GNU social JP
  • FAQ
  • Login
GNU social JPは日本のGNU socialサーバーです。
Usage/ToS/admin/test/Pleroma FE

  • Public

    • Public
    • Network
    • Groups
    • Featured
    • Popular
    • People

Conversation

Notices

  1. Embed this notice
    Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 12-Nov-2024 20:48:29 JST Kevin Beaumont Kevin Beaumont

    Anybody else seeing Microsoft Azure Active Directory Connect account bruteforce?

    AADSignInEventsBeta
    | where Application == “Microsoft Azure Active Directory Connect”

    In particular error code 50126 and 50053

    In conversation about 16 days ago from cyberplace.social permalink
    • Embed this notice
      jutaa (jutaa@cyberplace.social)'s status on Tuesday, 12-Nov-2024 22:35:23 JST jutaa jutaa
      in reply to

      @GossiTheDog Yes, started 23/10. All VN + RU addresses, but each IP is only seen once.

      In conversation about 16 days ago permalink
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 12-Nov-2024 23:01:31 JST Kevin Beaumont Kevin Beaumont
      in reply to

      For clarity on this one, there’s no reason standard users or admins should be logging in with the Microsoft Azure Active Directory Connect app - it looks like low grade brute force to me.

      In conversation about 16 days ago permalink
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 13-Nov-2024 01:22:11 JST Kevin Beaumont Kevin Beaumont
      in reply to

      I think Microsoft security peeps may want to go through their logs for Microsoft Azure Active Directory Connect app usage from 23rd October 2024 onwards - we’re all seeing the same thing, low and slow brute force, comes up as single factor auth (probably because Entra AD Connect is needed for directory sync for MFA to function).

      In conversation about 16 days ago permalink
    • Embed this notice
      JJ (guitarfosec@cyberplace.social)'s status on Wednesday, 13-Nov-2024 01:42:39 JST JJ JJ
      in reply to

      @GossiTheDog Same. All hits are RU and VN using the browser "Rich Client 4.36.0.0".

      In conversation about 16 days ago permalink
    • Embed this notice
      V4N4D1S (v4n4d1s@mastodon.social)'s status on Wednesday, 13-Nov-2024 04:45:38 JST V4N4D1S V4N4D1S
      in reply to

      @GossiTheDog Multiple hundred attempts in the last 30 days, 90% from RU, some from VN. All used accounts are known to having leaked credentials in the last few years. Is MFA forced for the AAD Connect app in the security defaults?

      In conversation about 16 days ago permalink
    • Embed this notice
      Security Protégé (securityprotege@cyberplace.social)'s status on Wednesday, 13-Nov-2024 15:32:56 JST Security Protégé Security Protégé
      in reply to

      @GossiTheDog Yes can see events from 23/10 but not a large volume. All VN + RU IP addresses.

      In conversation about 15 days ago permalink
    • Embed this notice
      r00tjunkie (r00tjunkie@cyberplace.social)'s status on Monday, 18-Nov-2024 23:06:57 JST r00tjunkie r00tjunkie
      in reply to

      @GossiTheDog We started running these queries on the 14th after seeing this shared on H-ISAC, saw plenty of errors from RU, VN and then it just stopped - not sure if anyone else saw it stop on the 14th

      In conversation about 10 days ago permalink

Feeds

  • Activity Streams
  • RSS 2.0
  • Atom
  • Help
  • About
  • FAQ
  • TOS
  • Privacy
  • Source
  • Version
  • Contact

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.