Over the past few days, researchers at Gem Security have been tracking what appears to be an organized credential stuffing attack playing out on Azure cloud environments. This post serves as a community warning about the attack, and provides recommendations that organizations can use to defend themselves against it.
What are We Seeing?
Across multiple customer environments, we are seeing numerous brute-force authentication attempts against the Azure application “Microsoft Azure CLI”, all sharing a common user agent:
AZURECLI/2.47.0 (DEB) azsdk-python-azure-mgmt-resource/22.0.0 Python/3.10.10 (Linux-5.4.0-137-generic-x86_64-with-glibc2.31)
Most logins to the Microsoft Azure CLI application occur with one of two types of user agent: either a browser-like UA associated with a login completed in a web browser, or a “python-requests” UA that usually indicates credentials were entered directly in the CLI. This particular user agent, which we had not observed in the wild until this attack, stands out both because it fits into neither of these common buckets and because the behavior patterns we observed alongside it are quite unusual. Tracking this user agent provides a simple, yet powerful, method for identifying instances of this campaign.
Interestingly enough, the initial finding leading to the exposure of this attack originated from a different detection technique provided by Gem. We monitor for unusual sign-ins to Azure applications (like Azure DevOps, Microsoft Azure CLI, and Azure Portal) by users who are only using Corporate Applications, such as Office 365 and Sharepoint.
This detector exposed users with no history of Azure CLI connections attempting their first log-in with an unusual user agent. The spike in the alert led us to take a deeper look, and identification of this user agent allowed for easier global monitoring without the need for detailed behavior analysis using our “Gem Profiles” mechanism. In our historical analysis, we have observed that only 2% of login requests included correct credentials for the relevant user, and of the requests with correct credentials, most logins still failed due to MFA.
The credential stuffing attacks are coming from numerous IP addresses, without much discernible pattern. Most IP addresses originate in the US, with smaller numbers from China and Brazil. Many of the source IPs are not on known-bad IP watch lists. As such, organizations cannot rely on IP filtering alone to defend against this attacker.
Retroactive analysis indicates that these attacks have been occurring since April 16, 2023. We are seeing this attack pattern across nearly all of our Azure customer environments, without regard to company features like industry or size.
Related Activity Patterns
Gem researchers have identified that the IP addresses used by attackers were also frequently observed making requests to log into email services using legacy email protocols which do not support multi-factor authentication. The user agent used for this email activity is also fairly common across attacks. This user agent is: BAV2ROPC
This user agent is known to be associated with successful password spraying attacks which have bypassed MFA. Of the 3,014 malicious IP addresses that Gem identified, 620 of them also used the user agent BAV2ROPC.
Research is ongoing into the further common actions taken by the attackers after a successful account compromise.
How You Can Defend Against the Attack
Gem recommends that organizations scan their telemetry for requests with the unusual user agent string to search for signs of attack. Any account with a successful login request containing the relevant user agent string should be considered compromised, and credentials should be rotated immediately. Organizations should also review their cloud logs for all actions taken by potentially compromised accounts to monitor for signs of lateral movement (paying particular attention to email access as noted above).
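A simplified version of the telemetry sweep recommended above, written here as an added example (it is not Gem’s own code): it scans constructed sign-in records that use simplified SigninLogs-style field names, treats any successful sign-in to Microsoft Azure CLI with the campaign user agent as a compromised account, counts failed attempts per source IP, and correlates those IPs with the BAV2ROPC legacy-authentication activity described earlier. The field names, sample accounts, IP addresses and non-zero result codes are assumptions made for the example.

```python
import json
from collections import defaultdict

# User agent strings quoted in the post; both are matched exactly.
CAMPAIGN_UA = ("AZURECLI/2.47.0 (DEB) azsdk-python-azure-mgmt-resource/22.0.0 "
               "Python/3.10.10 (Linux-5.4.0-137-generic-x86_64-with-glibc2.31)")
LEGACY_AUTH_UA = "BAV2ROPC"
AZURE_CLI_APP = "Microsoft Azure CLI"

def rec(user, app, ua, ip, result):  # one simplified SigninLogs-style record
    return {"UserPrincipalName": user, "AppDisplayName": app, "UserAgent": ua,
            "IPAddress": ip, "ResultType": result}

# Constructed sample log, one JSON object per line. ResultType "0" is a success;
# any other value is a failure (the non-zero codes here are illustrative only).
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    rec("alice@example.com", AZURE_CLI_APP, CAMPAIGN_UA, "203.0.113.10", "50126"),
    rec("bob@example.com", AZURE_CLI_APP, CAMPAIGN_UA, "203.0.113.10", "50126"),
    rec("erin@example.com", AZURE_CLI_APP, CAMPAIGN_UA, "203.0.113.10", "50076"),
    rec("carol@example.com", AZURE_CLI_APP, CAMPAIGN_UA, "198.51.100.7", "0"),
    rec("dave@example.com", AZURE_CLI_APP, "Mozilla/5.0 (Windows NT 10.0)", "192.0.2.5", "0"),
    rec("carol@example.com", "Office 365 Exchange Online", LEGACY_AUTH_UA, "198.51.100.7", "50126"),
    rec("frank@example.com", "Office 365 Exchange Online", LEGACY_AUTH_UA, "192.0.2.99", "0"),
])

def parse_signin_log(text):  # newline-delimited JSON -> list of dicts
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def analyze(records):  # flag campaign sign-ins, correlate source IPs with legacy auth
    failures_by_ip = defaultdict(int)
    compromised, campaign_ips, legacy_ips = set(), set(), set()
    for r in records:
        ua, ip = r.get("UserAgent", ""), r.get("IPAddress", "")
        if ua == CAMPAIGN_UA and r.get("AppDisplayName") == AZURE_CLI_APP:
            campaign_ips.add(ip)
            if r.get("ResultType") == "0":
                compromised.add(r["UserPrincipalName"])  # rotate these credentials
            else:
                failures_by_ip[ip] += 1
        elif ua == LEGACY_AUTH_UA:  # legacy protocol sign-in that cannot use MFA
            legacy_ips.add(ip)
    return {
        "compromised_accounts": sorted(compromised),
        "campaign_source_ips": sorted(campaign_ips),
        "ips_also_using_legacy_auth": sorted(campaign_ips & legacy_ips),
        "failed_attempts_by_ip": dict(failures_by_ip),
    }

if __name__ == "__main__":
    print(json.dumps(analyze(parse_signin_log(SAMPLE_LOG)), indent=2))
```

On the sample data this reports carol@example.com as compromised, three failed stuffing attempts from 203.0.113.10, and 198.51.100.7 as a campaign IP that also used BAV2ROPC; accounts with a successful legacy-auth sign-in from a campaign IP deserve the same credential rotation and log review.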
It’s important to note that so far, the Gem platform has not observed any malicious activity associated with the compromised accounts within the affected organizations’ cloud environments. This indicates that the original attacker is likely attempting to monetize the attack by selling the validated compromised credentials to another party, and it gives organizations that have been compromised a window of opportunity to prevent the attack from escalating.
Of course, it is also recommended to enable MFA for all users, including external vendors. MFA proved to be extremely valuable in protecting customers from this attack.
How Gem Can Help
Using Gem ensured that our customers had the visibility they needed to detect this attack. Upon discovering this attack pattern, the Gem team immediately distributed a high-severity alert tracking any compromised accounts from April 16th onwards, notifying customers immediately if they were impacted by the attack. Further, Gem not only helped our customers understand whether or not they were breached, but also what the impact of the breach was in their environment. Gem’s automatic log analysis and investigation capabilities profiled the actions taken by all compromised identities in the cloud, and immediately surfaced any unusual activity related to the compromised accounts.