New OAuth Based Attack Let Hackers Bypass Microsoft Entra Authentication Flows to Steal Keys
Just before the close of the year the security community was confronted with ConsentFix, an OAuth based attack that harvests authorization codes from Microsoft Entra tenants by abusing perfectly legitimate authentication flows.
The technique builds on the earlier ClickFix lure and shows that attackers keep refining and expanding their methods for targeting cloud based authentication systems.
ConsentFix works by crafting a Microsoft Entra login URL that targets the Azure CLI application and Azure Resource Manager, then luring the victim into opening that URL.
The attack chain starts when the unsuspecting user visits the malicious site. It rides on the standard OAuth 2.0 authorization code flow, the same flow most users go through every day when they log into cloud services, so the login prompt itself looks entirely normal.
The user authenticates successfully with their own credentials, and the browser is redirected to what appears to be a legitimate redirect URI, in this case a localhost address.
Instead of a legitimate application receiving the authorization code, the user sees an error page, because no service is listening on that localhost address.
The real problem is what follows. The URL of that error page still contains the sensitive authorization code, and the attacker simply instructs the victim to copy the URL and paste or drag and drop it into the attacker's page, in the same social engineering style as ClickFix.
As the Glueck Kanja analysts highlighted, “This technique is quite impressive because it doesn’t require the implementation of the Conditional Access policies and device compliance policies and is therefore dangerous in environments with strong security measures in place.”
Detection and Response Mechanisms
To identify this attack, security teams need to know what ConsentFix looks like in the logs. The Azure sign-in logs will show two separate authentication events that belong to the same session.
The first is the genuine interactive sign-in from the victim's IP address. The second is a non-interactive sign-in from the attacker's infrastructure, generated when the attacker redeems the stolen authorization code for an access token.
The timing relationship between these two events is where the best detection opportunity lies. Azure authorization codes are valid for roughly ten minutes, which bounds the window in which the attacker must exchange the code for tokens.
By correlating events that share the same SessionId, ApplicationId and UserId within that window, an analyst can surface attacker redemptions.
In addition, the IP address will typically differ between the two events, since the victim and the attacker are on different machines.
More refined detection logic can also filter out legitimate automated scenarios such as GitHub Codespaces, which completes the same authentication dance in a matter of seconds, far faster than a human copying a URL from one window into another.
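The following is an added detection example written for this article; it is not code from the original page or from the analysts who described ConsentFix. It applies the three signals above (shared UserId/ApplicationId/SessionId, redemption within the ten minute code lifetime, and a change of IP address) to a small set of constructed sign-in events, and suppresses pairs that complete within a few seconds to account for automated flows such as GitHub Codespaces. The field names, the 30 second automation threshold and the sample records are assumptions; in production the same logic would run as a query over your SIEM's interactive and non-interactive sign-in tables.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in events (not real log data). The field names mirror
# the SessionId / ApplicationId / UserId correlation keys the article describes;
# the exact schema of your sign-in log export is an assumption and may need mapping.
SAMPLE_EVENTS = [
    # Case A: victim signs in interactively, attacker redeems the code four
    # minutes later from different infrastructure -> should be flagged.
    {"time": "2024-12-20T10:00:00Z", "user_id": "user-a", "app_id": "app-cli",
     "session_id": "sess-a", "ip": "203.0.113.10", "interactive": True},
    {"time": "2024-12-20T10:04:00Z", "user_id": "user-a", "app_id": "app-cli",
     "session_id": "sess-a", "ip": "198.51.100.7", "interactive": False},
    # Case B: automated flow (Codespaces-like) that redeems the code three
    # seconds after the interactive sign-in from another IP -> suppressed.
    {"time": "2024-12-20T10:10:00Z", "user_id": "user-b", "app_id": "app-cli",
     "session_id": "sess-b", "ip": "203.0.113.20", "interactive": True},
    {"time": "2024-12-20T10:10:03Z", "user_id": "user-b", "app_id": "app-cli",
     "session_id": "sess-b", "ip": "192.0.2.33", "interactive": False},
    # Case C: ordinary local CLI login, both events from the same IP -> not flagged.
    {"time": "2024-12-20T10:20:00Z", "user_id": "user-c", "app_id": "app-cli",
     "session_id": "sess-c", "ip": "203.0.113.30", "interactive": True},
    {"time": "2024-12-20T10:20:45Z", "user_id": "user-c", "app_id": "app-cli",
     "session_id": "sess-c", "ip": "203.0.113.30", "interactive": False},
    # Case D: non-interactive event outside the ten minute code lifetime -> not
    # flagged, because it cannot be the redemption of this authorization code.
    {"time": "2024-12-20T10:30:00Z", "user_id": "user-d", "app_id": "app-cli",
     "session_id": "sess-d", "ip": "203.0.113.40", "interactive": True},
    {"time": "2024-12-20T10:45:00Z", "user_id": "user-d", "app_id": "app-cli",
     "session_id": "sess-d", "ip": "198.51.100.9", "interactive": False},
]

CODE_LIFETIME_SECONDS = 600   # authorization code validity of about ten minutes
AUTOMATION_GAP_SECONDS = 30   # assumed tuning knob: faster exchanges look automated


def parse_ts(value: str) -> datetime:
    """Parse the ISO 8601 UTC timestamps used in the constructed sample."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_consentfix_candidates(events,
                               code_lifetime_seconds=CODE_LIFETIME_SECONDS,
                               automation_gap_seconds=AUTOMATION_GAP_SECONDS):
    """Pair each interactive sign-in with a later non-interactive sign-in that
    shares (user_id, app_id, session_id), occurred within the code lifetime and
    came from a different IP. Pairs completing faster than automation_gap_seconds
    are dropped as likely automation (e.g. GitHub Codespaces)."""
    code_lifetime = timedelta(seconds=code_lifetime_seconds)
    automation_gap = timedelta(seconds=automation_gap_seconds)

    groups = defaultdict(list)
    for ev in events:
        groups[(ev["user_id"], ev["app_id"], ev["session_id"])].append(ev)

    hits = []
    for (user_id, app_id, session_id), evs in groups.items():
        interactive = [e for e in evs if e["interactive"]]
        redemptions = [e for e in evs if not e["interactive"]]
        for first in interactive:
            t0 = parse_ts(first["time"])
            for second in redemptions:
                gap = parse_ts(second["time"]) - t0
                if gap < timedelta(0) or gap > code_lifetime:
                    continue  # not the redemption of this authorization code
                if second["ip"] == first["ip"]:
                    continue  # same machine: a normal CLI login
                if gap < automation_gap:
                    continue  # too fast for a human copy/paste; treat as automation
                hits.append({
                    "user_id": user_id,
                    "app_id": app_id,
                    "session_id": session_id,
                    "victim_ip": first["ip"],
                    "attacker_ip": second["ip"],
                    "gap_seconds": int(gap.total_seconds()),
                })
    return hits


if __name__ == "__main__":
    for hit in find_consentfix_candidates(SAMPLE_EVENTS):
        print(hit)
```

Run against the sample, only Case A is reported. Lowering automation_gap_seconds to zero also surfaces the Codespaces-like pair, which is the trade-off the article alludes to: the threshold is what separates a human dragging a URL into an attacker's page from an automated client that finishes the exchange immediately, so it should be tuned to the automation actually present in your tenant.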