A critical flaw in AzureD supported cyber criminals to get access to the digital keys in Azure cloud environment and discovered by Resecurity researchers .

The action enabled unauthorized token requests against Microsoft’s OAuth 2.0 endpoints and giving adversaries a direct path to Microsoft Graph and Microsoft 365 data.

A small critical cloud misconfiguration can give access to cyber attackers to infiltrate and this happened to Azure D when their Cloud native application configuration file for ASP.NET Core applications has been leaking credentials for Azure ActiveDirectory (AD).

Cloud application are not merely hosted in the cloud instead they are built to thrive in a cloud environment, providing unprecedented scalability, resilience and flexibility making them game changer.

Recently the publicly accessible configuration file for ASP.NET Core applications has been leaking credentials for Azure ActiveDirectory (AD). This potentially led attackers to authenticate directly via Microsoft’s OAuth 2.0 endpoints and infiltrate Azure cloud environments.

This issue cannot be overlooked by enterprise as the discovery by Resecurity’s HUNTER team exposed Azure AD credentials  ClientId and ClientSecret — exposed in an Application Settings (appsettings.json) file on the public Internet.

Once the credentials lands up in hackers domain any malicious activates can be conducted and compromise an organization’s Azure-based cloud deployment simultaneously retrieve sensitive data from SharePoint or Exchange Online etc. Further abuse of Graph API for privilege escalation or persistence; and the deployment of malicious applications under the organization’s tenant.

Exploiting AzureD Flaw The attack flow

To exploit the flaw, an attacker can first use the leaked ClientId and ClientSecret to authenticate against Azure AD using the Client Credentials from OAuth2 flow to acquire an access token.

Once this is acquired, the attacker then can send a GET request to the Microsoft Graph API to enumerate users within the tenant.

This allows them to collect usernames and emails; build a list for password spraying or phishing; and/or identify naming conventions and internal accounts, according to the post.

Cyber attacker also can query the Microsoft Graph API to copy OAuth2 to take permission grants within the tenant, revealing which applications have been authorized for further permissions, they hold.

Once acquired token allows an attacker to use group information to identify privilege clusters and business-critical teams.

Protecting Enterprise from getting Azure secrets exposed.

Enterprise failing to practice regular scanning, penetration tests, or code reviews, exposed cloud files can remain unnoticed until attackers discover them and exploit them, according to the post.

Further for better security posture enterprise can restricting file access; removing secrets from code and configuration files; rotating exposed credentials immediately; enforcing least privilege principles and setting up monitoring and alerts on credential use, according to the post.

Importance of automation in cloud native application

Implement continuous integration and continuous deployment (CI/CD) pipelines to automate building, deploying, and testing cloud native applications. Manage and provision cloud infrastructure using code, allowing for version control and repeatability. 

Several benefits of following best practices when developing cloud native apps, like increased scalability, fewer occurrences of critical failures, and high efficiency

Enterprises having product based focus will go for cloud-first approach and ask questions on how to go about cloud computing etc.

What could have happened or will happen if not looked into Azure Active Directory (Azure AD) flaw?

Azure Active Directory (Azure AD) termed as high impact in terms of vulnerability.

Once authenticated, attackers can:

• Retrieve sensitive SharePoint, OneDrive, or Exchange Online data via Graph API calls.
• Enumerate users, groups, and roles, mapping out the tenant’s privilege model.
• Abuse permission grants to escalate privileges or install malicious service principals.
• Deploy rogue applications under the compromised tenant, creating persistence and backdoors.

Enterprises must perform compliance checks to ensure that application designed meets industry standards and regulatory requirements. Once robust auditing and reporting mechanisms is on track that changes any access to sensitive data. 

Source: JSON Config File Leaks Azure AD Credentials

Critical Flaw in Azure AD Lets Attackers Steal Credentials and Install Malicious Apps