabilities in Microsoft’s Azure Active Directory (AAD) and Identity Governance. They found that:
- In AAD, they could list 20-30 administrators’ email addresses without MFA, which can be used for social engineering or brute forcing.
- Access packages can be used to list some administrator names, even if not all.
The speaker shares their timeline of interactions with Microsoft, including:
- Reporting the issue on February 25th and receiving a response that it wasn’t serious enough for a bounty.
- Providing documentation to prove its severity, leading to a re-evaluation and consideration as an in-scope high-vulnerability report.
- Receiving a bounty after the issue was fixed on May 19th, 2022.
- Discovering the same vulnerability again on December 20th, 2022, which led to a new case being opened.
- Following up on the case assessment and receiving a response that it’s still under review.
- Sharing the earlier case number, leading to a change in severity from low to medium.
- Finally, after presenting at the Black Hat Asia conference, Microsoft responded, fixing the issue and awarding a bounty.
The speaker concludes by highlighting three key takeaways:
- Home tenant MFA can be bypassed.
- Tenant membership can be listed without MFA.
- Access packages can be used to list some administrator names.
The session ends with an invitation for questions from the audience.