Azure Active Directory Sign-Ins Log Tampering
At the end of May 2021, Secureworks® CTU™ researchers investigated the protocol that the AD Connect Health Agent uses to send AD FS sign-in events to Azure AD. They found that a threat actor with local administrator access to the AD FS server can extract credentials and manipulate Azure AD sign-in log events, or contaminate subscriber logs with fake login events. Microsoft confirmed the changes on June 16 and announced the fix on July 7, and CTU™ researchers confirmed that the problem was solved.
At the end of May 2021, Secureworks® CTU™ researchers investigated the protocol used to send AD FS sign-in events to Azure AD with the AD Connect Health Agent. They found that a threat actor can extract credentials and manipulate Azure AD sign-in log events, or contaminate subscriber logs with fake login events. Microsoft announced the fix and CTU™ researchers confirmed that the problem was solved.
https://www.secureworks.com/research/azure-active-directory-sign-ins-log-tampering