New Sunburst & Golden SAML Video


Six months after RSA, I'm pleased to announce that I was able not only to add cheap video graphics to the video, but also actual narration!

So, for the first time, you can see and hear what is happening while you watch the same TTPs the adversary executed to jump from on-premises to the cloud, bypassing MFA.

Equally interesting, MSFT just came out with another Nobelium report, the same actor they attribute Sunburst to. What is amusing is that, after I publicly ridiculed them for not even having the right auditing in place on Azure AD to enable customers to defend themselves, they have since fixed Azure AD, 6 months after seeing the attack in the wild (it wasn't the first time they saw the attack in the wild, mind you...).

With the new logs, of course MSFT would see what was really going on, which is what CrowdStrike and I were discussing behind the scenes with lawmakers and other public figures. It seems like MSFT has realized they were blind due to the lack of auditing, and came to the realization that, magically, the adversary was doing malicious things again once they fixed their own auditing failures on AAD.

Sadly, the same method of actually preventing this attack against customers, by disabling modern authentication (SAML) and using Seamless Sign-On (based on Kerberos, what MSFT termed "legacy"), led to yet another weakness in, yet again, auditing. Sadly, as reports come in, MSFT's SSO architecture is blind to brute force attacks.

Here's the Secureworks article:

Undetected Azure Active Directory Brute-Force Attacks
In late June 2021, Secureworks® Counter Threat Unit™ (CTU) researchers discovered a flaw in the protocol used by the Azure Active Directory Seamless Single Sign-On feature.

This is 2021. Why is MSFT releasing product that doesn't even have the right auditing in place?

And if that is the case, why is MSFT now coming out, telling everyone its partner ecosystem is compromised, leading to customers' clouds being accessed, and that it's up to the customers to use audit logs to ensure nothing nefarious is happening?

Probably most importantly, why does Microsoft's partner ecosystem randomly have access to its customers' data? Seems like a backdoor, especially if the customer can't disable it. Shouldn't MSFT use its own conditional access to help secure its partners?

Seems strange. It's clear Microsoft is still trying to get its ducks in a row. Until then... good luck using O365 or M365 (including MDE). With O365 comes Azure AD, which comes with a historical nightmare of security issues, lack of auditing, a porous partner ecosystem, and downtime.

Happy hunting friends and stay safe,

Andrew