A critical flaw in the company's rate limit for failed sign-in attempts allowed unauthorized access to a user account, including Outlook emails, OneDrive files, Teams chats, Azure Cloud, and more.

Source: Fabio Principe via AdobeStock Photo

Researchers cracked a Microsoft Azure method for multifactor authentication (MFA) in about an hour, due to a critical vulnerability that allowed them unauthorized access to a user's account, including Outlook emails, OneDrive files, Teams chats, Azure Cloud, and more.

Researchers at Oasis Security discovered the flaw, which was present due to a lack of rate limit for the amount of times someone could attempt to sign in with MFA and fail when trying to access an account, they revealed in a blog post on Dec. 11. The flaw exposed the more than 400 million paid Microsoft 365 seats to potential account takeover, they said.

When signing into a Microsoft account, a user supplies their email and password and then selects a pre-configured MFA method. In the case used by the researchers, they are given a code by Microsoft via another form of communication to facilitate sign-in.

The researchers achieved the bypass, which they dubbed "AuthQuake," by "rapidly creating new sessions and enumerating codes," Tal Hason, an Oasis research engineer, wrote in the post. This allowed them to demonstrate "a very high rate of attempts that would quickly exhaust the total number of options for a 6-digit code," which is 1 million, he explained.

"Simply put — one could execute many attempts simultaneously," Hason wrote. Moreover, during the multiple failed attempts to sign in, account owners did not receive any alert about the activity, "making this vulnerability and attack technique dangerously low profile," Hason wrote.

Related:'Dubai Police' Lures Anchor Wave of UAE Mobile Attacks

Oasis informed Microsoft of the issue, which acknowledged its existence in June and fixed it permanently by Oct. 9, the researchers said. "While specific details of the changes are confidential, we can confirm that Microsoft introduced a much stricter rate limit that kicks in after a number of failed attempts; the strict limit lasts around half a day," Hason wrote.

**Ample Time to Guess MFA Code**

Another issue that allowed for the MFA bypass was that the available timeframe an attacker had to guess a single code was 2.5 minutes longer than the recommended timeframe for a time-based one-time password (TOTP) according to RFC-6238, the Internet Engineering Task Force (IETF) recommendation for implementing MFA authentication.

RFC-6238 recommends that a code expires after 30 seconds; however, most MFA applications provide a short grace period and allow these codes to be valid longer.

"This means that a single TOTP code may be valid for more than 30 seconds," Hason explained. "The Oasis Security Research team's testing with Microsoft sign-in showed a tolerance of around three minutes for a single code, extending 2.5 minutes past its expiry, allowing 6x more attempts to be sent."

Related:Chinese Cops Caught Using Android Spyware to Track Mobile Devices

This extra time meant that the researchers had a 3% chance of correctly guessing the code within the extended timeframe, Hason explained. A malicious actor trying to crack the code would have been likely to proceed and run further sessions until they hit a valid guess, which the researchers proceeded to do without encountering any limitations, he said.

After 24 sessions of trying to guess the code, which would take around 70 minutes, a malicious actor would already pass the 50% chance of hitting the valid code. In their research, the Oasis team attempted this method several times, and once even found they guessed the code early on in the process, exposing how quickly MFA could be bypassed.

**Best Practices for Safe MFA**

While MFA is still considered one of the most secure ways to protect passwords to online accounts, the research demonstrates that no system is completely attacker-proof. Oasis recommended that organizations continue to use either authenticator apps or strong passwordless methods for protecting user accounts from malicious attacks.

Related:Europol Cracks Down on Holiday DDoS Attacks

Other best practices include one that has long been recommended for years as part of basic password hygiene: users should change passwords to their online accounts frequently. Moreover, any organization using MFA to protect accounts should add a mail alert to notify users of failed MFA attempts, even if they don't notify them of every failed password sign-in attempt, Hason noted.

This latter advice also should be applied to any organization building MFA into a system or application, according to Oasis. MFA app designers also should ensure they include rate limits that don't allow for indefinite attempts to sign in, and lock an account after a certain time to limit successful MFA attacks or bypasses.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Researchers Crack Microsoft Azure MFA in an Hour


Velneo vClient on its 28.1.3 version, could allow an attacker with knowledge of the victims's username and hashed password to spoof the victim's id against the server.



Es conveniente leer la información siguiente antes de actualizar a esta versión

**

**Información importante sobre los ejecutables de 32 bits para Windows**



**

Esta es la última versión en la que se distribuirán los ejecutables de 32 bits para Windows.

