Hey, guys! How y’all doing?
It’s just been 2 weeks since the launch of Microsoft’s Windows 365, but it has faced so many challenges already. Today, we’re going to discuss one of those challenges. We’re going to look into the Windows 365 vulnerability that allowed for Microsoft Azure’s credentials to be leaked in clear-text.
Everything started when a security researcher figured out a way to dump a user's unencrypted plaintext Microsoft Azure credentials from Microsoft's new Windows 365 Cloud PC service using Mimikatz.
Who is the security researcher and what is Mimikatz?
Mimikatz is an open-source cybersecurity project created by Benjamin Delpy that allows researchers to test various credential stealing and impersonation vulnerabilities. Delpy is the security researcher who unearthed this problem using his own software.
According to Mimikatz Github page:
“It's well known to extract plaintext passwords, hash, PIN code and kerberos tickets from memory. mimikatz can also perform pass-the-hash, pass-the-ticket, build Golden tickets, play with certificates or private keys, vault, ... maybe make coffee?”
Just like all ethical hacking tools, Mimikatz was created for researchers and ethical hackers. However, due to the power of its capabilities, Mimikatz is commonly used by threat actors to dump plaintext passwords from the memory of the LSASS process or perform pass-the-hash attacks using NTLM hashes.
With Mimikatz, threat actors can spread laterally throughout a network until they control a Windows domain controller - which will allow them to take over the Windows domain.
Okay, but what is MIcrosoft Windows 365 Cloud PC service?
Launched on August 2, 2021, Windows 365 cloud-based desktop service is a new service that allows users to rent Cloud PCs and access them via remote desktop clients or a browser.
To allow users to test the new service, Microsoft had offered free trials of virtual PCs. However, trials had to be stopped as Microsoft ran out of servers as people rushed to get their free Cloud PC for 2 months.
Figure 1: Free Windows 365 trials halted
Delpy was one of the lucky few who could get their hands on a free trial and began testing the new service's security.
With the limited access, the penetration testing began!
He discovered that the brand new service allows a malicious program to dump the Microsoft Azure plaintext email address and passwords for logged-in users.
What did Benjamin Delfy discover?
On August 8, Delfy posted a tweet on his Twitter account (@gentilkiwi) where he uploaded a short screen recording of him demonstrating his discovery.
Using his own software, Benjamin showcased that anyone accessing your computer can steal your Azure password. This is due to users needing a Microsoft Azure account to access Windows 365.
He performed the credential dumping by exploiting a vulnerability he found back in May 2021. Upon successful exploitation, this vulnerability allows him to dump the clear text credentials for a user who’s logged into a Terminal Server.
While a user's Terminal Server credentials are encrypted when stored in memory, Delpy says he could trick the Terminal Service process into decrypting them for him.
Delfy says:
“Even better, I asked the terminal server process to decrypt them for me (and technically, the terminal server process asked the kernel to decrypt it for itself) … Because only the Terminal Server can ask for this kind of own decryption, I had to trick it to decrypt the credentials for me.”
Can Delfy’s technique be replicated?
Yes! And, it works!
BleepingComputer used a free Cloud PC trial on Windows 365 to test Delfy’s technique.
After connecting through the web browser and launching Mimikatz with Administrative privileges, BleepingComputer entered the ‘ts::logonpasswords’ command and Mimikatz swiftly dumped login credentials in plaintext, as shown below.
Figure 2: Mimikatz listing Azure account credentials in plaintext
This works over the web browser as it's still using the Remote Desktop Protocol.
What’s the issue here, though?
Many may be wondering what the big deal is if you need to be an Administrator to run Mimikatz and you already know your Azure account credentials.
In the scenario above, you are right, and it’s not a big issue.
However, consider this:
What happens if a threat actor gains access to your Windows PC device to run commands?
For instance, let's say a user opens a phishing email with a malicious attachment on their Windows 365 Cloud PC that somehow bypasses Microsoft Defender.
Once the user unknowingly enables the malicious macros in the infected document, it can install a remote access program so that a threat actor can access the Cloud PC - anytime, anywhere.
From there, it’s just a matter of time to gain administrative privileges. This can be easily done by exploiting vulnerabilities like malware, phishing attacks, Printnightmare, or Hivenightmare, and then dump clear-text credentials with Mimikatz.
Using the exposed credentials, threat actors can spread laterally through other Microsoft services and potentially a company's internal network.
Delpy explained:
"It’s exactly like dumping passwords from a normal session. If I can dump your password in TS sessions I can use it on other systems where you can have more privilege, data, etc. … It's common for lateral movements and gaining access to more privileged data on other systems. Particularly useful on VDI systems where other users are also logged in.”
Is there any protection against this attack?
Unfortunately, for now, there are no security features present in Microsoft Windows 365.
2FA, smart cards, Windows Hello, and Windows Defender Remote Credential Guard are recommended to protect against this method. However, these security features are not available in Windows 365 at the time of writing.
As Windows 365 is geared towards the enterprise, Microsoft will likely add these security features in the near future, but for now, it is important to be aware of this technique.
Let’s hope Microsoft is working on fixing this issue as soon as possible.
So, there you have it! For more interesting news and updates, sit tight and stay tuned.
Until next time, friends!
Credits: BleepingComputer, FossBytes