Cybersecurity agencies in the United States and other countries are urging organizations to harden the security around Microsoft’s Active Directory (AD) solution, which has become a prime target of hackers looking to compromise enterprise networks. CISA and the FBI joined with counterparts from Canada, the UK, Australia, and New Zealand in issuing a recent report that detailed more than a dozen techniques that threat actors use when targeting Active Directory and steps organizations can take to protect against them.

The agencies – which make up the Five Eyes intelligence alliance – noted that Active Directory is the most widely used authentication and authorization tool in enterprise networks. They also noted that there are multiple services within AD, including Active Directory Domain Services (AD DS), Active Directory Federation Services (AD FS), and Active Directory Certificate Services (AD CS). “These services provide multiple authentication options, including smart card logon, as well as single sign-on with on-premises and cloud-based services,” the agencies wrote. “This allows users to access cloud-based systems and services,” they added.

Active Directory has long been known as a popular target of threat groups. Bad actors that get control of an enterprise’s AD can gain privileged access to all systems and users that the tool manages, giving them multiple avenues for running their attacks. “Active Directory is susceptible to compromise due to its permissive default settings, its complex relationships and permissions, support for legacy protocols, and a lack of tooling for diagnosing Active Directory security issues,” the agencies wrote. Every AD user has enough permission within Active Directory to enable them to both identify and exploit its weaknesses, creating an attack surface that is both large and difficult to defend, according to the report. “It is often these hidden relationships, which are overlooked by organisations, that malicious actors exploit, sometimes in trivial ways, to gain complete control over an organisation’s enterprise IT network,” they wrote.

The Five Eyes agencies noted a range of compromise techniques hackers use, from password spraying (a brute-force attack that tries a short list of common passwords against many accounts) to compromising Group Policy Preferences passwords or AD Certificate Servers and creating golden certificates, a persistence tactic. Semperis last year wrote about protecting Active Directory from Kerberoasting, a technique used by threat groups to exploit the Kerberos authentication protocol to extract service account credentials.

There are other ways hackers can leverage AD to compromise organizations, including establishing persistence in their IT systems. Through this persistence, they can remotely log into organizations, bypass multi-factor authentication (MFA) controls, and remain undetected in Active Directory for months or years. Getting them out of it can be costly and time-consuming, possibly requiring such actions as resetting all users’ passwords or rebuilding Active Directory.

On detection, the agencies highlighted one of the report’s recommended techniques: “Notably, this technique does not rely on detecting the tooling used by malicious actors (like some other detection techniques do), but instead detects the compromise itself. The benefit of this technique is that it does not rely on correlating event logs, providing a strong indication a compromise has happened,” the agencies wrote.

They pointed to commercial and open source tools enterprises can use to protect AD, including BloodHound for identifying misconfigurations and other weaknesses that can be exploited, Netwrix PingCastle, which creates an AD security report, and Purple Knight, which similarly provides security information about an AD environment.
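Password spraying is mentioned above only in passing. As an added illustration that is not part of the original article or of the agencies’ report, the following Python sketch shows the log-side signal a defender looks for: one source producing failed logons against many distinct accounts in a short window, with each account failing only a few times (so per-account lockout never trips), followed by a successful logon from that same source. The log lines are constructed, the line format (timestamp, event ID, account, source address) is an assumed simplification of Windows 4625/4624 logon events, and the thresholds are assumptions to be tuned per environment.

```python
"""Password-spray detector over constructed logon-failure records (added example).

A spray tries one or two common passwords against MANY accounts, so a
per-account lockout threshold never trips. The signal is therefore a single
source with failed logons for an unusually large number of distinct accounts
inside a short window, each account failing only a few times.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). Assumed simplified format:
# <ISO timestamp> <event id> <target account> <source address>
# 4625 = failed logon, 4624 = successful logon.
SAMPLE_LOG = """\
2024-10-01T09:00:01 4625 alice 10.0.0.50
2024-10-01T09:00:03 4625 bob 10.0.0.50
2024-10-01T09:00:05 4625 carol 10.0.0.50
2024-10-01T09:00:07 4625 dave 10.0.0.50
2024-10-01T09:00:09 4625 erin 10.0.0.50
2024-10-01T09:00:11 4625 frank 10.0.0.50
2024-10-01T09:00:13 4624 frank 10.0.0.50
2024-10-01T09:01:00 4625 admin 10.0.0.99
2024-10-01T09:01:01 4625 admin 10.0.0.99
2024-10-01T09:01:02 4625 admin 10.0.0.99
2024-10-01T09:01:03 4625 admin 10.0.0.99
2024-10-01T09:01:04 4625 admin 10.0.0.99
2024-10-01T09:01:05 4625 admin 10.0.0.99
2024-10-01T09:05:00 4625 carol 10.0.0.7
2024-10-01T09:05:10 4624 carol 10.0.0.7
"""


def parse_line(line):
    """Split one record into (timestamp, event_id, account, source)."""
    ts, event_id, user, src = line.split()
    return datetime.fromisoformat(ts), int(event_id), user.lower(), src


def detect_password_spray(log_text, window=timedelta(minutes=10),
                          min_accounts=5, max_per_account=3):
    """Return {source: sorted list of targeted accounts} for every source whose
    failed logons hit at least `min_accounts` distinct accounts within `window`
    while no single account fails more than `max_per_account` times.

    The per-account cap is what separates a spray (wide and shallow) from a
    classic brute force against one account (narrow and deep), which the
    source 10.0.0.99 in the sample represents and which this function ignores.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    failures = sorted(e for e in events if e[1] == 4625)
    by_src = defaultdict(list)
    for ts, _, user, src in failures:
        by_src[src].append((ts, user))

    findings = {}
    for src, items in by_src.items():
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until it fits inside `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, user in items[start:end + 1]:
                counts[user] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                findings[src] = sorted(counts)
    return findings


def spray_successes(log_text, findings=None):
    """Return [(account, source)] for successful logons (4624) that came from a
    source already flagged as spraying, against an account it sprayed. These
    are the highest-priority hits: a guessed password that actually worked."""
    if findings is None:
        findings = detect_password_spray(log_text)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, event_id, user, src = parse_line(line)
        if event_id == 4624 and src in findings and user in findings[src]:
            hits.append((user, src))
    return hits


if __name__ == "__main__":
    sprays = detect_password_spray(SAMPLE_LOG)
    print("spray sources:", sprays)
    print("successful logons after spray:", spray_successes(SAMPLE_LOG, sprays))
```

In the constructed sample, 10.0.0.50 is flagged because it fails against six accounts in twelve seconds with one attempt each, and its later success as `frank` is reported separately; 10.0.0.99 fails six times against a single account and is left to a per-account brute-force rule, and 10.0.0.7 is an ordinary mistyped password. The thresholds are assumptions; in production they belong in configuration and should be tuned against the environment’s normal failed-logon baseline.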
This Cyber News was published on securityboulevard.com. Publication date: Tue, 01 Oct 2024 12:43:05 +0000