@Secureworks just released a threat analysis regarding flaws our team found in #AzureAD Pass-through Authentication (PTA).

secureworks.com/research/azure…

The flaws allow threat actors to:
* Gather credentials
* Login with invalid credentials
* Conduct DoS attacks

1/3
How is this different from previous PTA exploits like #AADInternals PTASpy?
* After the initial compromise of a PTA agent, the exploitation is remote
* Exploitation can't be detected from the Azure portal or logs
* Exploit is persistent

2/3
What can administrators do if they detect a compromised PTA agent?
* Contact Microsoft support to remove the agent

How to protect / prevent?
* Treat all servers with PTA agent as Tier 0

3/3

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Dr. Nestori Syynimaa

Dr. Nestori Syynimaa Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @DrAzureAD

Jul 10
Okay, I just read JDs "scientific" paper.
TL;DR "CitizenLab has not shared all evidence publicly, so their research is fake."

According to JD, one needs to be at least a PhD student to be able to "asses" his research. So here we go.
The paper contains a lot of claims without any backing evidence. For instance, in "Author Overview":
Then to the famous APA formatting. It is indeed hard to follow them, because APA formatting was not used properly. Also, you shouldn't mix APA and footnotes.

To learn how to use APA format, JD could start by reading this quick guide:
guides.libraries.psu.edu/apaquickguide/…
Read 6 tweets
Apr 5
This @Secureworks report reveals various APIs that allowed unauthorized access to internal information of any Azure AD tenant.

1/4

secureworks.com/research/azure… Image
Most are now fixed, but two issues still exists.

First, you can query directory synchronisation status of any Azure AD tenant. This cannot be prevented, but keeping your synchronisation healthy keeps at least error messages away from others.

2/4
Second, the full name of the technical contact can be queried from any Azure AD tenant. This information is given when the tenant was created, and therefore is probably Global Admin.

The name is not shown in any admin portal, so you need contact MS support to change that.

3/4
Read 4 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(