Microsoft MFA AuthQuake Flaw Exposes Accounts to Unlimited Brute Force Attacks

In the past week, critical cybersecurity threats have emerged, with significant vulnerabilities being reported across various platforms. Recent cybersecurity incidents include the exploitation of “AuthQuake” vulnerability in Microsoft’s multi-factor authentication (MFA) implementation exposing significant weaknesses in its security configuration. A critical flaw in Fortinet’s Wireless LAN Manager (CVE-2023-34990), allowing path traversal and admin session hijacking, has been actively exploited, prompting urgent patches. Researchers also uncovered Glutton, a PHP-based backdoor targeting vulnerabilities in frameworks like Laravel and ThinkPHP, linked to the Winnti group. Additionally, Juniper Networks has warned of malicious campaigns targeting Session Smart Router (SSR) products with default passwords, resulting in the deployment of Mirai botnet malware. Meanwhile, Secret Blizzard (Turla), has been deploying Amadey bot malware to target Ukrainian military systems. These developments underscore the urgent need for organizations to stay vigilant and apply security updates promptly.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Microsoft MFA AuthQuake Flaw Exposes Accounts to Unlimited Brute Force Attacks

The “AuthQuake” vulnerability in Microsoft’s multi-factor authentication (MFA) implementation exposes significant weaknesses in its security configuration. This flaw allows attackers to bypass MFA protections using brute-force attacks without user interaction or alerts. The vulnerability arises from insufficient rate limiting and an extended validity window for time-based one-time passwords (TOTPs). Attackers exploit these gaps by spawning multiple login sessions and systematically testing all six-digit code combinations. While Microsoft has implemented stricter rate-limiting measures, the vulnerability highlights critical lessons for robust MFA configuration.

To mitigate such risks, cybersecurity researchers emphasize enabling MFA through secure methods like hardware keys, monitoring for leaked credentials, and sending detailed alerts for failed MFA attempts. Reducing code validity to 30 seconds and enforcing stricter rate limits are essential. Regular security audits and user education further enhance defenses. This incident underscores the need for vigilant MFA practices to maintain trust in this essential security layer.

2. Secret Blizzard Espionage Using Amadey Bots and Kazuar Backdoors

The Russian state-sponsored group, Secret Blizzard (Turla), has been deploying Amadey bot malware to target Ukrainian military systems with the Kazuar backdoor. This campaign demonstrates Turla’s advanced strategy of hijacking other threat actors’ tools and infrastructure, including using stolen command-and-control (C2) servers from other groups. Leveraging Amadey malware-as-a-service (MaaS) and PowerShell droppers encoded with Base64, Turla executes complex attacks that evade detection and attribution. These attacks involve reconnaissance tools like the Tavdig backdoor and Kazuar, highlighting a focus on stealth and operational precision.

Cybersecurity researchers recommend enhancing endpoint protection to detect DLL side-loading, monitoring Base64-encoded PowerShell scripts, and analyzing network traffic for connections to known Turla infrastructure. Implementing robust patch management and network segmentation is crucial for minimizing lateral movement. This campaign underscores the sophistication of nation-state actors in leveraging multi-layered attack techniques and reinforces the importance of proactive cybersecurity measures.

3. New Glutton Malware Exploits Popular PHP Frameworks Like Laravel and ThinkPHP

Cybersecurity researchers have uncovered a PHP-based backdoor named Glutton, linked to the Chinese nation-state group Winnti (APT41), targeting countries like China, the US, Cambodia, Pakistan, and South Africa. Discovered in April 2024, Glutton exploits vulnerabilities in PHP frameworks such as Baota, ThinkPHP, Yii, and Laravel, harvesting sensitive data, injecting code, and planting backdoors. Notably, it also targets cybercriminals, using their tools against them in a “no honor among thieves” approach.

The attack begins with exploiting vulnerabilities or brute-force attacks and utilizes modular components like “task_loader” and “client_loader” for infection and persistence. Despite ties to Winnti, the malware lacks obfuscation and encrypted communication, uncharacteristic for the group. Cybersecurity researchers recommend patching PHP frameworks, monitoring web traffic for unencrypted C2 communication, and auditing systems for unusual PHP activity. Network segmentation, endpoint security updates, and educating teams on emerging threats are crucial to mitigating risks.

4. Fortinet Warning: Critical FortiWLM Vulnerability Allows Admin Access Exploits

Fortinet has issued an advisory for a critical vulnerability (CVE-2023-34990) in its Wireless LAN Manager (FortiWLM), rated at a CVSS score of 9.6. This flaw, caused by improper input validation in the `/ems/cgi-bin/ezrf_lighttpd.cgi` endpoint, allows attackers to exploit a path traversal issue via the `imagename` parameter. By accessing verbose logs, attackers can hijack administrator sessions and potentially gain full control of the device. The vulnerability affects FortiWLM versions 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4, with patches available in versions 8.6.6 and 8.5.5.

Cybersecurity researchers recommend updating to patched versions immediately and conducting security audits to ensure no exploitation occurred during the vulnerability’s zero-day period. Employing network segmentation, robust authentication like MFA, and continuous monitoring can further reduce risks. Organizations using FortiWLM, particularly in critical sectors like government and healthcare, should review incident response plans and monitor for signs of unauthorized access.

5. Mirai Botnet Targets Juniper SSR Devices with Default Passwords

Juniper Networks has warned of malicious campaigns targeting Session Smart Router (SSR) products with default passwords, resulting in the deployment of Mirai botnet malware. Exploiting default credentials and known vulnerabilities, attackers compromise devices and integrate them into a botnet used for distributed denial-of-service (DDoS) attacks. The issue emerged after customers reported unusual behavior on their networks, with affected systems displaying signs of botnet activity.

Mirai, known for its ability to exploit default credentials, continues to evolve, posing persistent risks. Cybersecurity researchers recommend changing default passwords to strong, unique ones and regularly auditing access logs for suspicious activities. Firewalls and software updates are critical to mitigating vulnerabilities. For infected devices, reimaging is the only guaranteed solution. Disabling exposed SSH services and using IP whitelists or VPNs can further restrict unauthorized access. Employing network monitoring tools is essential to detect abnormal traffic and prevent similar incidents.