Microsoft’s Windows 365 Cloud PC may only be a few weeks old, but a security flaw has already been found that can be exploited to extract Microsoft Azure credentials.
The credential extraction is made possible by the open-source tool Mimikatz, created by security researcher Benjamin Delpy (one of the names associated with exposing the PrintNightmare vulnerabilities). Admin privileges are required to execute the exploit it is concerning nonetheless.
The exploit takes advantage of another vulnerability discovered by Delpy earlier in the year. He discovered a way to grab credentials for users logged into a Terminal Server, using the Terminal Service process to decrypt encrypted data.
Delpy tweeted about the vulnerability, using an animated GIF to show Mimikatz in action:
Bleeping Computer also tested the vulnerability using a trial account of Windows 365 Cloud PC. Lawrence Abrams explains:
After connecting through the web browser and launching mimikatz with Administrative privileges, we entered the
ts::logonpasswordscommand and mimikatz quickly dumped our login credentials in plaintext […] This works over the web browser as it’s still using the Remote Desktop Protocol.
While the fact admin privileges are needed to exploit the vulnerability, there are so many ways that this can be achieved that Delpy’s discovering remains deeply worrying. At the moment, Windows 365 does not support security features such as two-factor authentication, Windows Hello and smart cards, these are the sort of measures that are needed to protect credentials.
You can find out more about Mimikatz on GitHub.