**

**Los comandos y opciones de compactar y vaciar tabla estaban disponibles solamente en servidores cloud y con suscripción (Resuelta en 32.1)**



**

**

Nuevo sistema de activación de licencias de Velneo vServer



**

A partir de la versión 32 cambia el sistema de licenciamiento y las licencias se activarán desde

Velneo vAdmin

. Haz clic

aquí

para ampliar información al respecto.

En mi Velneo, ahora verás que una licencia tiene dos códigos distintos, uno con el formato **VLS-XXXX-XXX**, que será el que se deberá usar para activarla con la versión 32 y superiores y el otro, que usaremos cuando queramos activarla en servidores de la versión 31 o anteriores, que se seguirá activando con

Velneo vActivator

.

**

A partir de esta versión todos los servidores arrancarán con protocolo VATPS



**

El

protocolo VATPS

permite establecer conexiones seguras estándar TLS/SSL lo que provee de privacidad e integridad a las comunicaciones en red entre todos los componentes de Velneo. Es decir, no solo la comunicación se envía cifrada entre los componentes, si no que es inviolable, ya que garantiza que nadie puede modificar la información que se transmite, además de garantizarnos con qué servidor nos hemos conectado.

**

Incidencia con controles dibujo en dispositivos con procesadores Apple Silicon con sistema operativo Ventura



**

Hemos detectado una incidencia que produce un efecto de ralentización del interfaz la primera vez durante unos segundos cuando visualizamos o editamos un formulario con un control dibujo/objeto dibujo. Parece una incidencia de sistema operativo, ya que este efecto se produce también en versiones anteriores ya publicadas en las que no se observaba ese comportamiento y ha comenzado a producirse tras la última actualización de macOS Ventura en equipos con procesadores Apple Silicon.

**

Mejoras de seguridad en validación de usuario y contraseña



**

Con el fin de mejorar la seguridad del

inicio de sesión

en Velneo, se evita enviar el hash de la contraseña, sustituyendo el sistema de login con uno más moderno y seguro.

En breve, aparecerá publicado en

CVE

con el fin de advertir y propiciar la actualización a esta versión.

**

Funciones remotas y compatibilidad con versiones anteriores de Velneo



**

Por defecto, un servidor de la 32 no permite recibir peticiones de ejecución de funciones remotas desde versiones anteriores. En el caso de que queramos hacer esto posible, debemos una clave beta en la máquina donde tengamos instalado el servidor de la versión 32.

Las claves beta son entradas en la rama **beta** de Velneo del registro del sistema operativo. Se recomienda generarlas desde un proceso con el comando de instrucción de proceso

Configuración de sistema: Escribir cadena de texto

para establecerlos, ejecutándolo en 3er plano. Los parámetros se resolverán como indicamos a continuación:

Configuración de sistema: Escribir cadena de texto ( "Velneo", "beta", "clave", "valor" ):

*   **Clave**: enableRetrocompatibildadFuncionesRemotas
    

*   **Valor**: 3BFD2F9B103174596FF78C23CE8DDE77EC917BEA
    

**

Rejillas: la CSS que se aplica a los ítems de rejillas, se aplican también a las columnas de campos de tipo objeto texto y objeto dibujo



**

En versiones anteriores no se aplicaban correctamente las CSS de ítem de

rejilla

en columnas de campos de tipo objeto texto enriquecido y objeto dibujo; ahora hemos mejorado la plataforma para que también las aplique.

Al aplicar el ajuste del texto (wordwrap) en una CSS, el ajuste en textos largos puede resultar distinto.

**

Cómo activar la nueva interfaz Velneo vAdmin



**

Velneo vAdmin estrena nueva interfaz. Para probarla no tienes más que

activarla

.

**

Funcionalidades no disponibles en la nueva interfaz de Velneo vAdmin y en Velneo vAdmin Web



**

*   Alta y modificación de
    
    disco
    
    .
    

**

Mejoras de rendimiento en beta



**

Si quieres disfrutar de la versión beta de estas opciones, debes activar ciertas claves beta correspondiente en el cliente (en el caso de los objetos de interfaz) y también en el servidor (en el caso de procesos).

Las claves beta son entradas en la rama **beta** de Velneo del registro del sistema operativo. Se recomienda generarlas desde un proceso con el comando de instrucción de proceso

Configuración del sistema: escribir cadena texto

para establecerlos, ejecutándolo en 1º y 3º plano según corresponda. Los parámetros se resolverán como indicamos a continuación

Configuración de sistema: Escribir cadena de texto ( "Velneo", "beta", "clave", "valor" )

Ejecutar la aplicación, lanzar el proceso en primero y/o tercer plano, según corresponda.

