The Hacker News

Azure CLI Password Spray Attacks Compromise 78 Microsoft Accounts

Cybersecurity researchers have identified a significant, ongoing, and automated password spray attack targeting Microsoft's Azure command-line interface (CLI). The attack, detailed by Huntress, has successfully compromised at least 78 Microsoft accounts. The malicious activity was observed between June 12 and June 26, originating from an IPv6 address range (2a0a:d683::/32) managed by the internet infrastructure provider LSHIY LLC, identified by Autonomous System number AS32167. The attackers made over 81 million attempts to gain unauthorized access.

The attackers used a brute-force approach, guessing credentials by trying common passwords and simple variations of them. Unlike a conventional brute-force attack that hammers one account with many passwords, a password spray tries a small set of passwords against many accounts, so each account stays under its lockout threshold and the activity is harder to catch with per-account controls. The scale, over 81 million attempts, points to a highly automated and persistent effort by the threat actors.

While the exact impact of the compromised accounts has not been fully detailed, the compromise of Azure CLI access can grant attackers significant control over cloud resources. This includes the ability to deploy, manage, and delete cloud services, access sensitive data stored within Azure, and potentially pivot to other systems within an organization's cloud infrastructure. The researchers have urged organizations to implement robust security measures to protect their Azure environments.

Huntress recommends several mitigation strategies for organizations to defend against such attacks. These include enabling multi-factor authentication (MFA) for all Azure accounts, enforcing strong password policies, and regularly reviewing Azure activity logs for suspicious login attempts or unusual resource modifications. Implementing conditional access policies that restrict access based on location, device, or user risk can also significantly enhance security. The ongoing nature of the attack underscores the persistent threat landscape faced by cloud environments and the critical need for continuous monitoring and proactive security practices.
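The log review Huntress recommends, as an added example that is not part of the original reporting: a small Python detector over constructed sign-in records that aggregates failed sign-ins per source network rather than per account (the shape password spraying takes), reports any successful sign-in from a flagged source, and checks whether the source falls inside the 2a0a:d683::/32 range named above. The record fields and the "Microsoft Azure CLI" application label are assumptions about how such logs look.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events shaped like simplified Entra ID sign-in records.
# The "Microsoft Azure CLI" app label is an assumption about how CLI sign-ins
# are tagged; 198.51.100.0/24 is a documentation range, not a real source.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "ip": "2a0a:d683:1::10", "app": "Microsoft Azure CLI", "ok": False},
    {"user": "bob@example.com",   "ip": "2a0a:d683:1::11", "app": "Microsoft Azure CLI", "ok": False},
    {"user": "carol@example.com", "ip": "2a0a:d683:1::12", "app": "Microsoft Azure CLI", "ok": False},
    {"user": "dave@example.com",  "ip": "2a0a:d683:1::13", "app": "Microsoft Azure CLI", "ok": False},
    {"user": "alice@example.com", "ip": "2a0a:d683:1::10", "app": "Microsoft Azure CLI", "ok": True},
    {"user": "erin@example.com",  "ip": "198.51.100.7",    "app": "Microsoft Azure CLI", "ok": False},
    {"user": "frank@example.com", "ip": "198.51.100.7",    "app": "Azure Portal",        "ok": False},
]

# Source range reported by Huntress for this campaign.
REPORTED_RANGE = ipaddress.ip_network("2a0a:d683::/32")

def source_key(ip):
    """Group IPv6 sources by /64 so an attacker rotating hosts in one block stays one source."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6:
        return ipaddress.ip_network((ip, 64), strict=False)
    return ipaddress.ip_network(ip)

def detect_spray(events, app="Microsoft Azure CLI", min_users=3):
    """Flag sources whose failed sign-ins to `app` span at least min_users distinct accounts.

    Spraying shows few failures per account but many accounts per source, so the
    aggregation is per source (lockout policies only count per account). Successful
    sign-ins from a flagged source are reported as possible compromises.
    """
    failed, succeeded = defaultdict(set), defaultdict(set)
    for e in events:
        if e["app"] != app:
            continue
        (succeeded if e["ok"] else failed)[source_key(e["ip"])].add(e["user"])
    alerts = []
    for src, users in failed.items():
        if len(users) < min_users:
            continue
        alerts.append({
            "source": str(src),
            "distinct_users": len(users),
            "in_reported_range": src.version == 6 and src.subnet_of(REPORTED_RANGE),
            "possibly_compromised": sorted(succeeded.get(src, ())),
        })
    return sorted(alerts, key=lambda a: a["source"])

if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_EVENTS):
        print(alert)
```

Tune `min_users` and the time window (omitted here) to your tenant's normal shared-NAT behaviour, otherwise a large office egress will trip the rule.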
