TLP: White | HC3 Alert (Amplify): No Fix for Azure Active Directory Password Brute-Forcing Flaw | September 28, 2021

Executive Summary

A newly discovered bug in Microsoft Azure's Active Directory implementation enables unauthenticated, single-factor brute-forcing of credentials against an Azure Active Directory instance. At the time of this alert there is no patch available for this vulnerability.

Report

New Azure Active Directory password brute-forcing flaw has no fix
https://arstechnica.com/information-technology/2021/09/new-azure-active-directory-password-brute-forcing-flaw-has-no-fix/

Impact to HPH Sector

This vulnerability is expected to impact the health sector because Microsoft Active Directory technology is ubiquitous and heavily utilized across the sector. The nature of this vulnerability allows for compromise with minimal possibility of detection, and the lack of a patch makes it more challenging still, leaving administrators and network defenders with minimal visibility into an attacker's actions. HC3 recommends that healthcare organizations take mitigation actions in accordance with their unique risk posture and continue to monitor for patches or further recommendations.

References

Hit Me Baby One More Time: New Azure Active Directory password brute-forcing flaw has no fix
https://arstechnica.com/information-technology/2021/09/new-azure-active-directory-password-brute-forcing-flaw-has-no-fix/

New Azure Active Directory password brute-forcing flaw has no fix
https://www.techzonedaily.com/new-azure-active-directory-password-brute-forcing-flaw-has-no-fix/

The new Azure Active Directory password brute force cracking vulnerability has not been fixed
https://updatednews24.com/the-new-azure-active-directory-password-brute-force-cracking-vulnerability-has-not-been-fixed/

Contact Information

If you have any additional questions, please contact us at HC3@hhs.gov