Isn't it about time Microsoft and Azure got serious about security within their cloud environments?
A financially motivated cyber-gang tracked by Mandiant as 'UNC3944' is using phishing and SIM swapping attacks to hijack Microsoft Azure admin accounts and gain access to virtual machines.
When SIM swapping comes into play I don't think many services will stand up to an attack. I believe even suspicious login attempts are gotten around with the MFA verification. The real answer here is that companies should require their admins to use hardware keys. Taking the SIM out of the equation takes the risk out....
@JKWiniger The question then is whether they will mandate such controls or update their procedures to ensure potential risk is mitigated, or whether laziness will pervade?
@Caute_cautim I have found that I seem to live in my own little bubble of rainbows, lollipops, and updated policies!! I have no idea if I am the only one who gets frustrated over the fact that we tell people what they need to do but nope! I guess it's why I feel like security still sits at the kids' table...
SIM swapping attacks
Yes, we need to be disabling SMS/voice MFA, just as NIST advises, and not just for admin accounts. Most every SAML offering I have encountered offers stronger alternatives, such as TOTP, push-notification, passkeys etc. and the option to disable SMS in our own SAML IdP instances. The part I do not understand is why the SAML-as-a-service providers have not yet made SMS disabled-by-default.
That said, we need to be careful to not vilify SMS too strongly because the true enemy is plain passwords, holding about 90% of the authentication "market share". Here is an interesting article that makes that point.
Twitter provides an interesting use case. Last month they discontinued SMS for 95% of their users. Prior to the change Twitter reported the following stats. It will be interesting to see how they change in the next report (if it does not fall victim to the "chaos" occurring within Twitter).
2.6% - Percentage of active Twitter accounts with at least one 2FA method enabled on average over the reporting period.
Types of 2FA (breakdown of 2FA methods by percentage of accounts that have each enabled; note: accounts can enable multiple 2FA methods):
Auth App: 28.9%
Security Key: 0.5%
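The posts above argue for removing SMS/voice MFA from admin accounts and requiring hardware keys. A defender's first step is knowing which privileged accounts still rely on a phone number. The script below is an added example, not code from this thread or from Microsoft: it audits a constructed set of admin accounts whose registered methods are shaped like the records Microsoft Graph returns from a user's authentication methods listing, and reports who is SMS-only, who still has SMS registered as a fallback, and who lacks a phishing-resistant method. The `@odata.type` names are assumed from the Graph documentation; the sample accounts, the `fetch`-less design (the data is embedded rather than pulled from a tenant) and the severity tiers are this example's own choices.

```python
"""Audit privileged accounts for SIM-swap exposure in their MFA registrations.

Added example. The input dictionaries are constructed to mirror the shape of
Microsoft Graph "authentication methods" records; the type names below are
assumed from Graph documentation, not taken from this thread.
"""

# Methods that depend on a phone number (SMS or voice call): SIM-swappable.
SMS_VOICE_TYPES = {"#microsoft.graph.phoneAuthenticationMethod"}

# Methods that resist phishing because the credential is bound to the origin.
PHISHING_RESISTANT = {
    "#microsoft.graph.fido2AuthenticationMethod",
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod",
}

# Stronger than SMS, but an OTP or push approval can still be phished.
STRONG_BUT_PHISHABLE = {
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
    "#microsoft.graph.softwareOathAuthenticationMethod",
}

# Constructed sample: four admin accounts with different registrations.
SAMPLE_ADMINS = {
    "alice@example.com": [
        {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"},
        {"@odata.type": "#microsoft.graph.phoneAuthenticationMethod", "phoneType": "mobile"},
    ],
    "bob@example.com": [
        {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"},
        {"@odata.type": "#microsoft.graph.phoneAuthenticationMethod", "phoneType": "mobile"},
        {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"},
    ],
    "carol@example.com": [
        {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"},
        {"@odata.type": "#microsoft.graph.fido2AuthenticationMethod", "model": "example key"},
    ],
    "dave@example.com": [
        {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"},
    ],
}


def registered_types(methods):
    """Return the set of method type names present in a user's registration."""
    return {m.get("@odata.type") for m in methods}


def strongest_level(methods):
    """Classify a user by the strongest second factor they have registered."""
    types = registered_types(methods)
    if types & PHISHING_RESISTANT:
        return "phishing_resistant"
    if types & STRONG_BUT_PHISHABLE:
        return "phishable"
    if types & SMS_VOICE_TYPES:
        return "sms_only"
    return "no_mfa"


def audit(admins, require_phishing_resistant=True):
    """Return {upn: {"level": ..., "issues": [...]}} for every account.

    An empty issue list means the account meets the policy: at least one
    phishing-resistant method and no SMS/voice method left registered.
    """
    results = {}
    for upn, methods in admins.items():
        level = strongest_level(methods)
        types = registered_types(methods)
        issues = []
        if level == "no_mfa":
            issues.append("no MFA method registered")
        elif level == "sms_only":
            issues.append("only SMS/voice MFA registered (SIM-swap exposure)")
        elif types & SMS_VOICE_TYPES:
            # A stronger method exists, but the phone fallback still lets an
            # attacker who controls the number downgrade to SMS.
            issues.append("SMS/voice still registered as a fallback; remove it")
        if require_phishing_resistant and level in ("sms_only", "phishable"):
            issues.append("no phishing-resistant method (FIDO2 / WHfB) registered")
        results[upn] = {"level": level, "issues": issues}
    return results


if __name__ == "__main__":
    for upn, finding in audit(SAMPLE_ADMINS).items():
        status = "OK" if not finding["issues"] else "; ".join(finding["issues"])
        print(f"{upn:22} {finding['level']:20} {status}")
```

In a real tenant the per-user method list would come from the Graph API with an appropriately scoped read-only permission; the classification and reporting logic stays the same. Running the audit on a schedule and alerting when an admin account regresses to an SMS-capable state is a cheap detective control to pair with the preventive one (disabling SMS/voice as an allowed method).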
Phishing has been a great challenge for all organizations. A compromise of admin credentials would have a huge impact on the organization. Hardware tokens would be one way to mitigate the risk, and what is most important is awareness of the privileged users. They should be given role-based training frequently so they better understand the risk of holding admin-level credentials and of being the favorite target of cybercriminals; therefore, they must remain vigilant and not fall for social engineering attacks.
Further, the organization should use a Privileged Access Management system with auto-rotation of admin credentials after every few hours to further mitigate the risk of compromised credentials.