Our Blog



Beware Password Spray style attacks targeting your ADFS

While we still need to rely on passwords, we now have to be aware of ‘Password Spray’ style attacks which target our ADFS. In the past, attackers would simply launch a ‘Brute Force Attack’ to try and effectively guess someone’s correct password to gain access – these days attackers are moving towards a more stealthy approach where they might automate this process over a much longer time frame so they don’t trip any alarms or trigger any alerts.

The FBI released this Alert in late March 2018: Brute Force Attacks Conducted by Cyber Actors.

This “Slow and Low” method appears to be becoming more commonplace and one area in particular that has been targeted is a customer’s externally facing ADFS mechanism – this is particularly seen as a valuable target because the malicious traffic can sometimes be hidden/masked amongst genuine traffic and it can offer very valuable credentials possibly across more than one organisation if successful.

Given that the ADFS must be connected to the public internet to work it does pose something of an attack vector that can be vulnerable. If you even slightly believe “it can’t be that easy to gain access through ADFS,” then you might want to review this very informative article from Beau Bullock @ BlackHills InfoSec on how this can be achieved! In essence, once you have determined the valid accounts, simply try all accounts with one password at a time and this should leave enough time between each attempt to allow the “lockout threshold” timeout to expire.

So, with ADFS being a potential weak point that could be compromised to gain entry, how can we improve the security around this authentication mechanism? On March 5th of this year, Microsoft released this article on Azure AD and ADFS best practices – Defending against password spray attacks, in which multi-factor authentication (MFA) and a number of other elements that can be applied to improve security – however Microsoft has now released an updated and more improved article – Monitor your ADFS sign-in activity using Azure AD Connect Health’s risky IP reports.

With Azure AD Connect Health, Microsoft’s “Risky IP Reports” now lets you:

  • Easily detect risky external IP addresses that are generating large numbers of failed logins
  • Get instant email notifications when risky IP addresses are detected
  • Download detailed reports to perform offline analysis or share within your organisation
  • Customise your threshold settings to match the security policy of your organisation

A mechanism to differentiate a single user attack pattern versus multi-user attack pattern.

One simple indicator of malicious activity: "Unique Users Attempted" (count of unique user accounts attempted from the IP address during the detection time window. This provides a mechanism to differentiate a single user attack pattern versus multi-user attack pattern.)

We have recently seen incidents just like this where customers were asking specifically for this level of detail to get a better handle on exactly what was going on. In some cases it’s not just the security folks wanting background information. Customers are requesting information in a much easier to digest “Executive Summary” format now as well because it can be so time consuming to create this summary – and this is *exactly* what they need for the C-Level and the Board.

Summary: If you have ADFS in play, either on-premises or in Azure then it would be a good idea to consider improving your security posture with this control.

And hopefully somewhere down the track we can get to a point where we don’t even need or use passwords anymore… But in the meantime we hope this helps you improve your security posture. 

Posted by: David Caddick, TS - Enterprise Solutions - Cloud Design & Integration | 10 May 2018

Tags: Privacy, Security, ADFS

Top Rated Posts

Blog archive

Stay up to date with all insights from the Empired blog