Microsoft announced that the new Windows 365 Cloud PC was going to be generally available earlier this month. Now, a security researcher has come forward claiming that a bug in the offering can be exploited by attackers to extract Azure users’ credentials in unencrypted plain text.
Benjamin Delpy said he used Mimikatz, the open-source software he created, to get Azure users’ credentials from Windows 365.
In a video that he posted on Twitter, Delpy showed how anyone with access to a user’s system could steal their Azure password.
The exploits of Benjamin Delpy
Speaking to Bleeping Computer, Delpy said that Microsoft offered him a free trial of the Windows 365 service. He used that account to test the security. Delpy reports that Windows 365 failed to stop Mimikatz from extracting the Microsoft Azure email address and password in plaintext for logged-in users.
The Mimikatz software also exploited a security bug known as PrintNightmare. That bug was also discovered by the researcher earlier this year. Delpy said that, after exploiting the PrintNightmare bug, Mimikatz allowed him to dump the credentials he wanted into a Terminal server.
Bleeping Computer tested the Windows 365 vulnerability and confirmed it exposed Azure credentials.
New products, new problems
The catch is that exploiting the vulnerability requires admin privileges. Even so, users remain concerned. Delpy recommends security features like 2FA (two-factor authentication), smart cards, Windows Hello, and Windows Defender Remote Credential Guard to protect the credentials.
However, these features are not available for Windows 365 yet.
Microsoft announced the product on August 2. It can connect users to an always-on cloud PC from anywhere with an internet connection, using a web browser.