Security Audit Update - 2026-02-27

Summary of Changes

This update adds 14 new critical and high-risk Azure AD applications to the security audit findings, with emphasis on healthcare systems (TASY), infrastructure exposure (Engineering Portals), and directory control risks.


Files Updated/Created

1. Vectors Database

  • File: /home/rx/lab/scan-dor/vectors/all-findings.jsonl
  • Action: Appended 14 new JSONL findings
  • Size: 40 lines → 54 lines (14 new findings)
  • Findings Added:
    • 10 new Azure AD applications
    • 3 infrastructure endpoints
    • 2 critical patterns

2. Main Credentials Document

  • File: /home/rx/lab/scan-dor/01-credenciais-encontradas.md
  • Action: Added new section 6 "Novos Achados - Auditoria Expandida (2026-02-27)" (New Findings - Expanded Audit)
  • Content Added:
    • Section 3.1: 10 new Azure AD app details
    • Section 6: Comprehensive findings breakdown
    • Section 7: Pattern analysis
    • Section 8: Updated remediation priorities

3. Azure Apps Expanded

  • File: /home/rx/lab/scan-dor/08-azure-apps-expanded.md (NEW)
  • Size: 13 KB
  • Content:
    • Complete inventory of 14 Azure AD applications with risk levels
    • Detailed application profiles with secrets, URLs, permissions
    • Mermaid diagram showing risk network
    • Secret expiry timeline
    • Permission escalation paths
    • Immediate remediation actions

4. Healthcare Risk Analysis

  • File: /home/rx/lab/scan-dor/09-tasy-healthcare-risk.md (NEW)
  • Size: 14 KB
  • Content:
    • TASY Hospital Information System analysis (CRITICAL)
    • Patient data at risk assessment
    • LGPD (Brazil) compliance violations
    • Attack scenarios and patient safety impact
    • Mermaid diagram: TASY risk chain to patient impact
    • Detailed remediation roadmap
    • Regulatory fines up to R$ 50 million


New Applications Discovered

CRITICAL RISK (1)

  1. TASY-NACIONAL-JUTTA-BATISTA-PRD (b3a95d25-d382-4a72)

    • Hospital information system with patient medical records
    • Production instance: hisjuttabatista.rededor.com.br
    • LGPD violation if compromised
    • Estimated patient impact: thousands of patients

HIGH RISK (12)

  1. app-portal-engenharia-acesso (6751b57d-32db-439c)

    • Internal engineering portal (Backstage-like)
    • Production: portal.e-dor.net, portal.plt.e-dor.net
    • Expiry: 2027-03-06

  2. app-portal-engenharia-acesso-dev (fbe8fac2-3675-4a25)

    • Engineering portal DEV environment
    • AWS ALB endpoint exposed: portal-alb-main-535306139.us-east-1.elb.amazonaws.com
    • Infrastructure reconnaissance risk
    • Expiry: 2027-06-12

  3. APEX-AUTHENTICATION (4459f6a9-f5d9-452e)

    • Oracle APEX authentication service
    • 6 active secrets (DEV + PRD)
    • Redirect URIs: app.idor.org, appdev.idor.org
    • Expiry: 2028-02-23

  4. Portal Conecta Produção (5d56154f-4a53-4de6)

    • Directory.ReadWrite.All (full AD control)
    • URL: portalconecta.rededor.com.br
    • NEXT TO EXPIRE: 2026-03-27 (28 days)
    • SAML SSO potential hijacking

  5. TASY-NACIONAL-AWS2-HML (204da288-210a-4aee)

    • TASY test environment on AWS
    • May contain production data snapshots
    • Expiry: 2027-08-21

  6. RDSL Posição Financeira DEV (edeac5c0-1259-40aa)

    • Finance portal with Lambda API Gateway integration
    • Production endpoint: f2vlc24t34.execute-api.sa-east-1.amazonaws.com
    • Development endpoint: ne2ozeh8k8.execute-api.sa-east-1.amazonaws.com
    • Expiry: 2028-01-15

  7. PAT-Token-Manager (df077825-c298-4ae5) - Already found, expanded

    • User_impersonation (DevOps) scope
    • Expiry: 2027-01-31

  8. dor-dev-hub (8a7d0eab-4320-46da) - Already found, expanded

    • DevOps access
    • Expiry: 2028-02-13

  9. sp-aws-migration-assessment-rdor (6f662732-49ad-47a3)

    • AWS infrastructure assessment service principal
    • Expiry: 2026-05-10 (72 days)

  10. RedeDor_Neoh (8107cd20-a527-4a2b)

    • Daemon/background application
    • No declared permissions (suggests mobile or service)
    • Expiry: 2028-02-04

  11. AWS ALB Infrastructure

    • Engineering Portal ALB publicly exposed in Azure AD config
    • Status: UNREACHABLE_FROM_PUBLIC (internal only)
    • But endpoint metadata leaked in app configuration

  12. Lambda API Gateway

    • RDSL Posição Financeira (finance) endpoints
    • Both return 403 (alive but protected)

MEDIUM RISK (2)

  1. AWS Migration Assessment (6f662732-49ad-47a3)

    • Expiry: 2026-05-10
  2. RedeDor_Neoh (8107cd20-a527-4a2b)

    • Expiry: 2028-02-04

Critical Patterns Identified

Pattern 1: Directory.ReadWrite.All Proliferation

Risk Level: CRITICAL

Three applications with full Azure AD directory control:

  • CyberArk Identity RDOR
  • Portal Conecta Produção
  • Portal de Relacionamento - Dev (via app roles)

Impact: compromise of any one of these three means full tenant control

Pattern 2: Production/Development Secret Mixing

Risk Level: HIGH

  • APEX has 6 secrets across DEV and PRD
  • TASY has separate apps but same architecture
  • RDSL exposes both endpoints

Impact: DEV compromise → PRD compromise

Pattern 3: Infrastructure Endpoint Disclosure

Risk Level: HIGH

  • Engineering ALB endpoint in Azure AD config
  • Lambda API Gateway URLs in metadata
  • idor.org domain hints at separate systems

Impact: network topology reconnaissance becomes easier

Pattern 4: Healthcare Data Systems

Risk Level: CRITICAL

  • TASY systems contain sensitive medical records
  • No visible encryption indicators
  • LGPD compliance risk (R$ 50 million+ fines possible)

Expiry Timeline

URGENT - Next 30 Days

  • Portal Conecta: 2026-03-27 (28 days)
  • Portal Prd Audit Secret: 2026-03-01 (2 days - already identified)

Watch - Next 90 Days

  • AWS Migration Assessment: 2026-05-10 (72 days)
  • MSAL Dev: 2026-05-09 (71 days)

Long-term

  • CyberArk: 2026-12-17 (294 days)
  • TASY PRD: 2027-12-11 (653 days)
  • APEX: 2028-02-23 (757 days)
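Patterns 1 to 3 and the expiry timeline above are all checks that can be run mechanically over the findings export rather than by hand. The following is an added example, not part of the audit deliverables or of any scan-dor tooling: it reads a JSONL findings file and reports secrets expiring within 30 and 90 days of the audit date, applications holding tenant-wide Graph permissions such as Directory.ReadWrite.All, redirect URIs whose hostnames disclose raw AWS load-balancer or API Gateway infrastructure, and applications that mix DEV and PRD secrets. The JSONL field names (app, app_id, permissions, secrets, redirect_uris), the extra high-privilege permission names beyond Directory.ReadWrite.All, and the sample records are all assumptions; the sample uses placeholder application names, IDs and hostnames, not the audit's.

```python
"""Triage helper for Azure AD application findings stored as JSONL.

Added example; the record schema and the sample data below are assumed and
constructed, not taken from the audit's all-findings.jsonl.
"""
import json
import re
from datetime import date
from urllib.parse import urlsplit

AUDIT_DATE = date(2026, 2, 27)

# Graph application permissions that amount to tenant-wide control.
# Directory.ReadWrite.All is the one the audit calls out; the others are
# well-known equivalents included here as an assumption of what to flag.
HIGH_PRIVILEGE_PERMISSIONS = {
    "Directory.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
    "AppRoleAssignment.ReadWrite.All",
    "Application.ReadWrite.All",
}

# Hostname shapes that reveal raw cloud infrastructure (ALB, API Gateway stage)
# instead of a vanity domain. Matching these in redirect URIs is Pattern 3.
INFRA_HOST_PATTERNS = [
    re.compile(r"\.elb\.amazonaws\.com$"),
    re.compile(r"\.execute-api\.[a-z0-9-]+\.amazonaws\.com$"),
]

DEV_TOKENS = ("dev", "hml", "test")
PRD_TOKENS = ("prd", "prod")

# Constructed sample export with placeholder names, IDs and hostnames.
SAMPLE_JSONL = """\
{"app": "example-his-prd", "app_id": "00000000-0000-0000-0000-000000000001", "permissions": [], "secrets": [{"name": "prd", "expires": "2027-12-11"}], "redirect_uris": ["https://his.example.org/auth"]}
{"app": "example-portal-prd", "app_id": "00000000-0000-0000-0000-000000000002", "permissions": ["Directory.ReadWrite.All", "User.Read"], "secrets": [{"name": "saml", "expires": "2026-03-27"}], "redirect_uris": ["https://portal.example.org/saml"]}
{"app": "example-portal-dev", "app_id": "00000000-0000-0000-0000-000000000003", "permissions": ["User.Read"], "secrets": [{"name": "dev", "expires": "2027-06-12"}], "redirect_uris": ["https://portal-alb-main-000000000.us-east-1.elb.amazonaws.com/callback"]}
{"app": "example-finance-dev", "app_id": "00000000-0000-0000-0000-000000000004", "permissions": [], "secrets": [{"name": "dev", "expires": "2028-01-15"}, {"name": "prd", "expires": "2028-01-15"}], "redirect_uris": ["https://abcdefghij.execute-api.sa-east-1.amazonaws.com/prd/login"]}
{"app": "example-migration-sp", "app_id": "00000000-0000-0000-0000-000000000005", "permissions": [], "secrets": [{"name": "assess", "expires": "2026-05-10"}], "redirect_uris": []}
"""


def load_findings(jsonl_text):
    """Parse one JSON object per non-blank line."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def days_until(iso_date, today=AUDIT_DATE):
    """Days from the audit date to an ISO expiry date (negative if already expired)."""
    return (date.fromisoformat(iso_date) - today).days


def expiring_secrets(findings, within_days, today=AUDIT_DATE):
    """(app, secret name, days left) for every secret expiring within the window, soonest first."""
    hits = []
    for f in findings:
        for s in f.get("secrets", []):
            left = days_until(s["expires"], today)
            if left <= within_days:
                hits.append((f["app"], s["name"], left))
    return sorted(hits, key=lambda h: h[2])


def high_privilege_apps(findings):
    """Pattern 1: apps holding any tenant-wide Graph permission."""
    hits = []
    for f in findings:
        matched = sorted(set(f.get("permissions", [])) & HIGH_PRIVILEGE_PERMISSIONS)
        if matched:
            hits.append((f["app"], matched))
    return hits


def infra_disclosures(findings):
    """Pattern 3: redirect URI hostnames that expose raw AWS infrastructure."""
    hits = []
    for f in findings:
        for uri in f.get("redirect_uris", []):
            host = urlsplit(uri).hostname or ""
            if any(p.search(host) for p in INFRA_HOST_PATTERNS):
                hits.append((f["app"], host))
    return hits


def mixed_env_secrets(findings):
    """Pattern 2: apps whose secret names point at both a DEV-like and a PRD-like environment."""
    hits = []
    for f in findings:
        names = [s["name"].lower() for s in f.get("secrets", [])]
        has_dev = any(t in n for n in names for t in DEV_TOKENS)
        has_prd = any(t in n for n in names for t in PRD_TOKENS)
        if has_dev and has_prd:
            hits.append(f["app"])
    return hits


def triage(jsonl_text, today=AUDIT_DATE):
    """Run every check and return one dict keyed by report section."""
    findings = load_findings(jsonl_text)
    return {
        "urgent_30d": expiring_secrets(findings, 30, today),
        "watch_90d": expiring_secrets(findings, 90, today),
        "directory_write": high_privilege_apps(findings),
        "infra_disclosure": infra_disclosures(findings),
        "mixed_env": mixed_env_secrets(findings),
    }


if __name__ == "__main__":
    for section, rows in triage(SAMPLE_JSONL).items():
        print(f"== {section} ==")
        for row in rows:
            print("  ", row)
```

Run against a real export, the 30-day window reproduces the "URGENT" section and the 90-day window the "Watch" section; the day counts are computed from AUDIT_DATE, so re-running on a later date shifts the windows automatically instead of leaving stale "(28 days)" annotations in the report.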

Compliance & Regulatory Impact

LGPD (Lei Geral de Proteção de Dados) - Brazil

TASY healthcare systems are subject to strict data protection:

  • Potential fines: up to 2% of annual revenue or R$ 50 million
  • Per violation, per patient affected
  • Hospital closure in severe cases
  • Mandatory patient notification within 72 hours

Healthcare Data Protection

  • HIPAA equivalent (Brazil - LGPD)
  • Patient Safety implications
  • Medical record integrity requirements
  • Regulatory investigation risk

Immediate Actions Required

TODAY (Critical)

  1. Rotate TASY-NACIONAL-JUTTA-BATISTA-PRD secret
  2. Rotate Portal Conecta secret (expires 2026-03-27)
  3. Remove Portal Prd audit secret

THIS WEEK (High Priority)

  1. Audit Directory.ReadWrite.All permissions
  2. Rotate APEX secrets (6 active)
  3. Review Portal Dev Graph API compromise
  4. Restrict Engineering Portal ALB disclosure
  5. Audit TASY HML environment

THIS MONTH (Medium Priority)

  1. Implement secret rotation automation
  2. Enable audit logging for all critical apps
  3. Implement conditional access policies
  4. LGPD compliance audit for healthcare

Documentation Structure

scan-dor/
├── 01-credenciais-encontradas.md (UPDATED - added section 6)
├── 08-azure-apps-expanded.md (NEW - complete app inventory)
├── 09-tasy-healthcare-risk.md (NEW - healthcare analysis)
├── vectors/
│   └── all-findings.jsonl (UPDATED - 54 lines total)
└── AUDIT-UPDATE-2026-02-27.md (THIS FILE)

Statistics

  • New Azure AD Apps: 10 new applications found
  • New Infrastructure Findings: 3 endpoints
  • New Patterns: 2 critical patterns
  • Total JSONL Findings: 54 lines (14 additions)
  • Healthcare Systems at Risk: 2 TASY instances
  • Patient Data at Risk: Thousands of patients (Jutta Batista hospital)
  • Applications with Directory Write: 3 (CRITICAL)
  • Secrets Expiring in <30 days: 1 (Portal Conecta)

Risk Summary

| Severity | Count | Key Finding |
|----------|-------|-------------|
| CRITICAL | 1 | TASY Hospital Information System - Patient Data Breach Risk |
| HIGH | 12 | Multiple apps with Directory write, AWS infrastructure exposure |
| MEDIUM | 2 | AWS migration assessment, Neoh daemon app |
| TOTAL | 15 | 14 new findings + 1 infrastructure pattern |

References to Detailed Analysis

  • Azure Apps Inventory: /home/rx/lab/scan-dor/08-azure-apps-expanded.md
  • Healthcare Risk Analysis: /home/rx/lab/scan-dor/09-tasy-healthcare-risk.md
  • Main Credentials Report: /home/rx/lab/scan-dor/01-credenciais-encontradas.md (Section 6)
  • Findings Vector Database: /home/rx/lab/scan-dor/vectors/all-findings.jsonl

Audit Date: 2026-02-27
Classification: INTERNAL SECURITY FINDINGS
Distribution: Security Team, Management, Compliance