Microsoft introduced Windows 365, its Windows 10 desktop running on Azure, only at the beginning of August 2021 and made it available to customers; there is also a trial version that interested parties can try out. Now security researchers have shown that the credentials (user name and password) used to log in to a Windows 365 instance can be read out in plain text. A nasty finding, because attackers could take over such installations this way.
Windows 365, the Cloud PC
Windows 365 is a cloud service intended to give companies of any size new ways to use Windows 10 or Windows 11. Microsoft moves the entire operating system, including applications, data and settings, into the Microsoft Cloud. Access is then possible from a wide variety of company devices running Windows, Linux, iOS, macOS or Android.
Windows 365 is touted by Microsoft as "secure by design" and is based on the zero-trust principle. Information is stored in the cloud instead of on the device. This is supposed to enable secure and productive work in a wide variety of situations. Windows 365 thus creates a new hybrid category for personal computers: the cloud PC, which leverages both the power of the cloud and the capabilities of the device.
I had reported on July 15, 2021 in the blog post Windows 365: The cloud PC presented at Inspire about the new Windows 365. Windows 365 has been available since August 2, 2021 (see Windows 365 released). There was also the possibility to set up a free test account to experiment with the product; however, this had to be suspended temporarily due to high demand.
Windows 365: Login data can be dumped in plain text
I had seen the following tweet from Benjamin Delpy, but hadn't quite grasped how explosive it was – and was still fixated on HiveNightmare (see News about Windows 10 vulnerability HiveNightmare). The message of the tweet: a modified version of Mimikatz can be used to discover Windows 365 Azure credentials.
Mimikatz was developed by Benjamin Delpy and is a free, open-source tool that extracts cached credentials from the memory of Windows processes, typically by abusing weaknesses in how Windows stores them. The tool is by now a standard component of real-world cyberattacks.
Benjamin Delpy then contacted Bleeping Computer, which covered the issue in an article. The gist: the Azure credentials of a user logged in to a terminal server can be read via a technique Delpy discovered in May 2021. The terminal server does hold these per-user credentials in memory in encrypted form, but Delpy found a way to make the Terminal Services process decrypt that data for him. The modified mimikatz can therefore read the credentials of users logged in to a terminal server unencrypted, that is, in plain text.
The colleagues at Bleeping Computer were able to reproduce this on a freshly set-up Windows 365 trial instance using the modified mimikatz variant. Once a connection to the Windows 365 instance had been established via the browser and mimikatz had been started there with administrator rights, the command "ts::logonpasswords" was enough: the login data was printed in plain text.
It is true that mimikatz needs administrator privileges on the Cloud PC for this. But the last few weeks have shown that malware already present on a PC can escalate its privileges through vulnerabilities such as PrintNightmare. On such a system the malware could install an RDP client; if the user works with a Windows 365 instance, the malware could reach the cloud PC and continue its activities there, including dumping the cached credentials.
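As an added example (not code from the original post, from Bleeping Computer or from Delpy's tool), here is a PowerShell snippet that hunts, in Sysmon-style records, for processes opening a read/write/thread-create handle on the svchost.exe instance that hosts TermService, the Terminal Services process whose memory the dump described above comes from. The records, PIDs, user names and paths are constructed sample data; it is this example's own assumption that the credential dump shows up as such a ProcessAccess event (Sysmon Event ID 10, with the SourceUser field of Sysmon 13 or later) and that the TermService host can be identified from the ProcessCreate command line (Event ID 1).

```powershell
# Constructed sample records mimicking Sysmon Event 1 (ProcessCreate) and
# Event 10 (ProcessAccess). Field names follow Sysmon; values are made up.
# GrantedAccess is kept as a hex string, exactly as Sysmon logs it.
$events = @(
    [pscustomobject]@{ EventId = 1;  ProcessId = 1204; Image = 'C:\Windows\System32\svchost.exe'
                       CommandLine = 'C:\Windows\System32\svchost.exe -k NetworkService -p -s TermService' }
    [pscustomobject]@{ EventId = 10; SourceImage = 'C:\Windows\System32\csrss.exe'
                       SourceUser = 'NT AUTHORITY\SYSTEM'; TargetProcessId = 1204; GrantedAccess = '0x1400' }
    [pscustomobject]@{ EventId = 10; SourceImage = 'C:\Users\jdoe\Downloads\mimikatz.exe'
                       SourceUser = 'CLOUDPC\jdoe'; TargetProcessId = 1204; GrantedAccess = '0x1FFFFF' }
    [pscustomobject]@{ EventId = 10; SourceImage = 'C:\Windows\System32\Taskmgr.exe'
                       SourceUser = 'CLOUDPC\jdoe'; TargetProcessId = 4711; GrantedAccess = '0x1410' }
)

function Find-TermServiceAccess {
    param([Parameter(Mandatory)][object[]]$Events)

    # PROCESS_* rights from winnt.h that reading or manipulating another
    # process's memory requires: CREATE_THREAD, VM_OPERATION, VM_READ, VM_WRITE.
    $suspicious = 0x0002 -bor 0x0008 -bor 0x0010 -bor 0x0020

    # Step 1: which PIDs host TermService? Only Event 1 carries the command
    # line, so the service host must be resolved from there and joined on PID.
    $termPids = @($Events |
        Where-Object { $_.EventId -eq 1 -and $_.CommandLine -match '-s\s+TermService\b' } |
        ForEach-Object { $_.ProcessId })

    # Step 2: every ProcessAccess event against those PIDs that asked for one
    # of the dangerous rights. Handles opened by SYSTEM (csrss, lsass, ...) are
    # normal operating-system noise and are excluded; anything else is reported.
    $Events | Where-Object {
        $_.EventId -eq 10 -and
        $termPids -contains $_.TargetProcessId -and
        (([int]$_.GrantedAccess) -band $suspicious) -ne 0 -and
        $_.SourceUser -ne 'NT AUTHORITY\SYSTEM'
    } | Select-Object SourceImage, SourceUser, TargetProcessId, GrantedAccess
}

# On the sample data only the mimikatz.exe record is returned: csrss has no
# VM/thread rights in its mask, and Taskmgr targets a different process.
Find-TermServiceAccess -Events $events
```

Against a live host the same function can be fed with `Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational'` after mapping the event XML into the fields used above; the SYSTEM exclusion is deliberately coarse, so on a production Cloud PC the allow list should be tuned per image rather than per user.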
Delpy recommends two-factor authentication, smart cards, Windows Hello and Windows Defender Remote Credential Guard as protection against such attacks. However, these security features are currently not available for Windows 365 and may not arrive until the product is more widely deployed in enterprise environments.
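To make the Remote Credential Guard recommendation concrete, here is an added PowerShell example (not from the original post or from Microsoft) that audits and sets the registry values this protection depends on. The key paths, value names and the meaning of the policy values are taken from Microsoft's documentation for Remote Credential Guard and the "Restrict delegation of credentials to remote servers" policy; the evaluation logic and function names are this example's own. It assumes it is run with administrative rights on the RDP target (the Cloud PC in this story) and on the client, respectively.

```powershell
# Audit the two settings Remote Credential Guard / Restricted Admin rely on.
function Get-RdpCredentialProtectionState {
    # Target (server) side: DisableRestrictedAdmin = 0 under the Lsa key enables
    # both Restricted Admin and Remote Credential Guard on the host. An absent
    # value means the feature is off.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $dra = (Get-ItemProperty -Path $lsa -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue).DisableRestrictedAdmin

    # Client side: the policy "Restrict delegation of credentials to remote servers"
    # (Computer Configuration > Administrative Templates > System > Credentials Delegation)
    # writes RestrictedRemoteAdministration = 1 and RestrictedRemoteAdministrationType:
    #   1 = Require Restricted Admin
    #   2 = Require Remote Credential Guard
    #   3 = Restrict credential delegation (prefer Remote Credential Guard, fall back to Restricted Admin)
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    $p   = Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue
    $typeNames = @{ 1 = 'RequireRestrictedAdmin'; 2 = 'RequireRemoteCredentialGuard'; 3 = 'RestrictCredentialDelegation' }

    [pscustomobject]@{
        HostAcceptsProtectedLogons = ($dra -eq 0)
        ClientPolicyEnforced       = ($p.RestrictedRemoteAdministration -eq 1)
        ClientPolicyMode           = $(if ($p.RestrictedRemoteAdministrationType) {
                                          $typeNames[[int]$p.RestrictedRemoteAdministrationType]
                                      } else { 'none' })
    }
}

# Target side: allow protected logons so the user's password is never sent to
# (and therefore never cached by) the Terminal Services process on this host.
function Enable-RdpRemoteCredentialGuardHost {
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name DisableRestrictedAdmin `
        -PropertyType DWord -Value 0 -Force | Out-Null
}

# Client side: require Remote Credential Guard for every outgoing RDP session
# (mode 2), so a connection that cannot use it fails instead of falling back
# to sending the password.
function Enable-RdpRemoteCredentialGuardClient {
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    if (-not (Test-Path $pol)) { New-Item -Path $pol -Force | Out-Null }
    New-ItemProperty -Path $pol -Name RestrictedRemoteAdministration     -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $pol -Name RestrictedRemoteAdministrationType -PropertyType DWord -Value 2 -Force | Out-Null
}

Get-RdpCredentialProtectionState
# Ad hoc, without the policy, a single session can be protected with:
#   mstsc.exe /remoteGuard /v:<host>
```

Two caveats a practitioner should keep in mind: Remote Credential Guard needs Kerberos between client and host, so it applies to domain-joined (or otherwise Kerberos-capable) endpoints and to the mstsc client, not to a connection made from the browser as in the Bleeping Computer test; and, as the post notes, at the time of writing these options were not yet offered for Windows 365 itself, so the audit above reports the state of a conventional RDP target, not what the Cloud PC service exposes.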