Yiftach Keshet
Jul 21, 2022

How PassBleed Exposes On-Prem Workstations and Servers to Critical Risk

Security researchers from Authomize recently uncovered how the PassBleed technique enables attackers to access cleartext usernames and passwords of Okta users by intercepting SCIM traffic. While at first this risk appears to relate exclusively to enterprise SaaS and web applications that are managed by Okta, in fact the hybrid nature of today’s IT infrastructure – where 97% of organizations have core business resources both on-prem and in the cloud – suggests a far wider risk. This post examines how PassBleed represents a serious risk to the on-prem domain environment and explores mitigation actions security teams can take.

Understanding PassBleed

The PassBleed attack technique targets the way in which Okta sends usernames and passwords to a designated SCIM server. As Authomize points out, the configuration and connection setup of a SCIM server can be done by any user with an App Admin role. Moreover, in some configurations this credential data is shared between the SCIM server and Okta over plain HTTP rather than HTTPS, exposing passwords in cleartext to any attacker intercepting the traffic. (Read a full analysis of the PassBleed technique here.)
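The practical check that follows from this is a configuration audit: every SCIM connector an App Admin has set up should be reviewed for a non-TLS base URL, with password synchronization as the aggravating factor. The following Python is an added example, not code from the original post or from Okta/Authomize; the connector record layout and field names are assumptions, and the SCIM User body is constructed from the RFC 7643 core schema.

```python
import json
from urllib.parse import urlparse

# Constructed sample of SCIM connector records, modelled loosely on what an
# admin might export from an IdP's app settings. Field names are assumptions.
CONNECTORS = [
    {"app": "hr-portal", "scim_base_url": "https://scim.hr.example.com/v2", "sync_password": True},
    {"app": "legacy-wiki", "scim_base_url": "http://wiki.internal.example.com/scim", "sync_password": True},
    {"app": "crm", "scim_base_url": "http://crm.example.com/scim/v2", "sync_password": False},
]

# Constructed SCIM 2.0 User payload (RFC 7643 core schema) of the kind an IdP
# sends when provisioning a user; "password" is the attribute PassBleed exposes.
SAMPLE_SCIM_USER = json.dumps({
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "j.doe@example.com",
    "password": "Hunter2!",
    "active": True,
})


def scim_body_has_password(body: str) -> bool:
    """Return True if a SCIM User payload carries a cleartext password attribute."""
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    return isinstance(doc, dict) and bool(doc.get("password"))


def audit_connectors(records):
    """Return (app, finding) for every connector that sends SCIM traffic without TLS.

    Password sync over plain HTTP is the PassBleed case and is rated critical;
    plain HTTP without password sync is still rated high, because usernames and
    the connector's bearer token cross the wire in cleartext.
    """
    findings = []
    for rec in records:
        scheme = urlparse(rec["scim_base_url"]).scheme.lower()
        if scheme == "https":
            continue
        if rec.get("sync_password"):
            findings.append((rec["app"], "CRITICAL: password sync over plain HTTP"))
        else:
            findings.append((rec["app"], "HIGH: SCIM traffic over plain HTTP"))
    return findings


if __name__ == "__main__":
    for app, finding in audit_connectors(CONNECTORS):
        print(f"{app}: {finding}")
```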

The Risk to SaaS and Web Apps

A threat actor that performs this attack successfully could then use the cleartext passwords to open a browser and log in to any enterprise application managed by Okta. This would put any sensitive data residing in these applications at risk of compromise.

While a PassBleed attack scenario will indeed provide an attacker with usernames and passwords, having a multi-factor authentication (MFA) solution in place can mitigate a significant part of the risk. Even if attackers obtain valid credentials, MFA would prevent them from using those credentials for malicious access. It is worth noting that MFA is known to reduce the risk of account compromise by 99.9%, making it extremely effective in this scenario.

But the actual risk exposure doesn’t end there.

Why the On-Prem Environment is Also Exposed

Today, the vast majority of organizations maintain a hybrid environment with core business resources residing both on-prem and in the cloud. For ease of operations, common IT practice is to use the same username-password combination for the domain environment as well (i.e., for both physical and virtual workstations and servers). Thus, any credentials compromised through PassBleed could be used for initial access to sensitive resources (through VPN or other remote connection methods), as well as for lateral movement in the on-prem environment.

But unlike for SaaS and web applications, MFA protection for the on-prem environment is severely lacking. One example is legacy applications that support key business operations: these apps were produced well before MFA became commonplace, and so they fall outside its protection. Remote command line access to workstations and servers is another element MFA does not cover. While this type of access is commonly used by admins to troubleshoot issues on employees’ computers, it is also often the interface of choice for threat actors performing lateral movement and spreading ransomware.

The Attack Scenario: Employing Compromised Credentials to Spread Ransomware

  1. Attackers execute PassBleed against an organization and exfiltrate cleartext usernames and passwords from the HTTP traffic.
  2. The threat actor performs initial compromise via one of the common vectors (e.g., weaponized email, malicious RDP connection).
  3. Once a foothold is established on a target endpoint, the attacker then uses the usernames and passwords to rapidly move to other machines in the environment. The purpose of this lateral movement is to discover a machine from which mass encryption of multiple machines can be achieved – typically a Domain Controller (DC).
  4. Note that by having a range of usernames and passwords, the attacker can simply log in via command line in the exact same manner a legitimate user does (avoiding techniques like credential dumping, Pass-the-Hash, Kerberoasting, etc.).
  5. Upon reaching the DC, the attacker accesses a shared network folder and executes the ransomware payload on all the machines it can access. Again, this is done in the same way an admin would run a health-check script or any other piece of software on the machines in the environment.

Close the MFA Gap with Silverfort

Silverfort’s Unified Identity Protection solution is the first platform purpose-built to proactively prevent, detect, and respond to identity threats that utilize compromised credentials to access targeted resources. Silverfort extends MFA protection with Okta Verify to all users, systems and environments — including the ones listed above in the attack scenario.

With Silverfort in place, the attackers would have encountered significant difficulties in performing lateral movement with the stolen credentials. This is because when the malicious authentication was attempted, Silverfort would have prompted the real users with MFA, asking them whether the access attempt was legitimate. Once the users denied the access, the attacker’s access would have been blocked and the attack thwarted.

Secure the Enterprise with End-to-End Protection

PassBleed is a clear example of why the hybrid enterprise must be viewed as a single entity. A risk to credentials in the cloud can critically impact the security posture of the on-prem environment and vice versa. Acknowledging the security implications of this interconnectivity is crucial to building a holistic security architecture that can confront the escalating identity threat landscape and keep organizations secure.

Learn more about Silverfort’s Unified Identity Protection platform, including lateral movement protection and ransomware prevention.