Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Windows Hello. Show all posts
Windows Hello
2FA. Cyber Security Microsoft Azure Plaintext Windows 10 Windows Hello

Microsoft Azure Credentials Exposed in Plaintext by Windows 365

 

Mimikatz has been used by a vulnerability researcher to dump a user's unencrypted plaintext Microsoft Azure credentials from Microsoft's new Windows 365 Cloud PC service. Benjamin Delpy designed Mimikatz, an open-source cybersecurity software that allows researchers to test various credential stealing and impersonation vulnerabilities.

Microsoft's Windows 365 cloud-based desktop service went live on August 2nd, allowing customers to rent Cloud PCs and access them via remote desktop clients or a browser. Microsoft offered free virtual PC trials, which rapidly sold out as consumers hurried to receive their two-month free Cloud PC. 

Microsoft announced their new Windows 365 cloud-based virtual desktop experience at the Inspire 2021 conference, which allows organizations to deploy Windows 10 Cloud PCs, as well as Windows 11 eventually, on the cloud. This service is built on top of Azure Virtual Desktop, but it has been modified to make managing and accessing a Cloud PC easier. 

Delpy told that he was one of the lucky few who was able to receive a free trial of the new service and began testing its security. He discovered that the brand-new service allows a malicious programme to dump logged-in customers' Microsoft Azure plaintext email addresses and passwords. The credential dumps are carried out using a vulnerability he identified in May 2021 that allows him to dump plaintext credentials for Terminal Server users. While a user's Terminal Server credentials are encrypted when kept in memory, Delpy claims he could decrypt them using the Terminal Service process. 

To test this technique, BleepingComputer used a free Cloud PC trial on Windows 365. They entered the "ts::logonpasswords" command after connecting through the web browser and started mimikatz with administrative privileges, and mimikatz promptly dumped their login credentials in plaintext. 

While mimikatz was designed for researchers, threat actors frequently use it to extract plaintext passwords from the LSASS process' memory or perform pass-the-hash attacks utilizing NTLM hashes due to the power of its different modules. Threat actors can use this technique to spread laterally across a network until they gain control of a Windows domain controller, allowing them to take control of the entire Windows domain.

To protect against this method, Delpy recommends 2FA, smart cards, Windows Hello, and Windows Defender Remote Credential Guard. These security measures, however, are not yet accessible in Windows 365. Because Windows 365 is oriented toward enterprises, Microsoft is likely to include these security protections in the future, but for the time being, it's crucial to be aware of the technique.
Read more »
Windows Hello
Passwordless Vulnerabilities and Exploits Windows Windows Hello

BHUSA: Windows Hello Passwordless Bypass Disclosed

 

Passwords are usually a vulnerable spot in security, which is why alternatives like Microsoft Hello, which gives a passwordless approach to authentication, are gaining popularity. While Windows Hello promises to provide a more protected experience than conventional passwords, it's a method that might have been circumvented. 

Speaking at the Black Hat USA on August 5, Omer Tsarfati, a security researcher from CyberArk, described a comprehensive attack chain that he used to circumvent Windows Hello. The problems of using regular passwords, according to Tsarfati, are well understood. They are frequently weak and readily crackable, are vulnerable to phishing attempts, and many users reuse passwords across different sites. 

The central point behind passwordless is that instead of using a password, another kind of authentication technology is used to log on to a system. Biometrics, such as fingerprint scanning or face recognition, can be used in passwordless methods. 

Windows Hello is Microsoft's version of a passwordless approach, which launched in Windows 10. Users may utilize face recognition to get access to a system, among other things, with Windows Hello. 

Tsarfati determined that he would need a separate camera to figure out how to get around Windows Hello's face recognition. To that purpose, he purchased an NXP evaluation board, which can connect to a Windows PC through USB and give camera capability. 

Tsarfati's objective was to have the USB device replicate what a genuine Windows system camera would offer to Windows Hello in order to discover what the system is actually processing as it decides whether or not to grant access. 

He found that Windows Hello requires cameras to have an infrared (IR) sensor. In order for Windows Hello to work, the camera must be capable to transmit both a color image and IR frames. 

"Windows Hello doesn't really pay attention to anything that you're sending in the color frames. It's only relying on the infrared, I sent frames of SpongeBob and it worked," Tsarfati stated. 

An attacker would just need a customized USB device that imitates a camera to bypass Windows Hello. That USB gadget would then have to be capable of transmitting an infrared picture, which could be acquired from a victim. 

Tsarfati did not go into considerable detail about how a probable attacker would proceed about capturing an IR image from a victim, but he did show with his own IR image how the Windows Hello bypass works. 

The vulnerability was officially recognized as CVE-2021-34466, which Microsoft patched in July after Tsarfati and CyberArk responsibly revealed it to Microsoft in March of this year.
Read more »
Subscribe to: Posts (Atom)