Am I Vulnerable? Scan Myself

We developed a scanner that lets anyone check whether their environment contains applications vulnerable to the Black.Direct attack.




Introduction

BlackDirect is a vulnerability that allows attackers to take over Microsoft and Azure accounts. It exists in specific Microsoft-created Azure applications whose trusted redirect URLs point at domains that were never registered. An attacker who registers one of those domains receives the identity tokens that the OAuth flow redirects there; holding a victim's identity token, the attacker can impersonate the victim and perform malicious actions with the victim's permissions.

The vulnerable applications, called "Enterprise Applications" in Azure, use the OAuth protocol and carry a list of trusted redirect URLs. Because some of those URLs and subdomains were not registered by Microsoft, anyone, including an attacker, could register them. What makes the severity of this vulnerability so high is that these apps are approved by default in every Azure environment and are permitted to obtain the users' identity tokens, so an attacker can take over victims' accounts and act with their permissions, including access to Azure and Active Directory resources, virtual machines and more.

Unfortunately, additional controls such as Multi-factor Authentication (MFA) do not mitigate the risk: the identity token is issued only after the victim has completed MFA, so an attacker who hijacks the token inherits an already-authenticated session.
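As an added illustration (not code from this page or from CyberArk Labs), the Python below simulates the part of the OpenID Connect flow that matters here. It assumes the app uses the implicit grant with response_type=id_token delivered in the URL fragment and that the authorization server validates redirect_uri by exact match against the app's registered reply URLs; the app ID, host names and user are all made up. The point it shows is that the authorization server does its job correctly and refuses the attacker's own domain, yet a registered reply URL on a domain nobody owns hands the victim's token to whoever registers that domain.

```python
"""Simulation of the OAuth/OIDC redirect that BlackDirect abuses.

Added illustration, not code from the page or from CyberArk Labs.
Assumptions: the app uses the OIDC implicit grant (response_type=id_token),
the authorization server compares redirect_uri by exact string match against
the app's registered reply URLs, and every app ID, host name and user below
is hypothetical.
"""
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"

# Constructed enterprise application: one reply URL sits on a domain the
# publisher never registered (hypothetical host names).
APP = {
    "appId": "11111111-2222-3333-4444-555555555555",
    "replyUrls": [
        "https://portal.contoso.example/auth/callback",
        "https://preview.forgotten-domain.example/signin",  # unregistered domain
    ],
}


def build_authorize_url(app_id, redirect_uri, nonce):
    """The link the attacker sends to the victim."""
    params = {
        "client_id": app_id,
        "response_type": "id_token",
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "response_mode": "fragment",
        "nonce": nonce,
    }
    return f"{AUTHORIZE}?{urlencode(params)}"


def authorization_server(app, request_url, signed_in_user):
    """Mimics the authorization-server behaviour that matters here.

    The victim already has an SSO session (MFA completed earlier) and the app
    is pre-consented, so no prompt is shown.  The only gate is whether
    redirect_uri is on the app's registered list.
    """
    q = parse_qs(urlsplit(request_url).query)
    redirect_uri = q.get("redirect_uri", [""])[0]
    if redirect_uri not in app["replyUrls"]:
        raise PermissionError(f"redirect_uri not registered for app: {redirect_uri}")
    # Placeholder token; a real id_token is a signed JWT for signed_in_user.
    fake_id_token = f"idtoken-for-{signed_in_user}-{secrets.token_hex(4)}"
    return f"{redirect_uri}#id_token={fake_id_token}&nonce={q['nonce'][0]}"


def who_receives_token(app, redirect_uri, victim="alice@contoso.example"):
    """Return the host name that ends up holding the victim's id_token,
    or None if the authorization server refuses the request."""
    link = build_authorize_url(app["appId"], redirect_uri, secrets.token_urlsafe(8))
    try:
        landing = authorization_server(app, link, victim)
    except PermissionError:
        return None
    return urlsplit(landing).hostname


if __name__ == "__main__":
    # A host the attacker owns but that is not registered: refused.
    print(who_receives_token(APP, "https://attacker.example/cb"))
    # A registered reply URL on a domain nobody owned: accepted, so whoever
    # registers forgotten-domain.example now receives alice's token.
    print(who_receives_token(APP, "https://preview.forgotten-domain.example/signin"))
```

The check the server performs is the same in both calls; the difference is only whether the requested redirect_uri was on the list, which is why the exposure comes from the list's contents rather than from any bypass of the server's validation.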


Technical Information

For more technical information, see our blog post about "BlackDirect".




POC


Q&A

Who is affected?

Anyone who has a Microsoft or Azure account is potentially vulnerable to this kind of attack.

Has the vulnerability been reported / fixed?

Following our report to Microsoft, the specific vulnerable URLs we discovered were fixed, eliminating their risk. However, other Azure applications in your environment may trust vulnerable URLs, so we recommend reviewing the redirect URIs of every application that is trusted in your Azure environment.

What can a hacker do with this?

Ultimately an attacker could impersonate the victim and perform every action the victim can, so the severity of the outcome depends on the permissions of the compromised user. If the user held sensitive permissions in the Azure environment, the attacker could initiate a full takeover of that environment. If the victim has only read permissions, the attacker gains only read permissions, but can still perform reconnaissance and access data on behalf of the compromised user.

How practical are these attacks?

The only requirement for exploitation is that the victim clicks a link or visits a malicious website, so the attack is relatively easy to execute without alerting the victim.

How can I protect myself against future attacks?

1) Stay alert to social engineering attacks; this is how an attacker would convince potential victims to visit a malicious website or click a link.
2) Browse only legitimate websites that you trust.
3) Disable unused applications.
4) Make sure that every trusted redirect URI configured in an enterprise application is under your ownership, and remove unnecessary redirect URIs.
5) Make sure the permissions an OAuth application asks for are the least-privileged set it needs.
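One way to carry out step 4 in your own tenant, as an added example rather than the scanner offered at the top of this page: export each service principal's reply URLs (Microsoft Graph returns them under the replyUrls property) and run them through an audit like the Python below. The records, the domain names and the offline resolver are constructed for the example; with a real export, pass socket.gethostbyname as the resolver and your own list of owned domains.

```python
"""Audit of enterprise-application reply URLs (step 4 above).

Added example, not CyberArk's scanner.  It works on the JSON shape that
Microsoft Graph returns for service principals (the `replyUrls` array), but
the records below are constructed and every domain name is hypothetical.
DNS lookups are injectable so the audit can run offline.
"""
import socket
from urllib.parse import urlsplit

# Constructed export, e.g. from
#   GET /servicePrincipals?$select=appId,displayName,replyUrls
SERVICE_PRINCIPALS = [
    {"appId": "aaaa-1", "displayName": "Payroll Portal",
     "replyUrls": ["https://payroll.contoso.example/callback"]},
    {"appId": "aaaa-2", "displayName": "Legacy Preview",
     "replyUrls": ["https://preview.forgotten-domain.example/signin",
                   "http://preview.contoso.example/signin"]},
    {"appId": "aaaa-3", "displayName": "Partner SSO",
     "replyUrls": ["https://*.partner-saas.example/cb",
                   "https://login.partner-saas.example/cb"]},
]

# Domains the tenant actually owns (hypothetical).
OWNED_DOMAINS = {"contoso.example"}


def is_owned(host, owned_domains):
    """True if host is one of the owned domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in owned_domains)


def fake_resolver(host):
    """Offline stand-in for socket.gethostbyname: only two zones 'exist'."""
    if host.endswith("contoso.example") or host.endswith("partner-saas.example"):
        return "192.0.2.10"
    raise socket.gaierror(f"{host}: no such host")


def audit_reply_urls(service_principals, owned_domains, resolve=socket.gethostbyname):
    """Return findings as (appId, url, [reasons]); an empty list means clean.

    A host you do not own is reported for review; if it also fails to
    resolve it is the BlackDirect shape: a trusted redirect on a domain that
    anyone could register.
    """
    findings = []
    for sp in service_principals:
        for url in sp.get("replyUrls", []):
            reasons = []
            parts = urlsplit(url)
            host = parts.hostname or ""
            if parts.scheme != "https":
                reasons.append("non-https redirect")
            if "*" in host:
                reasons.append("wildcard host")
            elif not is_owned(host, owned_domains):
                reasons.append("host not under your ownership")
                try:
                    resolve(host)
                except (socket.gaierror, OSError):
                    reasons.append("host does not resolve (possible dangling domain)")
            if reasons:
                findings.append((sp["appId"], url, reasons))
    return findings


if __name__ == "__main__":
    for app_id, url, reasons in audit_reply_urls(SERVICE_PRINCIPALS, OWNED_DOMAINS,
                                                 resolve=fake_resolver):
        print(f"{app_id}: {url}: {', '.join(reasons)}")
```

A non-resolving host is only a hint: a domain can be registered yet have no DNS record, and a resolving one can still belong to someone else, so treat every "not under your ownership" finding as something to verify against your domain registrations rather than as a pass.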


About Us

Who found this?

This vulnerability was discovered by @OmerTsarfati, a security researcher from CyberArk Labs.

About CyberArk Labs

CyberArk’s research teams conduct security research on a wide range of technologies.
Our research takes the red-team perspective and is intended to be shared with the security community worldwide, with the goal of better security practices in our systems and environments.
Our research is published regularly on the Threat Research Blog.
We can also be contacted through CyberArk Commons Channels -- an open community for developers, engineers and security professionals to discuss open source projects, DevOps, and the latest cybersecurity research.