En el ámbito del cliente, las claves serán operativas en siguientes sesiones que se lancen del mismo.

En el ámbito del servidor, las claves serán operativas en cuanto se reinicie.

Estas son las distintas claves beta que podemos configurar:

*   ​
    
    Rejillas
    
    estándar, carga y movimiento optimizado (requiere el
    
    estilo
    
    _Optimizado_):
    
    *   **Clave**: optimizarRejillasClient
        
    
    *   **Valor**: 8DF627183E075E86BADCF82C11D4F931E8BF62D8
        
    

*   *   **Clave**: optimizarFormulariosClientFormulas
        
    
    *   **Valor**: ED979A19EEFC93EE0E4F58FB93F432BF258E1E33
        
    

*   Procesos, optimización de parámetros:
    
    *   **Clave**: optimizarInstruccion
        
    
    *   **Valor**: F15868161C0B05825E38ADE94001D5D9926CDFB7
        
    
    *   **Ámbito**: cliente y servidor.
        
    

*   *   **Valor**: 11B804B93A06DFED1838D5B21F309414B881EEDF
        
    
    *   **Ámbito**: cliente y servidor.
        
    

*   Nuevo motor
    
    Javascript
    
    con optimización de memoria y concurrencia:
    
    *   **Clave**: enableSombrasJSClass
        
    
    *   **Valor**: F0835AF8367C2AE76BC7804F8183EEB5529C5ADF
        
    
    *   **Ámbito**: cliente y servidor.
        
    

Última actualización 6mo ago

CVE-2021-45036: Notas de la versión

CVE-2023-36893

Security analysts expect little improvement until at least the second half of the year.

Financial activity in the cybersecurity industry declined sharply in the first quarter of 2023 compared to the same period in 2022, and analysts tracking the sector expect little improvement until at least the second half of the year.

Even that expectation is tinged with some uncertainty over how the market will respond — in the short and long term — to Silicon Valley Bank's (SVB) stunning collapse in mid March and the resulting impact on venture capital funding in the sector.

And meanwhile, next quarter in fact might be the slowest for cybersecurity startup funding in years, at least one researcher predicts.

**Continued Financial Headwinds for Cyber**

"Conservatism and expectations for continued headwinds throughout 2023 were the recurring themes across the public cybersecurity company annual earnings calls held throughout the first quarter," says Eric McAlpine, founder and managing partner at Momentum Cyber. "\[Strategic decision makers\] are approaching the rest of the year with great caution and that has downstream impact for everyone else in the ecosystem."

The cautionary tone comes amid lingering fears of a broad economic recession, falling stock prices and huge layoffs at technology giants such as Amazon, Meta, Microsoft, and Tesla. Though analyst firms such as IDC expect cybersecurity spending to increase 12.1% in 2023 to $219 billion, there are some fears that inflation and rising technology costs could dent the gains organizations are hoping to get from the increased spending.

McAlpine says that through Feb. 28, Momentum Cyber has tracked 32 cybersecurity M&A deals totaling $2.6 billion in disclosed deal value and 102 financing deals totaling $2.5 billion in value. That is down sharply from the M&A deal volume of $13.8 billion across 79 deals that Momentum Cyber tracked in the year-ago quarter. In Q2 last year, that number surged to a record $89.8 billon before dipping sharply in the last half of the year.

"Both M&A and financing deal count and dollar value are down considerably from the same period in 2022 as we continue to deal with turbulent markets," he says.

Market research firm Omdia reported a similar slowdown in the first quarter of 2023 with analyst Ketaki Borade describing the volume of M&A transactions so far this year as just over half of last year's volume in the same period: 44 versus 97 in 2022.

Notable M&A examples in the first quarter of 2023 include Thoma Bravo’s $1.1 billion acquisition of Magnet Forensics, Francisco Partners' purchase of Sumo Logic for $1.7 billion, and SailPoint's acquisition of SecZetta for an undisclosed sum in January.

**Broad Investment Slowdown, Including in VC**

It was not just M&A activity that slowed in the first three months of 2023. Venture capital and other investment activity in cybersecurity companies declined as well says Richard Stiennon, chief research analyst at market research firm IT-Harvest.

