Microsoft’s new Cloud PC offering, Windows 365, is supposed to be a huge hit, especially in the area of corporate security. But according to one report, there appears to be one big problem above all.
Microsoft has launched the new cloud service Windows 365. With it, the software giant has introduced a service that provides work computers by default, including all the necessary software and resources. Thanks to the cloud solution, work environments should be completely secure, Microsoft promises.
The offering follows the “zero trust” principle. Among programmers, this refers to the security principle of preventing any access until it is needed and authenticated.
Security researcher discovers glaring vulnerabilities
It appears that a security researcher has now managed to obtain the Azure login data for a Windows 365 account, as reported by winfuture.de. The online magazine Bleeping Computer, together with security researcher Benjamin Delpy, known for his tool Mimikatz, explains how this was possible. Mimikatz is an open source cybersecurity project that enables researchers to test various vulnerabilities related to credential theft and identity verification.
Delpy successfully used a modified version of Mimikatz to read out the Azure login data for Windows 365. Windows 365 thus exposes the “Microsoft Azure” credentials in plain text, so that Delpy can use them to sign in. According to the information, Delpy was one of the first Windows 365 testers to get one of the two test accounts for two months. Microsoft invited companies to participate in the free test, but then ended the offer again after a rush for access to the test.
Delpy managed to fool the Terminal Services process
According to the report, the discovered security flaw enabled Delpy to read the clear text credentials of users who are logged into a terminal server. These credentials are usually encrypted, but Delpy was able to trick the Terminal Services process into performing the decryption itself and providing the data.
This vulnerability can be exploited by a third party, for example, if a phishing email with a malicious attachment gets past Microsoft Defender. An attacker can then gain admin rights and read the clear text login data without any problems.