Benjamin Delpy, the popular security researcher and author of the Mimikatz tool, has devised a method to retrieve a user’s Microsoft Azure credentials in plaintext from Microsoft’s new Windows 365 Cloud PC service using Mimikatz.
Mimikatz is an open-source project that allows gathering credential data from Windows systems.
Early this month, Microsoft launched the Windows 365 Cloud PC service that allows its customers to deploy Windows 10 desktops in the cloud and access them via RDP or using a browser.
Delpy discovered that the service allows a malicious program to dump the Microsoft Azure plaintext credentials (email address and passwords) for logged-in users.
The experts exploited a vulnerability he discovered in May that allows him to retrieve the plaintext credentials for users logged into a Terminal Server.
BleepingComputer, who first reported the news, successfully tested the technique on a free Cloud PC trial on Windows 365.
“After connecting through the web browser and launching mimikatz with Administrative privileges, we entered the “ts::logonpasswords” command and mimikatz quickly dumped our login credentials in plaintext, as shown below.” states BleepingComputer.
The attack scenario described by Bleeping computer sees the victim opening a phishing email with a malicious Office attachment on his Windows 365 Cloud PC. Upon enabling the macros in the document, it can install a remote access tool that allows an attacker to access the Cloud PC.
Then the attacker can escalate privileges using multiple issues, including PrintNightmare flaws, and then dump the credentials using Mimikatz.
Delpy explained that 2FA and Windows Defender Remote Credential Guard can protect the users against this technique, but Windows 365 has yet to support it.
(SecurityAffairs – hacking, Mimikaz)