Stiennon says IT-Harvest tracked a total of 41 investments totaling some $1.35 billion in cybersecurity companies through March: "That is at an annual rate of only $8 billion \[which is\] considerably down from 2022, which saw investments of $17 billion, and 2021, which set an all-time high of $24 billion." 

Of the 41 investments, there were seven rounds of $50 million or more which accounted for $893 million of the total $1.35 billion, Stiennon says. There have been no initial public offerings (IPOs) so far this year.

Despite the general slowdown in cybersecurity M&A and investment activity, the first three months of 2023 had its share of major transactions. Easily the standout among them was Israeli cloud security vendor Wiz' capital raise of $300 million in a Series D financing round in February that valued the company at an astounding $10 billion, Stiennon says. That made Wiz the highest valued private cybersecurity firm ever.

Stiennon points to a $205 million growth funding round that identity management vendor Saviynt secured from AB Private Credit Investors and $180 million in equity investments and strategic financing that MDR vendor Deepwatch raised in February, as two other major deals in 2023's first quarter. Yet another was a $500 million capital raise by Alphabet spinoff Sandbox AQ in February.

**Hot Sectors**

As has always been the case, some segments within the cybersecurity industry received more love from investors than other segments. Rik Turner, an analyst with Omdia, identified the segments that have received the largest amounts of funding so far in 2023 as network security, security management, and SecOps. These sectors have perennially been attractive to investors, he says. 

"Others such as cloud, application, and data security are now also mainstays within the overall totals," Turner says. "\[The trend\] speaks to the growing amount of cloudification of app infrastructures, which was already underway before the pandemic, but was undoubtedly turbocharged by it."

Several of the technologies that investors are betting on are also — unsurprisingly — the areas where enterprise organizations are spending most of their security dollars on as well. In a recent Dark Reading virtual event, Chenxi Wang, founder and general partner of Rain Capital, identified cloud security, network security, identity and access management, SecOps, and application security as some of the top spending priorities for organizations currently.

In comments to Dark Reading, Wang says based on her observation, overall deal volumes and the velocity of strategic deals decreased in the first three months of 2023. "We observed the same thing on the venture side. Less companies are getting funded compared to last year."

**A Cautious Cyber-Investment Outlook for the Rest of 2023**

Wang and other industry analysts have a somewhat cautious outlook on M&A and investment activity in the cybersecurity sector for the rest of the year. 

One major issue is how SVB's demise will playout over the rest of the year. Wang believes — like many others — that the SVB collapse will make it harder for startups and early-stage companies — especially those with a high-risk appetite — to get funding. 

"In the long run, it means less companies will cross the chasm to scale up and become a sustainable business," she says.

McAlpine is less concerned about the short-term implications of SVB's implosion. The immediate slowdown in financial activity that the bank's collapse triggered has already begun reversing itself. But the longer-term impact may not be evident for years. 

"Going forward, we're advising companies to avoid putting all their eggs in one basket," he says. "Working with multiple banks, for example, \[such as\] one global bank and one regional bank, can help to avoid business interruptions during this period of volatility in the banking system."

He expects that things will start to loosen up sooner rather than later. Financing and M&A activity can't remain in a state of limbo forever, he says. Many companies will still need capital to reach the next stage of their business, even if they're able to adjust and extend their runway near term. "We also expect to see more companies take a parallel approach where they pursue financing and M&A at the same time," he says. "This gives them optionality if one or the other doesn't materialize at a valuation that's acceptable to founders and investors."

Steinnon, who expected a lot of funding that didn't happen last year to be pushed into 2023, says he is underwhelmed by what he has seen so far this year. But he predicts investment and M&A activity will begin ticking upward starting in the third quarter and will at least match 2020's total of $10 billion. 

He predicts that the second quarter of 2023 will be the slowest investment quarter in years in the cybersecurity industry. 

"Fallout from SVB's failure is going to have a negative impact on all funding, including in cybersecurity," he says. "I fully expect private equity to take advantage of decreased valuations \[and\] to snap up deals from the public and private sectors."

Cybersecurity Investment Outlook Remains Grim as Funding Activity Sharply Declines

["Microsoft Outlook Information Disclosure Vulnerability"]

CVE-2020-17119

Microsoft Outlook Information Disclosure Vulnerability

CVE-2023-35636

Microsoft Outlook for Mac Spoofing Vulnerability

CVE-2022-44713

Microsoft Outlook Denial of Service Vulnerability

CVE-2022-35742

Microsoft Outlook Remote Code Execution Vulnerability

Search

outlook iniciare sesión